[catagits/Catalyst-Plugin-RequireSSL.git] / lib / Catalyst / Plugin / RequireSSL.pm

package Catalyst::Plugin::RequireSSL;

use strict;
use base qw/Class::Accessor::Fast/;
use MRO::Compat;

our $VERSION = '0.07';

__PACKAGE__->mk_accessors( qw/_require_ssl _allow_ssl _ssl_strip_output/ );

sub require_ssl {
    my $c = shift;

    $c->_require_ssl(1);

    if ( !$c->req->secure && $c->req->method ne "POST" ) {
        my $redir = $c->_redirect_uri('https');
        if ( $c->config->{require_ssl}->{disabled} ) {
            $c->log->warn( "RequireSSL: Would have redirected to $redir" );
        }
        else {
            $c->_ssl_strip_output(1);
            $c->res->redirect( $redir );
            $c->detach if $c->config->{require_ssl}->{detach_on_redirect};
        }
    }
}

sub allow_ssl {
    my $c = shift;

    $c->_allow_ssl(1);
}

sub finalize {
    my $c = shift;
    
    # Do not redirect static files (only works with Static::Simple)
    if ( $c->isa( "Catalyst::Plugin::Static::Simple" ) ) {
        return $c->next::method(@_) if $c->_static_file;
    }
    
    # redirect back to non-SSL mode
    REDIRECT:
    {
        # No redirect if:
        # we're not in SSL mode
        last REDIRECT if !$c->req->secure;
        # it's a POST request
        last REDIRECT if $c->req->method eq "POST";
        # we're already required to be in SSL for this request
        last REDIRECT if $c->_require_ssl;
        # or the user doesn't want us to redirect
        last REDIRECT if $c->config->{require_ssl}->{remain_in_ssl} || $c->_allow_ssl;
        
        $c->res->redirect( $c->_redirect_uri('http') );
    }

    # do not allow any output to be displayed on the insecure page
    if ( $c->_ssl_strip_output ) {
        $c->res->body( '' );
    }

    return $c->next::method(@_);
}

sub setup {
    my $c = shift;

    $c->next::method(@_);

    # disable the plugin when running under certain engines which don't
    # support SSL
    if ( $c->engine =~ /Catalyst::Engine::HTTP/ ) {
        $c->config->{require_ssl}->{disabled} = 1;
        $c->log->warn( "RequireSSL: Disabling SSL redirection while running "
                     . "under " . $c->engine );
    }
}

sub _redirect_uri {
    my ( $c, $type ) = @_;

    if ( !$c->config->{require_ssl}->{$type} ) {
        my $req_uri = $c->req->uri;
        $c->config->{require_ssl}->{$type} =
          join(':', $req_uri->host, $req_uri->_port);
    }

    $c->config->{require_ssl}->{$type} =~ s/\/+$//;

    my $redir = $c->req->uri->clone;
    $redir->scheme($type);
    $redir->host_port($c->config->{require_ssl}->{$type});

    if ( $c->config->{require_ssl}->{no_cache} ) {        
        delete $c->config->{require_ssl}->{$type};
    }
    
    return $redir;
}

1;
__END__

=head1 NAME

Catalyst::Plugin::RequireSSL - Force SSL mode on select pages

=head1 SYNOPSIS

    # in MyApp.pm
    use Catalyst qw/
        RequireSSL
    /;
    __PACKAGE__->config(
        require_ssl => {
            https => 'secure.mydomain.com',
            http => 'www.mydomain.com',
            remain_in_ssl => 0,
            no_cache => 0,
            detach_on_redirect => 1,
        },
    );
    __PACKAGE__->setup;


    # in any controller methods that should be secured
    $c->require_ssl;

=head1 DESCRIPTION

B<Note:> This module is considered to be deprecated for most purposes. Consider
using L<Catalyst::ActionRole::RequireSSL> instead.

Use this plugin if you wish to selectively force SSL mode on some of your web
pages, for example a user login form or shopping cart.

