3 # Created as wrapper for CSRF tokens, but designed for more general use
5 # Copyright 2016 Rijksmuseum
7 # This file is part of Koha.
9 # Koha is free software; you can redistribute it and/or modify it under the
10 # terms of the GNU General Public License as published by the Free Software
11 # Foundation; either version 3 of the License, or (at your option) any later
14 # Koha is distributed in the hope that it will be useful, but WITHOUT ANY
15 # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
16 # A PARTICULAR PURPOSE. See the GNU General Public License for more details.
18 # You should have received a copy of the GNU General Public License along
19 # with Koha; if not, write to the Free Software Foundation, Inc.,
20 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 Koha::Token - Tokenizer
29 my $tokenizer = Koha::Token->new;
30 my $token = $tokenizer->generate({ length => 20 });
32 # safely generate a CSRF token (nonblocking)
33 my $csrf_token = $tokenizer->generate({
34 type => 'CSRF', id => $id, secret => $secret,
37 # or check a CSRF token
38 my $result = $tokenizer->check_csrf({
39 id => $id, secret => $secret, token => $token,
44 Designed for providing general tokens.
45 Created due to the need for a nonblocking call to Bytes::Random::Secure
46 when generating a CSRF token.
51 use Bytes
::Random
::Secure
();
52 use String
::Random
();
54 use base
qw(Class::Accessor);
55 use constant HMAC_SHA1_LENGTH
=> 20;
61 Create object (via Class::Accessor).
67 return $class->SUPER::new
();
72 my $token = $tokenizer->generate({ length => 20 });
73 my $csrf_token = $tokenizer->generate({
74 type => 'CSRF', id => $id, secret => $secret,
77 Generate several types of tokens. Now includes CSRF.
78 Room for future extension.
83 my ( $self, $params ) = @_;
84 if( $params->{type
} && $params->{type
} eq 'CSRF' ) {
85 $self->{lasttoken
} = _gen_csrf
( $params );
87 $self->{lasttoken
} = _gen_rand
( $params );
89 return $self->{lasttoken
};
94 Shortcut for: generate({ type => 'CSRF', ... })
99 my ( $self, $params ) = @_;
100 return $self->generate({ %$params, type
=> 'CSRF' });
105 my $result = $tokenizer->check({
106 type => 'CSRF', id => $id, secret => $secret, token => $token,
109 Check several types of tokens. Now includes CSRF.
110 Room for future extension.
115 my ( $self, $params ) = @_;
116 if( $params->{type
} && $params->{type
} eq 'CSRF' ) {
117 return _chk_csrf
( $params );
124 Shortcut for: check({ type => 'CSRF', ... })
129 my ( $self, $params ) = @_;
130 return $self->check({ %$params, type
=> 'CSRF' });
133 # --- Internal routines ---
137 # Since WWW::CSRF::generate_csrf_token does not use the NonBlocking
138 # parameter of Bytes::Random::Secure, we are passing random bytes from
139 # a non blocking source to WWW::CSRF via its Random parameter.
142 return if !$params->{id
} || !$params->{secret
};
145 my $randomizer = Bytes
::Random
::Secure
->new( NonBlocking
=> 1 );
146 # this is most fundamental: do not use /dev/random since it is
147 # blocking, but use /dev/urandom !
148 my $random = $randomizer->bytes( HMAC_SHA1_LENGTH
);
149 my $token = WWW
::CSRF
::generate_csrf_token
(
150 $params->{id
}, $params->{secret
}, { Random
=> $random },
158 return if !$params->{id
} || !$params->{secret
} || !$params->{token
};
160 my $csrf_status = WWW
::CSRF
::check_csrf_token
(
165 return $csrf_status == WWW
::CSRF
::CSRF_OK
();
170 my $length = $params->{length} || 1;
171 $length = 1 unless $length > 0;
173 return String
::Random
::random_string
( '.' x
$length );
178 Marcel de Rooy, Rijksmuseum Amsterdam, The Netherlands