[catagits/Catalyst-Plugin-RequireSSL.git] / lib / Catalyst / Plugin / RequireSSL.pm

package Catalyst::Plugin::RequireSSL;

use strict;
use base qw/Class::Accessor::Fast/;
use NEXT;

our $VERSION = '0.07';

__PACKAGE__->mk_accessors( qw/_require_ssl _ssl_strip_output/ );

sub require_ssl {
    my $c = shift;

    $c->_require_ssl(1);

    if ( !$c->req->secure && $c->req->method ne "POST" ) {
        my $redir = $c->_redirect_uri('https');
        if ( $c->config->{require_ssl}->{disabled} ) {
            $c->log->warn( "RequireSSL: Would have redirected to $redir" );
        }
        else {
            $c->_ssl_strip_output(1);
            $c->res->redirect( $redir );
        }
    }
}

sub finalize {
    my $c = shift;
    
    # Do not redirect static files (only works with Static::Simple)
    if ( $c->isa( "Catalyst::Plugin::Static::Simple" ) ) {
        return $c->NEXT::finalize(@_) if $c->_static_file;
    }
    
    # redirect back to non-SSL mode
    REDIRECT:
    {
        # No redirect if:
        # we're not in SSL mode
        last REDIRECT if !$c->req->secure;
        # it's a POST request
        last REDIRECT if $c->req->method eq "POST";
        # we're already required to be in SSL for this request
        last REDIRECT if $c->_require_ssl;
        # or the user doesn't want us to redirect
        last REDIRECT if $c->config->{require_ssl}->{remain_in_ssl};
        
        $c->res->redirect( $c->_redirect_uri('http') );
    }

    # do not allow any output to be displayed on the insecure page
    if ( $c->_ssl_strip_output ) {
        $c->res->body( '' );
    }

    return $c->NEXT::finalize(@_);
}

sub setup {
    my $c = shift;

    $c->NEXT::setup(@_);

    # disable the plugin when running under certain engines which don't
    # support SSL
    if ( $c->engine =~ /Catalyst::Engine::HTTP/ ) {
        $c->config->{require_ssl}->{disabled} = 1;
        $c->log->warn( "RequireSSL: Disabling SSL redirection while running "
                     . "under " . $c->engine );
    }
}

sub _redirect_uri {
    my ( $c, $type ) = @_;

    # XXX: Cat needs a $c->req->host method...
    # until then, strip off the leading protocol from base
    if ( !$c->config->{require_ssl}->{$type} ) {
        my $host = $c->req->base;
        $host =~ s/^http(s?):\/\///;
        $c->config->{require_ssl}->{$type} = $host;
    }

    if ( $c->config->{require_ssl}->{$type} !~ /\/$/xms ) {
        $c->config->{require_ssl}->{$type} .= '/';
    }

    my $redir
        = $type . '://' . $c->config->{require_ssl}->{$type} . $c->req->path;
        
    if ( scalar $c->req->param ) {
        my @params;
        foreach my $arg ( sort keys %{ $c->req->params } ) {
            if ( ref $c->req->params->{$arg} ) {
                my $list = $c->req->params->{$arg};
                push @params, map { "$arg=" . $_  } sort @{$list};
            }
            else {
                push @params, "$arg=" . $c->req->params->{$arg};
            }
        }
        $redir .= '?' . join( '&', @params );
    }  
          
    if ( $c->config->{require_ssl}->{no_cache} ) {        
        delete $c->config->{require_ssl}->{$type};
    }
    
    return $redir;
}

1;
__END__

=head1 NAME

Catalyst::Plugin::RequireSSL - Force SSL mode on select pages

=head1 SYNOPSIS

    # in MyApp.pm
    use Catalyst;
    MyApp->setup( qw/RequireSSL/ );
    
    MyApp->config->{require_ssl} = {
        https => 'secure.mydomain.com',
        http => 'www.mydomain.com',
        remain_in_ssl => 0,
        no_cache => 0,
    };

    # in any controller methods that should be secured
    $c->require_ssl;

=head1 DESCRIPTION

Use this plugin if you wish to selectively force SSL mode on some of your web
pages, for example a user login form or shopping cart.

Simply place $c->require_ssl calls in any controller method you wish to be
secured. 

This plugin will automatically disable itself if you are running under the
standalone HTTP::Daemon Catalyst server.  A warning message will be printed to
the log file whenever an SSL redirect would have occurred.

=head1 WARNINGS

If you utilize different servers or hostnames for non-SSL and SSL requests,
and you rely on a session cookie to determine redirection (i.e for a login
page), your cookie must be visible to both servers.  For more information, see
the documentation for the Session plugin you are using.

