
NAME

Koha::App::Plugin::CSRF

SYNOPSIS

    $app->plugin('CSRF');

DESCRIPTION

Enables CSRF protection in a Mojolicious app.

METHODS

register

Called by Mojolicious when the plugin is loaded.

Defines an `around_action` hook that will prevent CSRF attacks.

If the HTTP request method is safe (GET, HEAD, OPTIONS, TRACE) and the request contains an `op` parameter whose value starts with "cud-" (which means it is a Create, Update or Delete operation), the hook immediately returns a 400 response.

If the HTTP request method is unsafe (POST, PUT, DELETE, PATCH, CONNECT) and the request contains an `op` parameter whose value does not start with "cud-", the hook immediately returns a 400 response.

If the HTTP request method is unsafe (POST, PUT, DELETE, PATCH, CONNECT) and the CGISESSID cookie is set, the CSRF token is checked. A 403 response is immediately returned if the CSRF token is missing or invalid. If the CGISESSID cookie is missing, it means that we are not authenticated or that we are authenticated to the API by another method (HTTP basic or OAuth2). In this case, no verification is done.

is_csrf_valid

Checks whether a CSRF token exists and is valid.

    $is_valid = $plugin->is_csrf_valid($req)

$req must be a Mojo::Message::Request object.
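As an added illustration (not Koha's own code), here is a minimal Mojolicious plugin that implements the three `around_action` rules above together with an `is_csrf_valid($req)` check. The package name, the `CSRF-TOKEN` header and `csrf_token` field names, and the token scheme (an HMAC of the session id under the first application secret) are assumptions for this example, not Koha::Token's format.

```perl
package My::App::Plugin::CSRF;    # hypothetical name; not Koha's own module
use Mojo::Base 'Mojolicious::Plugin';
use Digest::SHA qw(hmac_sha256_hex);
# Safe methods as listed in the description above; every other method is unsafe.
my %SAFE = map { $_ => 1 } qw(GET HEAD OPTIONS TRACE);
my $secret;    # first application secret, captured in register()
sub register {
    my ( $self, $app ) = @_;
    $secret = $app->secrets->[0];
    $app->hook(
        around_action => sub {
            my ( $next, $c, $action, $last ) = @_;
            my $method = uc $c->req->method;
            my $op     = $c->param('op');
            my $is_cud = defined $op && $op =~ /^cud-/;
            if ( $SAFE{$method} ) {
                # Rule 1: a state-changing "cud-" op must never ride on a safe method.
                return $c->render( status => 400, text => "cud- op not allowed with $method" ) if $is_cud;
                return $next->();
            }
            # Rule 2: an unsafe method that carries an op must mark it as cud-.
            return $c->render( status => 400, text => 'op must start with cud-' ) if defined $op && !$is_cud;
            # Rule 3: a CGISESSID cookie means a browser session, so the token must be valid;
            # no cookie means API auth (basic/OAuth2) or no auth, and the check is skipped.
            if ( defined $c->cookie('CGISESSID') ) {
                return $c->render( status => 403, text => 'Wrong CSRF token' ) unless $self->is_csrf_valid( $c->req );
            }
            return $next->();
        }
    );
}
# Token comes from a CSRF-TOKEN header or a csrf_token form field (assumed names) and
# must equal an HMAC of the session id under the app secret (assumed scheme, not Koha::Token's).
sub is_csrf_valid {
    my ( $self, $req ) = @_;
    my $session = $req->cookie('CGISESSID') or return 0;
    my $sent    = $req->headers->header('CSRF-TOKEN') // $req->param('csrf_token');
    return 0 unless defined $sent;
    return _secure_eq( $sent, hmac_sha256_hex( $session->value, $secret ) );
}
# Constant-time comparison so the token check does not leak timing information.
sub _secure_eq {
    my ( $x, $y ) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord( substr $x, $_, 1 ) ^ ord( substr $y, $_, 1 ) for 0 .. length($x) - 1;
    return $diff == 0;
}
1;
```

Load it with `$app->plugin('My::App::Plugin::CSRF')`; a POST that carries `op=cud-delete`, a CGISESSID cookie and no matching token is answered with 403 before the action runs.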
