From dbffa66b6d7fb9addad146da32db4207ec664a7f Mon Sep 17 00:00:00 2001
From: Tim Abbott <tabbott@zulipchat.com>
Date: Sun, 16 Dec 2018 15:15:52 -0800
Subject: [PATCH] js: Extract csrf.js and include in common bundle.

This should make it possible to use this AJAX setup code in logged-out
code as well, which is necessary to use blueslip from portico pages.
---
 .eslintrc.json            |  1 +
 static/js/csrf.js         | 15 +++++++++++++++
 static/js/setup.js        | 16 ++--------------
 tools/webpack.assets.json |  1 +
 4 files changed, 19 insertions(+), 14 deletions(-)
 create mode 100644 static/js/csrf.js

diff --git a/.eslintrc.json b/.eslintrc.json
index aa69543962..f99b035148 100644
--- a/.eslintrc.json
+++ b/.eslintrc.json
@@ -52,6 +52,7 @@
         "condense": false,
         "confirm_dialog": false,
         "copy_and_paste": false,
+        "csrf": false,
         "csrf_token": false,
         "current_msg_list": true,
         "drafts": false,
diff --git a/static/js/csrf.js b/static/js/csrf.js
new file mode 100644
index 0000000000..fb83de565a
--- /dev/null
+++ b/static/js/csrf.js
@@ -0,0 +1,15 @@
+var csrf_token;
+$(function () {
+    // This requires that we used Jinja2's {% csrf_input %} somewhere on the page.
+    csrf_token = $('input[name="csrfmiddlewaretoken"]').attr('value');
+    window.csrf_token = csrf_token;
+
+    $.ajaxSetup({
+        beforeSend: function (xhr, settings) {
+            if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
+                // Only send the token to relative URLs i.e. locally.
+                xhr.setRequestHeader("X-CSRFToken", csrf_token);
+            }
+        },
+    });
+});
diff --git a/static/js/setup.js b/static/js/setup.js
index b4aef5bd4f..4cbc581be5 100644
--- a/static/js/setup.js
+++ b/static/js/setup.js
@@ -1,7 +1,8 @@
 // Miscellaneous early setup.
 
-var csrf_token;
 $(function () {
+    csrf.initialize();
+
     if (util.is_mobile()) {
         // if the client is mobile, disable websockets for message sending
         // (it doesn't work on iOS for some reason).
@@ -19,10 +20,6 @@ $(function () {
     } else if (!page_params.needs_tutorial) {
         $('#first_run_message').show();
     }
-    // This requires that we used Django's {% csrf_token %} somewhere on the page.
-    csrf_token = $('input[name="csrfmiddlewaretoken"]').attr('value');
-    window.csrf_token = csrf_token;
-
 
     // This is an issue fix where in jQuery v3 the result of outerHeight on a node
     // that doesn’t exist is now “undefined” rather than “null”, which means it
@@ -37,15 +34,6 @@ $(function () {
         return $(this).outerWidth.apply(this, arguments) || 0;
     };
 
-    $.ajaxSetup({
-        beforeSend: function (xhr, settings) {
-            if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
-                // Only send the token to relative URLs i.e. locally.
-                xhr.setRequestHeader("X-CSRFToken", csrf_token);
-            }
-        },
-    });
-
     // For some reason, jQuery wants this to be attached to an element.
     $(document).ajaxError(function (event, xhr) {
         if (xhr.status === 401) {
diff --git a/tools/webpack.assets.json b/tools/webpack.assets.json
index 00e0258a15..2222e1d7a6 100644
--- a/tools/webpack.assets.json
+++ b/tools/webpack.assets.json
@@ -37,6 +37,7 @@
         "string.prototype.codepointat",
         "./node_modules/jquery/dist/jquery.js",
         "./node_modules/underscore/underscore.js",
+        "./static/js/csrf.js",
         "./static/js/blueslip.js",
         "./static/third/bootstrap/js/bootstrap.js",
         "./static/js/common.js",