Bug 14187 - DBRev 16.12.00.002
[koha.git] / Koha / Token.pm
blobe60ee1f4fcb677360824297990f321d97a39ee26
1 package Koha::Token;
3 # Created as wrapper for CSRF tokens, but designed for more general use
5 # Copyright 2016 Rijksmuseum
7 # This file is part of Koha.
9 # Koha is free software; you can redistribute it and/or modify it under the
10 # terms of the GNU General Public License as published by the Free Software
11 # Foundation; either version 3 of the License, or (at your option) any later
12 # version.
14 # Koha is distributed in the hope that it will be useful, but WITHOUT ANY
15 # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
16 # A PARTICULAR PURPOSE. See the GNU General Public License for more details.
18 # You should have received a copy of the GNU General Public License along
19 # with Koha; if not, write to the Free Software Foundation, Inc.,
20 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 =head1 NAME
24 Koha::Token - Tokenizer
26 =head1 SYNOPSIS
28 use Koha::Token;
29 my $tokenizer = Koha::Token->new;
30 my $token = $tokenizer->generate({ length => 20 });
32 # safely generate a CSRF token (nonblocking)
33 my $csrf_token = $tokenizer->generate({
34 type => 'CSRF', id => $id, secret => $secret,
35 });
37 # or check a CSRF token
38 my $result = $tokenizer->check_csrf({
39 id => $id, secret => $secret, token => $token,
40 });
42 =head1 DESCRIPTION
44 Designed for providing general tokens.
45 Created due to the need for a nonblocking call to Bytes::Random::Secure
46 when generating a CSRF token.
48 =cut
50 use Modern::Perl;
51 use Bytes::Random::Secure ();
52 use String::Random ();
53 use WWW::CSRF ();
54 use base qw(Class::Accessor);
55 use constant HMAC_SHA1_LENGTH => 20;
56 use constant CSRF_EXPIRY_HOURS => 8; # 8 hours instead of 7 days..
58 =head1 METHODS
60 =head2 new
62 Create object (via Class::Accessor).
64 =cut
66 sub new {
67 my ( $class ) = @_;
68 return $class->SUPER::new();
71 =head2 generate
73 my $token = $tokenizer->generate({ length => 20 });
74 my $csrf_token = $tokenizer->generate({
75 type => 'CSRF', id => $id, secret => $secret,
76 });
78 Generate several types of tokens. Now includes CSRF.
79 Room for future extension.
81 =cut
83 sub generate {
84 my ( $self, $params ) = @_;
85 if( $params->{type} && $params->{type} eq 'CSRF' ) {
86 $self->{lasttoken} = _gen_csrf( $params );
87 } else {
88 $self->{lasttoken} = _gen_rand( $params );
90 return $self->{lasttoken};
93 =head2 generate_csrf
95 Shortcut for: generate({ type => 'CSRF', ... })
97 =cut
99 sub generate_csrf {
100 my ( $self, $params ) = @_;
101 return $self->generate({ %$params, type => 'CSRF' });
104 =head2 check
106 my $result = $tokenizer->check({
107 type => 'CSRF', id => $id, secret => $secret, token => $token,
110 Check several types of tokens. Now includes CSRF.
111 Room for future extension.
113 =cut
115 sub check {
116 my ( $self, $params ) = @_;
117 if( $params->{type} && $params->{type} eq 'CSRF' ) {
118 return _chk_csrf( $params );
120 return;
123 =head2 check_csrf
125 Shortcut for: check({ type => 'CSRF', ... })
127 =cut
129 sub check_csrf {
130 my ( $self, $params ) = @_;
131 return $self->check({ %$params, type => 'CSRF' });
134 # --- Internal routines ---
136 sub _gen_csrf {
138 # Since WWW::CSRF::generate_csrf_token does not use the NonBlocking
139 # parameter of Bytes::Random::Secure, we are passing random bytes from
140 # a non blocking source to WWW::CSRF via its Random parameter.
142 my ( $params ) = @_;
143 return if !$params->{id} || !$params->{secret};
146 my $randomizer = Bytes::Random::Secure->new( NonBlocking => 1 );
147 # this is most fundamental: do not use /dev/random since it is
148 # blocking, but use /dev/urandom !
149 my $random = $randomizer->bytes( HMAC_SHA1_LENGTH );
150 my $token = WWW::CSRF::generate_csrf_token(
151 $params->{id}, $params->{secret}, { Random => $random },
154 return $token;
157 sub _chk_csrf {
158 my ( $params ) = @_;
159 return if !$params->{id} || !$params->{secret} || !$params->{token};
161 my $csrf_status = WWW::CSRF::check_csrf_token(
162 $params->{id},
163 $params->{secret},
164 $params->{token},
165 { MaxAge => $params->{MaxAge} // ( CSRF_EXPIRY_HOURS * 3600 ) },
167 return $csrf_status == WWW::CSRF::CSRF_OK();
170 sub _gen_rand {
171 my ( $params ) = @_;
172 my $length = $params->{length} || 1;
173 $length = 1 unless $length > 0;
175 return String::Random::random_string( '.' x $length );
178 =head1 AUTHOR
180 Marcel de Rooy, Rijksmuseum Amsterdam, The Netherlands
182 =cut