=head1 CONFIGURATION

Configuration is optional.  You may define the following configuration values:

    https => $ssl_host
    
If your SSL domain name is different from your non-SSL domain, set this value.

    http => $non_ssl_host
    
If you have set the https value above, you must also set the hostname of your
non-SSL server.

    remain_in_ssl
    
If you'd like your users to remain in SSL mode after visiting an SSL-required
page, you can set this option to 1.  By default, this option is disabled and
users will be redirected back to non-SSL mode as soon as possible.

    no_cache 

If you have a wildcard certificate you will need to set this option if you are
using multiple domains on one instance of Catalyst.

=head1 METHODS

=head2 require_ssl

Call require_ssl in any controller method you wish to be secured.

    $c->require_ssl;

The browser will be redirected to the same path on your SSL server.  POST
requests are never redirected.

=head2 setup

Disables this plugin if running under an engine which does not support SSL.

=head2 finalize

Performs the redirect to SSL url if required.

=head1 KNOWN ISSUES

When viewing an SSL-required page that uses static files served from the
Static plugin, the static files are redirected to the non-SSL path.

In order to get the correct behaviour where static files are not redirected,
you should use the Static::Simple plugin or always serve static files
directly from your web server.

=head1 SEE ALSO

L<Catalyst>, L<Catalyst::Plugin::Static::Simple>

=head1 AUTHOR

Andy Grundman, <andy@hybridized.org>

=head1 CONTRIBUTORS

Simon Elliott <simon@browsing.co.uk> (support for wildcards)

=head1 COPYRIGHT

This program is free software, you can redistribute it and/or modify it under
the same terms as Perl itself.

