# We extract the jwt data, and do not verify it, which is very unsecure of course
# Best to use jwt_verify()
subjwt_extract
{
my$self= shift( @_);
my$token= shift( @_) || return( $self->error( "No json web token was provided to extract its data.") );
return( $self->error( "Token provided ($token) seems malformed. I was expecting 3 chunks of base64 data separated by dots") ) if( $token!~ /^([^\.]+)\.([^\.]+)\.([^\.]+)$/ );
return( $self->error( "JWT validation was requested using rsa keys, but could not find the property \"alg\" set to \"RS256\".") ) if( $header->{alg} !~ /^(RS|PS|ES)\d{3}$/i );
my$kid= $header->{kid};
# Check if kid value is in the rsa keys provided.
foreachmy$ref( @{$keys->{keys}} )
{
if( $ref->{kid} eq $kid)
{
$e= $ref->{e};
$n= $ref->{n};
last;
}
}
return( $self->error( "Unable to find a matching key for the one found in the token header ($kid) against the rsa keys provided.") ) if( !CORE::length( $e) || !CORE::length( $n) );
# Ok, we are very reasonably safe to call Crypt::JWT now
return( $self->error({ code=> 500, message=> "No routes set up to find the appropriate resource."}) ) if( !scalar( keys( %$routes) ) );
return( $self->reply( Apache2::Const::HTTP_NOT_ACCEPTABLE, { error=> "API version requested ($client_api_version) is not supported."} ) ) if( !CORE::exists( $routes->{ $client_api_version} ) );
my$req= $self->request;
my$resp= $self->response;
# Path variables like "/some/path/1234/more/thing/jack" where 1234 and jack are variables
# 2019-11-13: This is set by the caller of route()
# my $vars = $req->variables;
my$vars= {};
my$def_methods= $self->default_methods;
my$http_meth= lc( $req->method // '');
# Until proven otherwise; If it is set at a certain point of the path, and nowhere after, then the path below inherit its value set before like a toll gate
# path part has sub component, so we look for a key _handler in the sub hash
elsif( ref( $subroutes->{ $part} ) eq 'HASH')
{
my$ref= $subroutes->{ $part};
if( !exists( $ref->{_handler} ) &&
!exists( $ref->{_delete} ) &&
!exists( $ref->{_get} ) &&
!exists( $ref->{_head} ) &&
!exists( $ref->{_post} ) &&
!exists( $ref->{_put} ) )
{
return( $self->error({ code=> 500, message=> "Found an entry for path part \"$part\", which is a hash reference, but could not find a key \"_handler\", \"_delete\", \"_get\", \"_head\", \"_post\", or \"_put\" inside it."}) );
return( $self->error({ code=> 500, message=> "Unable to load class \"$cl\": $@"}) ) if( $@ );
# NOTE: 2021-09-05 (Jacques): See above same comment for the same issue, i.e. we only need to use the class name to check if the method exists, otherwise creating an instance of the object would have undesirable consequences under OPTIONS
my$code= $cl->can( $meth);
return( $self->error({ code=> 500, message=> "Class \"$cl\" does not have a method \"$meth\"."}) ) if( !$code);
return( $self->error({ code=> 500, message=> "Found a route for the path part \"${part}\" and HTTP method ${http_meth}, but the handler found is not a code reference."}) );
}
}
return( $check->( $pos+ 1, $ref) );
}
# Not a code or a hash reference, so it has got to be a package name
return( $self->error({ code=> 500, message=> "Unable to load class \"$cl\": ". $self->error }) ) if( !defined( $rc) );
# NOTE: 2021-09-05 (Jacques): This turned out to be a bad idea to check if a method exists in class, because by merely instantiating an object, it would trigger execution of code that is undesirable when running under OPTIONS, which only aims to check sanity and not actually run the query.