Simply place $c->require_ssl calls in any controller method you wish to be
secured. 

This plugin will automatically disable itself if you are running under the
standalone HTTP::Daemon Catalyst server.  A warning message will be printed to
the log file whenever an SSL redirect would have occurred.

=head1 WARNINGS

If you utilize different servers or hostnames for non-SSL and SSL requests,
and you rely on a session cookie to determine redirection (i.e for a login
page), your cookie must be visible to both servers.  For more information, see
the documentation for the Session plugin you are using.

=head1 CONFIGURATION

Configuration is optional.  You may define the following configuration values:

    https => $ssl_host
    
If your SSL domain name is different from your non-SSL domain, set this value.

    http => $non_ssl_host
    
If you have set the https value above, you must also set the hostname of your
non-SSL server.

    remain_in_ssl
    
If you'd like your users to remain in SSL mode after visiting an SSL-required
page, you can set this option to 1.  By default, this option is disabled and
users will be redirected back to non-SSL mode as soon as possible.

    no_cache 

If you have a wildcard certificate you will need to set this option if you are
using multiple domains on one instance of Catalyst.

    detach_on_redirect 

By default C<< $c->require_ssl >> only calls C<< $c->response->redirect >> but
does not stop request processing (so it returns and subsequent statements are
run). This is probably not what you want. If you set this option to a true
value C<< $c->require_ssl >> will call C<< $c->detach >> when it redirects.

=head1 METHODS

=head2 require_ssl

Call require_ssl in any controller method you wish to be secured.

    $c->require_ssl;

The browser will be redirected to the same path on your SSL server.  POST
requests are never redirected.

=head2 allow_ssl

Call allow_ssl in any controller method you wish to access both in SSL and
non-SSL mode.

    $c->allow_ssl;

The browser will not be redirected, independently of whether the request was
made to the SSL or non-SSL server.

=head2 setup

Disables this plugin if running under an engine which does not support SSL.

=head2 finalize

Performs the redirect to SSL url if required.

=head1 KNOWN ISSUES

When viewing an SSL-required page that uses static files served from the
Static plugin, the static files are redirected to the non-SSL path.

In order to get the correct behaviour where static files are not redirected,
you should use the Static::Simple plugin or always serve static files
directly from your web server.

=head1 SEE ALSO

L<Catalyst>, L<Catalyst::ActionRole::RequireSSL>,
L<Catalyst::Plugin::Static::Simple>

=head1 AUTHOR

Andy Grundman, <andy@hybridized.org>

=head1 CONTRIBUTORS

Simon Elliott <simon@browsing.co.uk> (support for wildcards)

=head1 COPYRIGHT

This program is free software, you can redistribute it and/or modify it under
the same terms as Perl itself.