=cut
Commit	Line	Data
1763fe29	1	package Catalyst::Plugin::RequireSSL;
	2
	3	use strict;
	4	use base qw/Class::Accessor::Fast/;
	5	use NEXT;
	6
ffd9355f	7	our $VERSION = '0.07';
1763fe29	8
4585dfb1	9	__PACKAGE__->mk_accessors( qw/_require_ssl _ssl_strip_output/ );
eeefd598	10
	11	sub require_ssl {
	12	my $c = shift;
	13
	14	$c->_require_ssl(1);
	15
	16	if ( !$c->req->secure && $c->req->method ne "POST" ) {
	17	my $redir = $c->_redirect_uri('https');
	18	if ( $c->config->{require_ssl}->{disabled} ) {
	19	$c->log->warn( "RequireSSL: Would have redirected to $redir" );
	20	}
	21	else {
4585dfb1	22	$c->_ssl_strip_output(1);
eeefd598	23	$c->res->redirect( $redir );
	24	}
	25	}
	26	}
	27
	28	sub finalize {
	29	my $c = shift;
	30
	31	# Do not redirect static files (only works with Static::Simple)
	32	if ( $c->isa( "Catalyst::Plugin::Static::Simple" ) ) {
	33	return $c->NEXT::finalize(@_) if $c->_static_file;
	34	}
	35
	36	# redirect back to non-SSL mode
	37	REDIRECT:
	38	{
	39	# No redirect if:
	40	# we're not in SSL mode
	41	last REDIRECT if !$c->req->secure;
	42	# it's a POST request
	43	last REDIRECT if $c->req->method eq "POST";
	44	# we're already required to be in SSL for this request
	45	last REDIRECT if $c->_require_ssl;
	46	# or the user doesn't want us to redirect
	47	last REDIRECT if $c->config->{require_ssl}->{remain_in_ssl};
	48
	49	$c->res->redirect( $c->_redirect_uri('http') );
	50	}
	51
4585dfb1	52	# do not allow any output to be displayed on the insecure page
4585dfb1	53	if ( $c->_ssl_strip_output ) {
cc4f2717	54	$c->res->body( '' );
4585dfb1	55	}
4585dfb1	56
eeefd598	57	return $c->NEXT::finalize(@_);
	58	}
	59
	60	sub setup {
	61	my $c = shift;
	62
	63	$c->NEXT::setup(@_);
	64
	65	# disable the plugin when running under certain engines which don't
	66	# support SSL
cae2ad7f	67	if ( $c->engine =~ /Catalyst::Engine::HTTP/ ) {
eeefd598	68	$c->config->{require_ssl}->{disabled} = 1;
	69	$c->log->warn( "RequireSSL: Disabling SSL redirection while running "
	70	. "under " . $c->engine );
	71	}
	72	}
	73
	74	sub _redirect_uri {
	75	my ( $c, $type ) = @_;
	76
	77	# XXX: Cat needs a $c->req->host method...
	78	# until then, strip off the leading protocol from base
	79	if ( !$c->config->{require_ssl}->{$type} ) {
	80	my $host = $c->req->base;
	81	$host =~ s/^http(s?):\/\///;
	82	$c->config->{require_ssl}->{$type} = $host;
	83	}
	84
	85	if ( $c->config->{require_ssl}->{$type} !~ /\/$/xms ) {
	86	$c->config->{require_ssl}->{$type} .= '/';
	87	}
	88
	89	my $redir
	90	= $type . '://' . $c->config->{require_ssl}->{$type} . $c->req->path;
4585dfb1	91
eeefd598	92	if ( scalar $c->req->param ) {
4585dfb1	93	my @params;
	94	foreach my $arg ( sort keys %{ $c->req->params } ) {
	95	if ( ref $c->req->params->{$arg} ) {
	96	my $list = $c->req->params->{$arg};
	97	push @params, map { "$arg=" . $_ } sort @{$list};
	98	}
	99	else {
	100	push @params, "$arg=" . $c->req->params->{$arg};
	101	}
	102	}
	103	$redir .= '?' . join( '&', @params );
51ef6cb3	104	}
51ef6cb3	105
b0b7bb46	106	if ( $c->config->{require_ssl}->{no_cache} ) {
ffd9355f	107	delete $c->config->{require_ssl}->{$type};
	108	}
	109
eeefd598	110	return $redir;
	111	}
	112
	113	1;
	114	__END__
1763fe29	115
	116	=head1 NAME
	117
	118	Catalyst::Plugin::RequireSSL - Force SSL mode on select pages
	119
	120	=head1 SYNOPSIS
	121
eeefd598	122	# in MyApp.pm
	123	use Catalyst;
	124	MyApp->setup( qw/RequireSSL/ );
1763fe29	125
	126	MyApp->config->{require_ssl} = {
	127	https => 'secure.mydomain.com',
	128	http => 'www.mydomain.com',
	129	remain_in_ssl => 0,
ffd9355f	130	no_cache => 0,
1763fe29	131	};
1763fe29	132
eeefd598	133	# in any controller methods that should be secured
1763fe29	134	$c->require_ssl;
	135
	136	=head1 DESCRIPTION
	137
eeefd598	138	Use this plugin if you wish to selectively force SSL mode on some of your web
eeefd598	139	pages, for example a user login form or shopping cart.
1763fe29	140
eeefd598	141	Simply place $c->require_ssl calls in any controller method you wish to be
eeefd598	142	secured.
1763fe29	143
eeefd598	144	This plugin will automatically disable itself if you are running under the
	145	standalone HTTP::Daemon Catalyst server. A warning message will be printed to
	146	the log file whenever an SSL redirect would have occurred.
1763fe29	147
	148	=head1 WARNINGS
	149
eeefd598	150	If you utilize different servers or hostnames for non-SSL and SSL requests,
	151	and you rely on a session cookie to determine redirection (i.e for a login
	152	page), your cookie must be visible to both servers. For more information, see
	153	the documentation for the Session plugin you are using.
1763fe29	154
	155	=head1 CONFIGURATION
	156
	157	Configuration is optional. You may define the following configuration values:
	158
	159	https => $ssl_host
	160
	161	If your SSL domain name is different from your non-SSL domain, set this value.
	162
	163	http => $non_ssl_host
	164
eeefd598	165	If you have set the https value above, you must also set the hostname of your
eeefd598	166	non-SSL server.
1763fe29	167
	168	remain_in_ssl
	169
eeefd598	170	If you'd like your users to remain in SSL mode after visiting an SSL-required
	171	page, you can set this option to 1. By default, this option is disabled and
	172	users will be redirected back to non-SSL mode as soon as possible.
1763fe29	173
ffd9355f	174	no_cache
11f9b043	175
11f9b043	176	If you have a wildcard certificate you will need to set this option if you are
51ef6cb3	177	using multiple domains on one instance of Catalyst.
11f9b043	178
eeefd598	179	=head1 METHODS
1763fe29	180
eeefd598	181	=head2 require_ssl
1763fe29	182
	183	Call require_ssl in any controller method you wish to be secured.
	184
	185	$c->require_ssl;
	186
eeefd598	187	The browser will be redirected to the same path on your SSL server. POST
eeefd598	188	requests are never redirected.
1763fe29	189
ffd9355f	190	=head2 setup
	191
	192	Disables this plugin if running under an engine which does not support SSL.
	193
	194	=head2 finalize
	195
	196	Performs the redirect to SSL url if required.
	197
1763fe29	198	=head1 KNOWN ISSUES
1763fe29	199
eeefd598	200	When viewing an SSL-required page that uses static files served from the
eeefd598	201	Static plugin, the static files are redirected to the non-SSL path.
1763fe29	202
eeefd598	203	In order to get the correct behaviour where static files are not redirected,
	204	you should use the Static::Simple plugin or always serve static files
	205	directly from your web server.
1763fe29	206
	207	=head1 SEE ALSO
	208
eeefd598	209	L<Catalyst>, L<Catalyst::Plugin::Static::Simple>
1763fe29	210
	211	=head1 AUTHOR
	212
eeefd598	213	Andy Grundman, <andy@hybridized.org>
1763fe29	214
11f9b043	215	=head1 CONTRIBUTORS
	216
	217	Simon Elliott <simon@browsing.co.uk> (support for wildcards)
	218
1763fe29	219	=head1 COPYRIGHT
	220
	221	This program is free software, you can redistribute it and/or modify it under
	222	the same terms as Perl itself.
	223
	224	=cut