# As it turns out $cl->can( $meth ) works just as well.
# my $o = $cl->new(
# apache_request => $self->apache_request,
# debug => $self->debug,
# request => $req,
# response => $resp,
# # Pass the api object here as well
# api => $self,
# ) || return( $self->pass_error( $cl->error ) );
# my $code = $o->can( $meth );
my$code= $cl->can( $meth);
return( $self->error({ code=> 500, message=> "Class \"$cl\" does not have a method \"$meth\"."}) ) if( !$code);
return( $self->error({ code=> 500, message=> "Found an entry for path part \"$part\" ($subroutes->{ $part }), but I do not know what to do with it. If this was supposed to be a package, the syntax needs to be My::Package->my_sub"}) );
}
}
elsif( exists( $subroutes->{_var} ) )
{
my$ref= $subroutes->{_var};
return( $self->error({ code=> 500, message=> "Found a variable, and I was expecting a hash reference, but intsead got '$ref'."}) ) if( ref( $ref) ne 'HASH');
return( $self->error({ code=> 500, message=> "Found a variable, and I was expecting a key _name to be present in the definition hash reference, but could not find one."}) ) if( !exists( $ref->{_name} ) );
if( !exists( $ref->{_handler} ) &&
!exists( $ref->{_delete} ) &&
!exists( $ref->{_get} ) &&
!exists( $ref->{_head} ) &&
!exists( $ref->{_post} ) &&
!exists( $ref->{_put} ) )
{
return( $self->error({ code=> 500, message=> "Found a variable with name \"$ref->{_name}\" and was expecting a key _handler to be present in the definition hash reference, but could not find one."}) );
return( $self->error({ code=> 500, message=> "Unable to load class \"$cl\": $@"}) ) if( $@ );
# NOTE: 2021-09-05 (Jacques): See above same comment for the same issue, i.e. we only need to use the class name to check if the method exists, otherwise creating an instance of the object would have undesirable consequences under OPTIONS
# my $o = $cl->new(
# apache_request => $self->apache_request,
# debug => $self->debug,
# request => $req,
# response => $resp,
# # Pass the api object here as well
# api => $self,
# ) || return( $self->pass_error( $cl->error ) );
# my $code = $o->can( $meth );
my$code= $cl->can( $meth);
return( $self->error({ code=> 500, message=> "Class \"$cl\" does not have a method \"$meth\"."}) ) if( !$code);
return( $self->error({ code=> 500, message=> "Found a scalar \"${handler}\" to handle variable \"$var_name\", but I do not know what to do with it. If this was supposed to be a package, the syntax needs to be My::Package->my_sub"}) );
my$hash= shift( @_) || return( $self->error({ code=> 500, message=> "No route hash reference was provided."}) );
return( $self->error({ code=> 500, message=> "Routes provided ($hash) is not a hash reference."}) ) if( ref( $hash) ne 'HASH');
my$req= $self->request;
my$resp= $self->response;
# Walk through the hash to check everything is ok
# Returns nothing if all is ok, or self returns an error description
my$check;
$check= sub
{
my$this= shift( @_);
foreachmy$k( sort( keys( %$this) ) )
{
my$v= $this->{ $k};
if( ref( $v) eq 'HASH')
{
if( !CORE::exists( $v->{_handler} ) &&
!CORE::exists( $v->{_delete} ) &&
!CORE::exists( $v->{_get} ) &&
!CORE::exists( $v->{_head} ) &&
!CORE::exists( $v->{_post} ) &&
!CORE::exists( $v->{_put} ) )
{
return( "The keyword '_handlers' used is mispelled. It should be '_handler'") if( CORE::exists( $this->{_handlers} ) );
return( "No handler was specified for the end point \"$k\". I was expecting a key \"_handler\", \"_delete\", \"_get\", \"_head\", \"_post\", or \"_put\" to be present.");
}
if( my$err= $check->( $v) )
{
return( $err);
}
}
elsif( $keq '_name')
{
return( "Value provided for _name is empty.") if( !length( $v) );
return( "Value provided for _name is a reference, but I was expecting a scalar.") if( ref( $v) );
}
elsif( ref( $v) eq 'CODE')
{
# We're ok
}
elsif( $v=~ /^([^\:]+)\:{2}[^\:]+/ )
{
try
{
# my $cl = $subroutes->{ $part };
my$cl= $v;
my$meth;
if( $cl=~ /^([^\-]+)\-\>(\S+)$/ )
{
( $cl, $meth) = ( $1, $2 );
}
# require $cl unless( defined( *{"${cl}::"} ) );
my$rc= $self->_load_class( $cl);
return( $self->error({ code=> 500, message=> "Unable to load class \"$cl\": ". $self->error }) ) if( !defined( $rc) );
# 2021-09-06: We do not need to instantiate an object to check if the module 'can' a method, and also this would trigger code which could lead to undesired results, because the instantiated object does not know if this is an actual query and at this stage could be missing authentication tokens to work properly. Yes, I am talking out of experience here :)
#my $o = $cl->new(
# apache_request => $self->apache_request,
# debug => $self->debug,
# request => $req,
# response => $resp,
# # Pass the api object here as well
# api => $self,
# checkonly => 1
#) || return( $self->pass_error( $cl->error ) );
if( defined( $meth) )
{
return( "Class \"$cl\" does not have a method \"$meth\".") if( !$cl->can( $meth) );
$txt= sprintf( "$txt called from %s in package %s in file %s at line %d\n%s\n", $frame2->subroutine, $frame->package, $frame->filename, $frame->line, $trace->as_string );
return( $r->warn( $txt) ) if( $r);
return( CORE::warn( $txt) );
}
subwell_known
{
my$self= shift( @_);
return( Apache2::Const::DECLINED );
}
sub_try
{
my$self= shift( @_);
my$pack= shift( @_) || return( $self->error( "No Apache package name was provided to call method") );
my$meth= shift( @_) || return( $self->error( "No method name was provided to try!") );
my$r= Apache2::RequestUtil->request;
# $r->log_error( "Net::API::REST::_try to call method \"$meth\" in package \"$pack\"." );
try
{
return( $self->$pack->$meth) if( !scalar( @_) );
return( $self->$pack->$meth( @_) );
}
catch( $e)
{
return( $self->error( "An error occurred while trying to call Apache ", ucfirst( $pack), " method \"$meth\": $e") );
my $payload = $self->request->data || return( $self->reply({ code => Apache2::Const::HTTP_BAD_REQUEST, message => "No payload data received from the client." }) );
## Net::API::Stripe object
my $stripe = Net::API::Stripe->new(
# Enable debug to get debug data in http server log
Otherwise, it will send to the client the message as is.
