[html-formfu] Include Catalyst::Controller::RequestToken in C::C::HTML::FormFu

Carl Franks fireartist at gmail.com
Thu Jan 15 14:36:45 GMT 2009


2009/1/15  <onken at houseofdesign.de>:
>
> Hi,
>
> what do you think about including
> http://search.cpan.org/perldoc?Catalyst::Controller::RequestToken in the
> FormFu controller?
> CSRF is a serious problem and RequestToken can protect you against that
> threat.
>
> If you think this is a good idea I will start writing a patch for the
> controller.
>
> This is how I would do it:
>
> * RequestToken expects a field with the name "_token" to be present so I
> will add this as a hidden field by default.
> * this field has a constraint attached which checks whether the token is
> valid.
> * This feature is disabled by default for backwards compatibility.
> * enable this feature with __PACKAGE__->config->{token}

I really like this idea.

I would suggest putting the bulk of the logic in a Plugin
(HTML::FormFu::Plugin::RequestToken) that runs during process(), that
checks to see if the hidden field exists, and if not adds it, and then
checks to see if the constraint exists, and if not adds it.

Otherwise, there would be problems with adding the field automatically
in C::C::HTML::FormFu, because if fields are added before the form
config is loaded, the xhtml will be invalid if the field isn't within
a fieldset. And I can't really see any way to handle that nicely for
$self->form() which returns a form with no config loaded yet.

So the only thing the code in C::C::HTML::FormFu should need to do is
add the Plugin to each form during $controller->_common_construction.
( or $controller->_form() if it isn't suitable for MultiForms - I
haven't looked at it closely enough to figure that out).
And of course, that would be configurable.

So maybe the following config options...
request_token_enable     # 0 by default
request_token_add_plugin # 1 by default

Looking at C::C::RequestToken some more... I don't think it would be
appropriate for C::C::HTML::FormFu to inherit from C::C::RequestToken
- so I think you'd need to make it a requirement that the user's
application inherit from C::C::RequestToken.

Nice idea!
Cheers,
Carl
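A sketch of the plugin approach Carl outlines above (a plugin that runs during the form's process(), adds the hidden "_token" field if it is missing, and attaches a validating constraint if none exists). This is an added example, not code from HTML::FormFu, Catalyst::Controller::HTML::FormFu or Catalyst::Controller::RequestToken; the package name, the `field_name`/`stash_key` options, and the assumption that the controller places the expected token on the form stash under `request_token` are hypothetical. It uses the plugin's `pre_process` hook so the field exists before input is read, and adds the field to the first fieldset when one exists, which sidesteps the invalid-xhtml concern raised in the reply.

```perl
package HTML::FormFu::Plugin::RequestToken;
# Hypothetical plugin sketch (added example, not part of HTML::FormFu).
use strict;
use warnings;
use Moose;
extends 'HTML::FormFu::Plugin';

# Field name RequestToken expects, as stated in the thread.
has field_name => ( is => 'rw', isa => 'Str', default => '_token' );

# Form-stash key where the controller stores the expected token (assumption).
has stash_key => ( is => 'rw', isa => 'Str', default => 'request_token' );

# Runs before input is processed, so the field can still receive a value.
sub pre_process {
    my ($self) = @_;
    my $form = $self->form;
    my $name = $self->field_name;

    # 1. Add the hidden field only if the form config didn't define one.
    my $field = $form->get_field( { name => $name } );
    if ( !defined $field ) {
        # Prefer the first fieldset so the markup stays valid xhtml.
        my $parent = $form->get_element( { type => 'Fieldset' } ) || $form;
        $field = $parent->element( { type => 'Hidden', name => $name } );
    }

    # 2. Attach the validating constraint only if none is present yet.
    if ( !$field->get_constraint( { type => 'Callback' } ) ) {
        my $plugin = $self;
        $field->constraint(
            {
                type     => 'Callback',
                message  => 'Invalid or expired request token',
                callback => sub {
                    my ($value) = @_;
                    my $expected = $plugin->form->stash->{ $plugin->stash_key };
                    return _tokens_equal( $value, $expected );
                },
            }
        );
    }

    # 3. Pre-fill the field with the current token so the rendered form carries it.
    my $expected = $form->stash->{ $self->stash_key };
    $field->default($expected) if defined $expected && !defined $field->default;

    return;
}

# Length-safe, constant-time comparison so the token check leaks nothing
# about how many leading bytes matched.
sub _tokens_equal {
    my ( $got, $expected ) = @_;
    return 0 unless defined $got && defined $expected;
    return 0 unless length $got == length $expected;
    my $diff = 0;
    $diff |= ord( substr( $got, $_, 1 ) ) ^ ord( substr( $expected, $_, 1 ) )
        for 0 .. length($got) - 1;
    return $diff == 0 ? 1 : 0;
}

1;

# Usage from a Catalyst action (hypothetical wiring; the controller is
# assumed to inherit from Catalyst::Controller::RequestToken, as suggested):
#
#   my $form = $self->form;
#   $form->stash->{request_token} = $expected_token;   # from RequestToken
#   $form->plugins( { type => 'RequestToken' } );
#   $form->load_config_file('edit.yml');
#   $form->process;
```

The controller-side part is the only thing left for C::C::HTML::FormFu to do: attach the plugin when a `request_token_enable`-style option is set and put the token where the plugin expects it. Everything about which field exists and which constraint validates it lives in the plugin, so a form config that already declares its own `_token` field is left alone.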