Security Advisories (2)
CVE-2026-11832 (2026-06-15)

Dancer2::Plugin::Auth::OAuth versions before 0.22 for Perl default to a predictable nonce. The default nonce was generated using an MD5 hash of the epoch time, which is predictable.

CVE-2026-12746 (2026-07-04)

Dancer2::Plugin::Auth::OAuth::Provider versions before 0.23 for Perl do not support the OAuth 2.0 state parameter. The authentication_url method builds the provider authorization redirect without issuing a state value, and the callback method exchanges the callback code and registers the resulting token into the session without verifying that the callback corresponds to an authorization request this session initiated. Any application that uses this plugin for OAuth 2.0 login is exposed to login cross-site request forgery: because the callback is not bound to the session that began the flow, an attacker who starts an authorization with their own provider account can deliver the resulting callback to a victim, causing the victim's session to complete the attacker's authorization and associating the attacker's provider identity and access token with that session. Where the application persists this as an account link, the attacker may retain access to the victim's account through their own provider credentials.

NAME

Dancer2::Plugin::Auth::OAuth - OAuth for your Dancer2 app

SYNOPSIS

# just 'use' the plugin, that's all.
use Dancer2::Plugin::Auth::OAuth;

DESCRIPTION

Dancer2::Plugin::Auth::OAuth is a Dancer2 plugin which tries to make OAuth authentication easy.

The module is highly influenced by Plack::Middleware::OAuth and Dancer 1 OAuth modules, but unlike the Dancer 1 versions, this plugin only needs configuration (look mom, no code needed!). It automatically sets up the needed routes (defaults to /auth/$provider and /auth/$provider/callback). So if you define the Twitter provider in your config, you should automatically get /auth/twitter and /auth/twitter/callback.

After a successful OAuth dance, the user info is stored in the session. What you do with it afterwards is up to you.

CONFIGURATION

The plugin comes with support for Facebook, Google and Twitter (other providers aren't hard to add, send me a pull request when you add more!)

All it takes to use OAuth authentication for a given provider, is to add the configuration for it.

The YAML below shows all available options.

plugins:
  "Auth::OAuth":
    prefix: /auth [*]
    success_url: / [*]
    error_url: / [*]
    providers:
      Facebook:
        tokens:
          client_id: your_client_id
          client_secret: your_client_secret
      Google:
        tokens:
          client_id: your_client_id
          client_secret: your_client_secret
      Twitter:
        tokens:
          consumer_key: your_consumer_token
          consumer_secret: your_consumer_secret

[*] default value, may be omitted.

AUTHOR

Menno Blom <blom@cpan.org>

COPYRIGHT

Copyright 2014- Menno Blom

LICENSE

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.