=cut
Commit	Line	Data
1763fe29	1	package Catalyst::Plugin::RequireSSL;
	2
	3	use strict;
	4	use base qw/Class::Accessor::Fast/;
962fe7ef	5	use MRO::Compat;
1763fe29	6
9caebfc0	7	our $VERSION = '0.07';
1763fe29	8
c4744895	9	__PACKAGE__->mk_accessors( qw/_require_ssl _allow_ssl _ssl_strip_output/ );
eeefd598	10
	11	sub require_ssl {
	12	my $c = shift;
	13
	14	$c->_require_ssl(1);
	15
	16	if ( !$c->req->secure && $c->req->method ne "POST" ) {
	17	my $redir = $c->_redirect_uri('https');
	18	if ( $c->config->{require_ssl}->{disabled} ) {
	19	$c->log->warn( "RequireSSL: Would have redirected to $redir" );
	20	}
	21	else {
4585dfb1	22	$c->_ssl_strip_output(1);
eeefd598	23	$c->res->redirect( $redir );
794abe2a	24	$c->detach if $c->config->{require_ssl}->{detach_on_redirect};
eeefd598	25	}
	26	}
	27	}
	28
c4744895	29	sub allow_ssl {
	30	my $c = shift;
	31
	32	$c->_allow_ssl(1);
	33	}
	34
eeefd598	35	sub finalize {
	36	my $c = shift;
	37
	38	# Do not redirect static files (only works with Static::Simple)
	39	if ( $c->isa( "Catalyst::Plugin::Static::Simple" ) ) {
962fe7ef	40	return $c->next::method(@_) if $c->_static_file;
eeefd598	41	}
	42
	43	# redirect back to non-SSL mode
	44	REDIRECT:
	45	{
	46	# No redirect if:
	47	# we're not in SSL mode
	48	last REDIRECT if !$c->req->secure;
	49	# it's a POST request
	50	last REDIRECT if $c->req->method eq "POST";
	51	# we're already required to be in SSL for this request
	52	last REDIRECT if $c->_require_ssl;
	53	# or the user doesn't want us to redirect
c4744895	54	last REDIRECT if $c->config->{require_ssl}->{remain_in_ssl} \|\| $c->_allow_ssl;
eeefd598	55
	56	$c->res->redirect( $c->_redirect_uri('http') );
	57	}
	58
4585dfb1	59	# do not allow any output to be displayed on the insecure page
4585dfb1	60	if ( $c->_ssl_strip_output ) {
cc4f2717	61	$c->res->body( '' );
4585dfb1	62	}
4585dfb1	63
962fe7ef	64	return $c->next::method(@_);
eeefd598	65	}
	66
	67	sub setup {
	68	my $c = shift;
	69
962fe7ef	70	$c->next::method(@_);
eeefd598	71
	72	# disable the plugin when running under certain engines which don't
	73	# support SSL
cae2ad7f	74	if ( $c->engine =~ /Catalyst::Engine::HTTP/ ) {
eeefd598	75	$c->config->{require_ssl}->{disabled} = 1;
	76	$c->log->warn( "RequireSSL: Disabling SSL redirection while running "
	77	. "under " . $c->engine );
	78	}
	79	}
	80
	81	sub _redirect_uri {
	82	my ( $c, $type ) = @_;
	83
eeefd598	84	if ( !$c->config->{require_ssl}->{$type} ) {
61b31739	85	my $req_uri = $c->req->uri;
	86	$c->config->{require_ssl}->{$type} =
	87	join(':', $req_uri->host, $req_uri->_port);
eeefd598	88	}
eeefd598	89
61b31739	90	$c->config->{require_ssl}->{$type} =~ s/\/+$//;
	91
	92	my $redir = $c->req->uri->clone;
	93	$redir->scheme($type);
	94	$redir->host_port($c->config->{require_ssl}->{$type});
eeefd598	95
b0b7bb46	96	if ( $c->config->{require_ssl}->{no_cache} ) {
ffd9355f	97	delete $c->config->{require_ssl}->{$type};
	98	}
	99
eeefd598	100	return $redir;
	101	}
	102
	103	1;
	104	__END__
1763fe29	105
	106	=head1 NAME
	107
	108	Catalyst::Plugin::RequireSSL - Force SSL mode on select pages
	109
	110	=head1 SYNOPSIS
	111
eeefd598	112	# in MyApp.pm
6c86ea60	113	use Catalyst qw/
	114	RequireSSL
	115	/;
	116	__PACKAGE__->config(
	117	require_ssl => {
	118	https => 'secure.mydomain.com',
	119	http => 'www.mydomain.com',
	120	remain_in_ssl => 0,
	121	no_cache => 0,
	122	detach_on_redirect => 1,
	123	},
	124	);
	125	__PACKAGE__->setup;
	126
1763fe29	127
eeefd598	128	# in any controller methods that should be secured
1763fe29	129	$c->require_ssl;
	130
	131	=head1 DESCRIPTION
	132
eaea4c66	133	B<Note:> This module is considered to be deprecated for most purposes. Consider
	134	using L<Catalyst::ActionRole::RequireSSL> instead.
	135
eeefd598	136	Use this plugin if you wish to selectively force SSL mode on some of your web
