What I’m looking to do is add parameters to an Ember Data save for for specific models. The parameters I’m looking to add will come from and ajax call to my Grails back-end, to generate a token for CSRF mitigation. One of the parameters will be the URL that will eventually be called by the save along with the CSRF token. In Grails these parameters are usually part of a form, and look like this:
<input type="hidden" name="SYNCHRONIZER_TOKEN" value="714af404-b10a-459b-9e09-663a6e4cf6b3" id="SYNCHRONIZER_TOKEN">
<input type="hidden" name="SYNCHRONIZER_URI" value="url the save function is going to use" id="SYNCHRONIZER_URI">
I’ve also posted this on stack overflow, then realized I might get more responses, or a quicker response here:
have you defined a model property for these values?
If so, have you tried to use .set(property, value) on it?
You may not need to have the hidden input if you set the CSRF token on the model instance and then call .save() on that instance. In the standard implementation this would trigger a PUT request on an existing resource and a POST request on a new resource.
in the normal case you would have to do the following:
Bind your form inputs to the ember-data model fields
in the (controller- or route) action handle set the previously received CSRF token as a model field using model.set(‘csrf_token’, CSRF-token) (you need to have defined csrf_token in your model)
But I haven’t got that to work as of yet. What I want is for the SYNCHRONIZER_TOKEN and SYNCHRONIZER_URI to be url query parameters, i.e. I don’t want them in the JSON map in the body of the save. The reason I want this is so I can just use the machinery built into Grails for checking and protecting against CSRF.
The hidden part is actually irrelevent that’s just how Grails chooses to handled it when it’s in a back-end generated page.
It maybe easier to tap in one level down at the ajax level jQuery.ajax() | jQuery API Documentation. I found it easier to put my CSRF stuff there rather than mess with ember data.
So I found a different way around. I have a mixin, that overrides the save function. I construct the url, and determine if I should do a post or put from the model(for the later ajax call), Then I pass the url to call in a back-end service I have, to generate up the token, then I send an ajax call based on that information, finally I put the result back in the store.