entd: require a per-entd-invocation session id in every request

callback_server.cc

Index: callback_server.cc
diff --git a/callback_server.cc b/callback_server.cc
index b5bfaee7612e5b67ef03e764d120086a8c47a72a..ac98b925c3480d2481754e6b5eb7ffa6578b2bdb 100644
--- a/callback_server.cc
+++ b/callback_server.cc
@@ -12,6 +12,8 @@ namespace entd {
 
 using std::string;
 
+std::string CallbackServer::session_id_;
+
 namespace {
 // Max 1k request entity
 const int kMaxRequestSize = 1024;
@@ -32,9 +34,6 @@ const uint32_t kMaxPort      = 5999;
 // Incoming requests must have this content type
 const std::string kContentType = "application/json; charset=UTF-8";
 
-// Default value of request_header_value_
-const std::string kDefaultRequestHeaderValue = "magic";
-
 // Callback functions must have this prefix, so we can avoid dispatching
 // against default properties that aren't actually intended to be callbacks.
 const std::string kCallbackPrefix = "cb:";
@@ -108,22 +107,6 @@ v8::Handle<v8::Value> dispatch_Stop(const v8::Arguments& args) {
   return v8::Undefined();
 }
 
-// Called by v8 when someone trys to read from callbackServer.requestHeaderValue
-v8::Handle<v8::Value> dispatch_GetRequestHeaderValue(
-    v8::Local<v8::String> name,
-    const v8::AccessorInfo& info) {
-  CallbackServer* cs = CallbackServer::Unwrap(info.Holder());
-  return v8::String::New(cs->request_header_value().c_str());
-}
-
-// Called by v8 when someone trys to assign to callbackServer.requestHeaderValue
-void dispatch_SetRequestHeaderValue(v8::Local<v8::String> name,
-                                    v8::Local<v8::Value> value,
-                                    const v8::AccessorInfo& info) {
-  CallbackServer* cs = CallbackServer::Unwrap(info.Holder());
-  cs->set_request_header_value(*v8::String::Utf8Value(value));
-}
-
 }  // namespace
 
 std::string CallbackServer::required_origin = "";
@@ -131,7 +114,6 @@ std::string CallbackServer::required_origin = "";
 CallbackServer::CallbackServer(Entd* entd)
     : busy_(false),
       entd_(entd),
-      request_header_value_(kDefaultRequestHeaderValue),
       evhttp_(NULL)
 {}
 
@@ -147,9 +129,6 @@ void CallbackServer::SetTemplateBindings(
                        v8::FunctionTemplate::New(dispatch_Start));
   template_object->Set(v8::String::NewSymbol("stop"),
                        v8::FunctionTemplate::New(dispatch_Stop));
-  template_object->SetAccessor(v8::String::NewSymbol("requestHeaderValue"),
-                               dispatch_GetRequestHeaderValue,
-                               dispatch_SetRequestHeaderValue);
 }
 
 void CallbackServer::OnRequest(struct evhttp_request* request) {
@@ -183,12 +162,12 @@ void CallbackServer::OnRequest(struct evhttp_request* request) {
     return;
   }
 
-  // This header must be present, since Chrome's XMLHttpRequest object
-  // won't let you set an unknown header for cross domain XHR.
-  header = evhttp_find_header(request->input_headers, "X-Entd-Request");
-  if (!header || strcmp(request_header_value_.c_str(), header) != 0) {
-    LOG(ERROR) << "Bad or missing X-Entd-Request header";
-    evhttp_send_error(request, kHttpBadRequest, "Bad X-Entd-Request header");
+  // Check the session ID.
+  header = evhttp_find_header(request->input_headers, "X-Entd-Session-Id");
+  if (!header || header != session_id_) {
+    LOG(ERROR) << "Bad or missing X-Entd-Session-Id header: " << header;
+    evhttp_send_error(request, kHttpBadRequest,
+                      "Bad or missing session id header");
     return;
   }