added support for the X-CSRF-Token request header

mojolicious · Dec 4, 2013 · 490e48b · 490e48b
1 parent 71738ba
commit 490e48b
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 4 deletions.
diff --git a/lib/Mojolicious/Controller.pm b/lib/Mojolicious/Controller.pm
@@ -416,11 +416,14 @@ sub url_for {
 }
 
 sub validation {
-  my $self  = shift;
-  my $token = $self->session->{csrf_token};
+  my $self = shift;
+
+  my $req  = $self->req;
+  my $hash = $req->params->to_hash;
+  $hash->{csrf_token} //= $req->headers->header('X-CSRF-Token')
+    if my $token = $self->session->{csrf_token};
   return $self->stash->{'mojo.validation'}
-    ||= $self->app->validator->validation->input($self->req->params->to_hash)
-    ->csrf_token($token);
+    ||= $self->app->validator->validation->input($hash)->csrf_token($token);
 }
 
 sub write {

diff --git a/lib/Mojolicious/Guides/Rendering.pod b/lib/Mojolicious/Guides/Rendering.pod
@@ -784,6 +784,8 @@ validate it with L<Mojolicious::Validator::Validation/"csrf_protect">.
     </body>
   </html>
 
+The token can also be submitted with the C<X-CSRF-Token> request header.
+
 =head2 Adding helpers
 
 Adding and redefining helpers is very easy, you can use them to do pretty much

diff --git a/t/mojolicious/validation_lite_app.t b/t/mojolicious/validation_lite_app.t
@@ -184,6 +184,15 @@ $t->post_ok('/forgery' => form => {csrf_token => $token, foo => 'bar'})
   ->status_is(200)->content_unlike(qr/Wrong or missing CSRF token!/)
   ->element_exists('[value=bar]');
 
+# Correct CSRF token (header)
+$t->post_ok('/forgery' => {'X-CSRF-Token' => $token} => form => {foo => 'bar'})
+  ->status_is(200)->content_unlike(qr/Wrong or missing CSRF token!/)
+  ->element_exists('[value=bar]');
+
+# Wrong CSRF token (header)
+$t->post_ok('/forgery' => {'X-CSRF-Token' => 'abc'} => form => {foo => 'bar'})
+  ->status_is(200)->content_like(qr/Wrong or missing CSRF token!/);
+
 # Missing CSRF token again
 $t->post_ok('/forgery' => form => {foo => 'bar'})->status_is(200)
   ->content_like(qr/Wrong or missing CSRF token!/);