/usr/share/perl5/HTML/FormFu/Element/RequestToken.pm is in libcatalyst-controller-html-formfu-perl 2.02-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
package HTML::FormFu::Element::RequestToken;

# Hidden field carrying a per-session anti-CSRF token; see the POD below.
use strict;
our $VERSION = '2.02'; # VERSION

use Moose;
use MooseX::Attribute::FormFuChained;

extends 'HTML::FormFu::Element::Text';

use HTML::FormFu::Util qw( process_attrs );
use Carp qw( croak );

# Seconds a freshly issued token stays valid.
has expiration_time => (
    is      => 'rw',
    traits  => ['FormFuChained'],
    default => 3600,
);

# Session hash key under which the list of [ token, expiry ] pairs is kept.
has session_key => (
    is      => 'rw',
    traits  => ['FormFuChained'],
    default => '__token',
);

# Form-stash key holding the Catalyst context ($c); the session is reached
# through it.
has context => (
    is      => 'rw',
    traits  => ['FormFuChained'],
    default => 'context',
);

# Maximum number of live tokens retained per session; the oldest are dropped
# first when the list is trimmed.
has limit => (
    is      => 'rw',
    traits  => ['FormFuChained'],
    default => 20,
);

# Error message for a failed token check (presumably consumed by the
# RequestToken constraint - not visible in this file).
has message => (
    is      => 'rw',
    traits  => ['FormFuChained'],
    default => 'Form submission failed. Please try again.',
);
after BUILD => sub {
    my ($self) = @_;

    # Fixed field name under which the token is submitted.
    $self->name('_token');

    # The value must be present and must match a token held in the session.
    $self->constraints( [qw( RequestToken Required )] );

    # Rendered as a hidden input: the user never types the token.
    $self->field_type('hidden');
};
# Returns the submitted value when it verifies against the session; otherwise
# issues a fresh token, stores it as the element's value and returns that.
sub process_value {
    my ( $self, $value ) = @_;

    if ( $self->verify_token($value) ) {
        return $value;
    }

    # Replace the rejected/missing value with a newly issued token.
    $self->value( $self->get_token );
    return $self->value;
}
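# Returns 1 when $token matches a token stored in the session that has not yet
# expired, a false (empty) value otherwise. Croaks if the form has not been
# submitted. A matched token is NOT removed, so it remains valid until it
# expires or is pruned by expire_token().
sub verify_token {
    my ( $self, $token ) = @_;

    # An empty or undefined submission can never match a stored token.
    return unless $token;

    my $form = $self->form;

    croak "verify_token() can only be called if form has been submitted"
        if !$form->submitted;

    my $c = $form->stash->{ $self->context };

    # Honour the expiry timestamp here as well: expire_token() only runs from
    # get_token(), so stale entries may still be sitting in the session.
    for my $entry ( @{ $c->session->{ $self->session_key } || [] } ) {
        return 1 if $entry->[0] eq $token && $entry->[1] > time;
    }

    return;
}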
# Drops expired tokens from the session list and caps it at `limit` entries,
# keeping the most recently issued ones. The trimmed list is written back to
# the session.
sub expire_token {
    my ($self) = @_;

    my $c   = $self->form->stash->{ $self->context };
    my $key = $self->session_key;

    # Keep only entries whose expiry timestamp is still in the future.
    my @live = grep { $_->[1] > time } @{ $c->session->{$key} || [] };

    # Entries are appended in issue order, so the tail holds the newest ones.
    my $limit = $self->limit;
    @live = @live[ -$limit .. -1 ] if @live > $limit;

    $c->session->{$key} = \@live;
}
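# Issues a new token, records [ token, expiry-epoch ] in the session under
# session_key, prunes stale entries via expire_token() and returns the token.
sub get_token {
    my ($self) = @_;

    my $c = $self->form->stash->{ $self->context };

    # 16 characters from [a-z0-9]: 36 symbols, about 82 bits when uniform.
    my $token = _random_token(16);

    # Store the token so verify_token() can find it on the next submission.
    $c->session->{ $self->session_key } ||= [];
    push @{ $c->session->{ $self->session_key } },
        [ $token, time + $self->expiration_time ];

    # Drop expired entries and enforce the per-session limit after each issue.
    $self->expire_token;

    return $token;
}

# Returns a string of $length characters drawn from [a-z0-9]. Bytes are taken
# from /dev/urandom where it is readable, because rand() has a small seed and
# predictable output - not suitable for an anti-CSRF token. A byte >= 252
# (= 7 * 36) is discarded so that "byte % 36" stays uniform. If the device is
# unavailable or short-reads, the remainder is filled with the rand()-based
# generator this module used before.
sub _random_token {
    my ($length) = @_;

    my @chars = ( 'a' .. 'z', 0 .. 9 );
    my $token = '';

    if ( open my $fh, '<:raw', '/dev/urandom' ) {
        while ( length $token < $length ) {
            my $byte;
            last unless read( $fh, $byte, 1 );
            my $n = ord $byte;
            next if $n >= 252;
            $token .= $chars[ $n % 36 ];
        }
        close $fh;
    }

    $token .= $chars[ int( rand() * 36 ) ] while length $token < $length;

    return $token;
}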
1;
__END__
=head1 NAME
HTML::FormFu::Element::RequestToken - Hidden text field which contains a unique
token
=head1 VERSION
version 2.02
=head1 SYNOPSIS
my $e = $form->element( { type => 'Token' } );
my $p = $form->element( { plugin => 'Token' } );
=head1 DESCRIPTION
This field can prevent CSRF attacks. It contains a random token. After
submission the token is checked against the tokens stored in the session
of the current user.
See L<Catalyst::Controller::HTML::FormFu/"request_token_enable"> for a
convenient way to use it.
=head1 ATTRIBUTES
=head2 context
Value of the stash key for the Catalyst context object (C<< $c >>).
Defaults to C<context>.
=head2 expiration_time
Time to live for a token in seconds. Defaults to C<3600>.
=head2 session_key
Session key which is used to store the tokens. Defaults to C<__token>.
=head2 limit
Limit the number of tokens which are kept in the session. Defaults to 20.
=head2 constraints
Defaults to L<HTML::FormFu::Constraint::RequestToken> and L<HTML::FormFu::Constraint::Required>.
=head2 message
Set the error message.
=head1 METHODS
=head2 expire_token
This method removes expired tokens from the session and keeps at most C<limit> of the remaining ones.
=head2 get_token
Generates a new token, stores it in the session under C<session_key>, and then calls C<expire_token>.
=head2 verify_token
Checks whether a given token is present in the session. Returns C<1> if it is, and a false (empty) value otherwise.
=head1 SEE ALSO
L<Catalyst::Controller::HTML::FormFu>,
L<HTML::FormFu::Plugin::RequestToken>,
L<HTML::FormFu::Constraint::RequestToken>,
L<HTML::FormFu>
=head1 AUTHOR
Moritz Onken, C<onken@houseofdesign.de>
=head1 LICENSE
This library is free software, you can redistribute it and/or modify it under
the same terms as Perl itself.