Version 0.4.3 of Braindump, I Need More Functional Tests.
Yesterday, I shipped a new release of braindump. It was awesome. Until I tried to use it this morning and realized that notes were no longer being saved when you edit them. So today I cut a new release that fixes that bug, as well as implementing a new feature where you can see what notes you have shared in the past. This also addresses an issue with sharing notes, so you should be able to send notes via email again. Normally, when a product is being released on a regular cadence it is exciting. In this case, it just means that I really need more functional tests.
Post Mortem of Note Saving Bug
For those who are curious, I will document what happened in the hopes that it does not affect others in the future. Braindump was originally written using WTForms, which has CSRF protection built in so you don't have to think about it. Recently, I have begun transitioning away from WTForms in lieu of regular forms that are submitted via AJAX. The most visible benefit is that you can see and edit all of your notes from the main page, instead of having to click into each note in order to edit it. After switching to AJAX, I quickly realized that I was no longer sending a CSRF token with POST and PUT requests, which is probably a bad thing. I enabled it in the previous release. Even though I got this to work in the login and registration modal (which are true forms), I didn't consider the PUT request when editing a note. This is not a form at all, but a method that fires whenever you stop typing. Naturally, since there was no token and the endpoint was not marked as exempt, the response was a 400 error (missing CSRF token). My solution was to add the token as a meta tag to every page, and then send it along in the request headers of the AJAX call.Enable CSRF
// app/__init__.pycsrf = CsrfProtect()
def create_app(config_name): … csrf.init_app(app) …
return app
Token in the Header
// app/templates/app/app_base.html // This works because csrf_token() is in the global scope.<meta name=“csrf-token” content=" csrf_token() " />
AJAX Method to add the token before sending the PUT request.
// frontend/js/src/braindump.editor.jssaveNote: function(id, content) {
var csrftoken = $('meta[name=csrf-token]').attr('content') $.ajax({ beforeSend: function(xhr) { xhr.setRequestHeader("X-CSRFToken", csrftoken) }, url: `/edit/<span class="cp">${</span><span class="nb">id</span><span class="cp">}</span>`, data: JSON.stringify({ 'body': content, }), contentType: 'application/json', type: 'PUT', success: function (response) { console.log(response); }, error: function (error) { console.error(error); } });
},
Thank you for reading! Share your thoughts with me on mastodon or via email.
Check out some more stuff to read down below.
Most popular posts this month
- Daggerversary
- SQLite DB Migrations with PRAGMA user_version
- Moving to New Jersey
- Setting up ANTLR4 on Windows
- Forbidden Words
Recent Favorite Blog Posts
This is a collection of the last 8 posts that I bookmarked.
- Pluralistic: What the fuck is a PBM? (23 Sep 2024) from Pluralistic: Daily links from Cory Doctorow
- The Framework 13 has a new high-res screen! from David Heinemeier Hansson
- 40 Thoughts At 40 from Blog – Brad Frost
- To Blog or to Social-Post from jwz
- Gotchas with SQLite in Production from Anže’s Blog
- Petter Reinholdtsen: More than 200 orphaned Debian packages moved to git, 216 to go from Planet Debian
- Eli Bendersky: You don't need virtualenv in Go from Planet Python
- Introducing Writebook from Jason Fried
Articles from blogs I follow around the net
OpenAI Twitter account once again hacked and used to promote scam token
The Twitter account belonging to OpenAI's news account was compromised and used to "announce" a scam website purporting to announce the $OPENAI token. "All OpenAI users are eligible to claim a piece of $OPENAI’s initi…
via Web3 is Going Just Great September 23, 2024DNA Lounge: Wherein a winnar is us!
As foretold by prophecy, you the people have once again declared DNA Lounge to be "Best Nightclub", and Hubba Hubba Revue to be "Best Burlesque" in the 2024 Best of the Bay! Also "Best Pizza" runner-up for DNA Pizza, and "Best D…
via jwz September 23, 2024SmashingConf NYC
I’m extremely excited to be a part of Smashing Conf NYC coming up on October 7-10. I’ll be: If you’re in NYC or able to make it there, I hope you’re able to make it!
via Blog – Brad Frost September 23, 2024Generated by openring