feat(csrf) enable csrf token in other way than ruby's one

ng-upload.js

@@ -58,8 +58,8 @@ angular.module('ngUpload', [])
       }
     };
   }])
-  .directive('ngUpload', ["$log", "$parse", "$document",
-    function ($log, $parse, $document) {
+  .directive('ngUpload', ["$log", "$parse", "$document", "$browser", "$http",
+    function ($log, $parse, $document, $browser, $http) {
     var iframeID = 1;
     // Utility function to get meta tag with a given name attribute
     function getMetaTagWithName(name) {
@@ -75,6 +75,10 @@ angular.module('ngUpload', [])
       return angular.element(match);
     }
 
+    function getCsrfTokenValue() {
+      return $browser.cookies()[$http.defaults.xsrfCookieName || 'X-XSRF-TOKEN'];
+    }
+
     return {
       restrict: 'AC',
       link: function (scope, element, attrs) {
@@ -110,6 +114,11 @@ angular.module('ngUpload', [])
             options.beforeSubmit = $parse(attrs.uploadOptionsBeforeSubmit);
         }
 
+        if ( attrs.hasOwnProperty( "uploadOptionsEnableCsrf" ) ) {
+            // allow for blank or true
+            options.enableCsrf = attrs.uploadOptionsEnableCsrf != "false";
+        }
+
         element.attr({
           'target': 'upload-iframe-' + iframeID,
           'method': 'post',
@@ -133,6 +142,17 @@ angular.module('ngUpload', [])
 
           element.append(input);
         }
+
+        if ( options.enableCsrf ) {
+          var input = angular.element("<input />");
+          input.attr("class", "upload-csrf-token");
+          input.attr("type", "hidden");
+          input.attr("name", attrs.uploadOptionsCsrfParam || 'CSRFToken');
+          input.val(getCsrfTokenValue());
+
+          element.append(input);
+        }
+
         element.after(iframe);
 
         setLoadingState(false);

readme.md

@@ -149,6 +149,10 @@ In order, for ngUpload to respond correctly for IE, your server needs to return
 * `upload-options-enable-rails-csrf`: Turns on support for [Rails' CSRF](http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf)
                                by adding a hidden form field with the csrf token.
 
+* `upload-options-enable-csrf`: Turns on support for CSRF by adding a hidden form field with the csrf token fetched from cookies as configured in [$httpProvider.defaults.xsrfCookieName](https://docs.angularjs.org/api/ng/provider/$httpProvider).
+
+* `upload-options-csrf-param`: Name of the csrf parameter to be sent while submitting form (Default value: "CSRFToken"). Only usable with `upload-options-enable-csrf` option.
+
 * `upload-options-before-submit`: function that gets triggered before the upload starts and if the function returns false it will cancel the submit.
 
 ### uploadSubmit

test/ngUploadCsrfSpec.js

@@ -0,0 +1,71 @@
+// ngUpload as directive and input submit
+describe('ngUpload', function() {
+  var scope, $compile, $http, $browser;
+  beforeEach(module('ngUpload'));
+  beforeEach(inject(function($rootScope, _$compile_, _$browser_, _$http_) {
+    $browser = _$browser_;
+    $browser.cookies('X-XSRF-TOKEN', 'the-token');
+    scope = $rootScope;
+    $compile = _$compile_;
+    $http = _$http_;
+  }));
+
+  function submit(element) {
+    element[0].getElementsByClassName('submit-button')[0].click();
+  }
+
+  function compile(template) {
+    var elm = angular.element(template);
+    $compile(elm)(scope);
+    return elm;
+  }
+
+  function getHiddenField(element) {
+    return element[0].getElementsByClassName('upload-csrf-token')[0];
+  }
+
+  it('should set csrf hidden field with csrf token from cookie', function() {
+    var form = compile(
+        '<div>' +
+        '<form action="/upload" ng-upload="foo()" upload-options-enable-csrf>' +
+        '<input type="file" name="foo"></input>' +
+        '<input class="submit-button" type="submit" value="submit"></input>' +
+        '</form>' +
+        '</div>');
+    submit(form);
+
+    var hiddenField = getHiddenField(form);
+    expect(hiddenField).toBeDefined();
+    expect(hiddenField.getAttribute('value')).toBe('the-token');
+    expect(hiddenField.getAttribute('name')).toBe('CSRFToken');
+  });
+
+  it('should get csrf param name from a specific attribute', function()  {
+    var form = compile(
+        '<div>' +
+        '<form action="/upload" ng-upload="foo()" upload-options-enable-csrf upload-options-csrf-param="csrf-token-parameter">' +
+        '<input type="file" name="foo"></input>' +
+        '<input class="submit-button" type="submit" value="submit"></input>' +
+        '</form>' +
+        '</div>');
+    submit(form);
+
+    expect(getHiddenField(form).getAttribute('name')).toBe('csrf-token-parameter');
+  });
+
+  it('should get csrf token from cookies according to configured xsrfCookieName', function()  {
+    $http.defaults.xsrfCookieName = 'another.cookie.name';
+    $browser.cookies('another.cookie.name', 'another-token');
+    var form = compile(
+        '<div>' +
+        '<form action="/upload" ng-upload="foo()" upload-options-enable-csrf upload-options-csrf-param="csrf-token-parameter">' +
+        '<input type="file" name="foo"></input>' +
+        '<input class="submit-button" type="submit" value="submit"></input>' +
+        '</form>' +
+        '</div>');
+    submit(form);
+
+    expect(getHiddenField(form).getAttribute('value')).toBe('another-token');
+  });
+
+});