Catalyst::Controller::RequestToken - Handling transaction tokens across forms
This module requires Catalyst::Plugin::Session. In your application class:

    use Catalyst qw/ Session Session::State::Cookie Session::Store::FastMmap FillInForm /;

In your controller class:

    use base qw(Catalyst::Controller::RequestToken);

    # Step 1: show the initial form (no token yet)
    sub form :Local {
        my ($self, $c) = @_;
        $c->stash( template => 'form.tt' );
    }

    # Step 2: create a token, store it in the session and embed it in the confirm form
    sub confirm :Local :CreateToken {
        my ($self, $c) = @_;
        $c->stash( template => 'confirm.tt' );
    }

    # Step 3: validate the posted token against the session before completing
    sub complete :Local :ValidateToken {
        my ($self, $c) = @_;
        if ($self->valid_token($c)) {
            $c->response->body('complete.');
        } else {
            $c->response->body('invalid operation.');
        }
    }

form.tt:

    <html>
    <body>
    <form action="confirm" method="post">
    <input type="submit" name="submit" value="confirm"/>
    </form>
    </body>
    </html>

confirm.tt:

    <html>
    <body>
    <form action="complete" method="post">
    <input type="hidden" name="_token" value="[% c.req.param('_token') %]"/>
    <input type="submit" name="submit" value="complete"/>
    </form>
    </body>
    </html>
This controller lets you enforce a single transaction across multiple forms. Using a token, you can prevent duplicate submits and protect your app from CSRF attacks.
This module REQUIRES Catalyst::Plugin::Session to store the server-side token.
Creates a new token and puts it into both the request and the session. You can then return content carrying the request token, which the client should post back to the server.
After CreateToken, clients will post the token back with their request, so you need to validate whether it is correct or not.
The ValidateToken attribute will make your action validate the request token by comparing it to the session token that was created by the CreateToken attribute.
If the token is valid, the server-side token will be expired. Use is_valid_token() to check whether the token in this request was valid or not.
Removes the token from the session. The request token will no longer be valid.
All methods must be passed the request context as their first parameter.
Returns whether the token is valid or not. This works correctly only after ValidateToken.
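The token lifecycle described above (create and store in the session, validate the posted copy against it, expire it once used) as a framework-free model. This is an added example, not code from Catalyst::Controller::RequestToken: a plain hash stands in for the Catalyst session, a second hash for the POSTed request parameters, and the subroutine names create_token, validate_token and remove_token are this example's own, not the module's API.

```perl
#!/usr/bin/env perl
# Added example (not the module's own code): minimal model of the
# CreateToken / ValidateToken / RemoveToken flow. %session stands in for
# Catalyst::Plugin::Session, %req for the request parameters.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

my $SESSION_NAME = '_token';   # session key, the documented default
my $REQUEST_NAME = '_token';   # request parameter, the documented default

# Create a fresh token, store it server-side in the session and return it so
# the controller can embed it in the next form as a hidden field.
# (rand() is used here only to keep the example dependency-free; a real
# implementation should draw the token from a CSPRNG.)
sub create_token {
    my ($session) = @_;
    my $token = sha256_hex(join '', time, $$, rand(), rand());
    $session->{$SESSION_NAME} = $token;
    return $token;
}

# Compare the token posted with the request to the one held in the session.
# On success the session token is expired, so the same token can complete
# the transaction only once (double submits and replayed posts then fail).
sub validate_token {
    my ($session, $req) = @_;
    my $expected = $session->{$SESSION_NAME};
    my $got      = $req->{$REQUEST_NAME};
    return 0 unless defined $expected && defined $got;
    return 0 unless length $expected == length $got;
    # constant-time comparison: do not leak the matching prefix via timing
    my $diff = 0;
    $diff |= ord(substr $expected, $_, 1) ^ ord(substr $got, $_, 1)
        for 0 .. length($expected) - 1;
    return 0 if $diff;
    delete $session->{$SESSION_NAME};   # valid: expire the server-side token
    return 1;
}

# Explicitly drop the token (the RemoveToken behaviour described above).
sub remove_token {
    my ($session) = @_;
    delete $session->{$SESSION_NAME};
    return;
}

# Walk the synopsis flow: form -> confirm (:CreateToken) -> complete (:ValidateToken)
my %session;                                     # constructed stand-in for $c->session
my $token = create_token(\%session);             # confirm action issues the token
my %post  = ($REQUEST_NAME => $token);           # confirm.tt posts it back as _token

printf "first submit:  %s\n",
    validate_token(\%session, \%post) ? 'complete.' : 'invalid operation.';

# The same token posted again (double click, browser resubmit, replay) is rejected
printf "second submit: %s\n",
    validate_token(\%session, \%post) ? 'complete.' : 'invalid operation.';

# A cross-site form post cannot know the session token, so a guess is rejected
create_token(\%session);
my %forged = ($REQUEST_NAME => 'guess');
printf "forged token:  %s\n",
    validate_token(\%session, \%forged) ? 'complete.' : 'invalid operation.';
remove_token(\%session);
```

The first submit succeeds and consumes the token; the second submit of the identical form and the forged cross-site post both fail, which is the duplicate-submit and CSRF protection the module provides. In a real controller the token lives in `$c->session` and the comparison is done for you by the ValidateToken attribute; the example only makes the mechanism visible.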
In your application class:

    __PACKAGE__->config(
        'Controller::TokenBasedMyController' => {
            session_name => '_token',
            request_name => '_token',
        },
    );

Default for both session_name and request_name: _token
Hideo Kimura <hide<at>hide-k.net>
This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.
The full text of the license can be found in the LICENSE file included with this module.
To install Catalyst::Controller::RequestToken, copy and paste the appropriate command into your terminal.

cpanm:

    cpanm Catalyst::Controller::RequestToken

CPAN shell:

    perl -MCPAN -e shell
    install Catalyst::Controller::RequestToken
For more information on module installation, please visit the detailed CPAN module installation guide.