eeefd598	137	pages, for example a user login form or shopping cart.
1763fe29	138
eeefd598	139	Simply place $c->require_ssl calls in any controller method you wish to be
eeefd598	140	secured.
1763fe29	141
eeefd598	142	This plugin will automatically disable itself if you are running under the
	143	standalone HTTP::Daemon Catalyst server. A warning message will be printed to
	144	the log file whenever an SSL redirect would have occurred.
1763fe29	145
	146	=head1 WARNINGS
	147
eeefd598	148	If you utilize different servers or hostnames for non-SSL and SSL requests,
	149	and you rely on a session cookie to determine redirection (i.e for a login
	150	page), your cookie must be visible to both servers. For more information, see
	151	the documentation for the Session plugin you are using.
1763fe29	152
	153	=head1 CONFIGURATION
	154
	155	Configuration is optional. You may define the following configuration values:
	156
	157	https => $ssl_host
	158
	159	If your SSL domain name is different from your non-SSL domain, set this value.
	160
	161	http => $non_ssl_host
	162
eeefd598	163	If you have set the https value above, you must also set the hostname of your
eeefd598	164	non-SSL server.
1763fe29	165
	166	remain_in_ssl
	167
eeefd598	168	If you'd like your users to remain in SSL mode after visiting an SSL-required
	169	page, you can set this option to 1. By default, this option is disabled and
	170	users will be redirected back to non-SSL mode as soon as possible.
1763fe29	171
ffd9355f	172	no_cache
11f9b043	173
11f9b043	174	If you have a wildcard certificate you will need to set this option if you are
51ef6cb3	175	using multiple domains on one instance of Catalyst.
11f9b043	176
794abe2a	177	detach_on_redirect
	178
	179	By default C<< $c->require_ssl >> only calls C<< $c->response->redirect >> but
	180	does not stop request processing (so it returns and subsequent statements are
	181	run). This is probably not what you want. If you set this option to a true
	182	value C<< $c->require_ssl >> will call C<< $c->detach >> when it redirects.
	183
eeefd598	184	=head1 METHODS
1763fe29	185
eeefd598	186	=head2 require_ssl
1763fe29	187
	188	Call require_ssl in any controller method you wish to be secured.
	189
	190	$c->require_ssl;
	191
eeefd598	192	The browser will be redirected to the same path on your SSL server. POST
eeefd598	193	requests are never redirected.
1763fe29	194
c4744895	195	=head2 allow_ssl
	196
	197	Call allow_ssl in any controller method you wish to access both in SSL and
	198	non-SSL mode.
	199
	200	$c->allow_ssl;
	201
	202	The browser will not be redirected, independently of whether the request was
	203	made to the SSL or non-SSL server.
	204
ffd9355f	205	=head2 setup
	206
	207	Disables this plugin if running under an engine which does not support SSL.
	208
	209	=head2 finalize
	210
	211	Performs the redirect to SSL url if required.
	212
1763fe29	213	=head1 KNOWN ISSUES
1763fe29	214
eeefd598	215	When viewing an SSL-required page that uses static files served from the
eeefd598	216	Static plugin, the static files are redirected to the non-SSL path.
1763fe29	217
eeefd598	218	In order to get the correct behaviour where static files are not redirected,
	219	you should use the Static::Simple plugin or always serve static files
	220	directly from your web server.
1763fe29	221
	222	=head1 SEE ALSO
	223
eaea4c66	224	L<Catalyst>, L<Catalyst::ActionRole::RequireSSL>,
eaea4c66	225	L<Catalyst::Plugin::Static::Simple>
1763fe29	226
	227	=head1 AUTHOR
	228
eeefd598	229	Andy Grundman, <andy@hybridized.org>
1763fe29	230
11f9b043	231	=head1 CONTRIBUTORS
	232
	233	Simon Elliott <simon@browsing.co.uk> (support for wildcards)
	234
1763fe29	235	=head1 COPYRIGHT
	236
	237	This program is free software, you can redistribute it and/or modify it under
	238	the same terms as Perl itself.
	239
	240	=cut