=head2 base_path( path )
If in the Directory directive of the Apache Virtual Host, a C<Net_API_REST_Base> was set, this method will be set with this value.
=head2 compression_threshold( integer )
The number of bytes threshold beyond which, the B<reply> method will gzip compress the data returned to the client.
=head2 decode_base64( data )
Given some data, this will decode it using base64 algorithm. It uses L<APR::Base64::decode> in the background, because L<MIME::Decoder> may have some issue under mod_perl.
=head2 decode_json( data )
This decode from utf8 some data into a perl structure.
If an error occurs, it will return undef and set an exception that can be accessed with the B<error> method.
=head2 decode_uri( $string )
Provided with an uri encoded string, and this uses L<URI::Escape> to return its decoded form.
See also L</encode_uri>
=head2 decode_url( $string )
Given a url-encoded string, this returns the decoded string
This uses L<APR::Request> XS method.
=head2 decode_utf8( data )
Decode some data from ut8 into perl internal utf8 representation.
If an error occurs, it will return undef and set an exception that can be accessed with the B<error> method.
=head2 default_methods( [ qw( GET POST ... ) ] )
This sets or gets the default methods supported by an endpoint.
=head2 encode_base64( data )
Given some data, this will encode it using base64 algorithm. It uses L<APR::Base64::encode> in the background, because L<MIME::Decoder> may have some issue under mod_perl.
=head2 encode_json( hash reference )
Given a hash reference, this will encode it into a json data representation.
However, this will not utf8 encode it, because this is done upon printing the data and returning it to the client.
=head2 encode_uri( $string )
Provided with a string, and this uses L<URI::Escape> to return an uri encoded string.
See also L</decode_uri>
=head2 encode_url( $string )
Given a string, this returns its url-encoded version
This uses L<APR::Request> XS method.
=head2 encode_utf8( data )
This encode in ut8 the data provided and return it.
If an error occurs, it will return undef and set an exception that can be accessed with the B<error> method.
Get the localised version of the string passed as an argument.
This is supposed to be superseded by the package inheriting from L<Net::API::REST>
=head2 handler()
This is the main method called by Apache to handle the response. To make this work, in the Apache configuration, you must set the handler to your package and have your package inherit from L<Net::API::REST>. For example:
PerlResponseHandler MyPackage
When called by Apache, B<handler> will initiate a L<Net::API::REST::Request> object and a L<Net::API::REST::Response>
If the incoming request is an OPTIONS request such as a typical one issued during a javascript Ajax call, it will call the method B<http_options>() which will also set the cors policy by calling B<http_cors>()
Finally, it will try to find a route for the endpoint sought in the incoming query, and construct a L<Net::API::REST::Endpoint> object with the context information of the endpoint, including information such as variables that could exist in the path. For example:
/org/jp/llc/123/directors/42/profile
Here the llc property has an id 123 and the directors property has an id 42. Those two variables are stored in the L<Net::API::REST::Endpoint> object. This object can then be accessed with the method B<endpoint>
Having found a route, B<handler> calls the anonymous subroutine in charge of handling the endpoint.
If no route was found, B<handler> returns a C<400 Bad Request>.
If the endpoint handler returns undef(), B<handler> will return a C<500 Server Error>, otherwise it will pass the return value back to Apache. The return value should be an L<Apache2::Const> return code.
=head2 header_datetime( DateTime object )
Given a C<DateTime> object, this sets it to GMT time zone and set the proper formatter (L<Net::API::REST::DateTime>) so that the stringification is compliant with http headers standard.
=head2 http_cors()
Checks http request context and set the proper CORS http headers.
=head2 http_options()
If the request is an OPTIONS request, this method is called. It will do a C<pre-flight check> and look forward to see if the user has access to the resource sought and sets the response http headers accordingly.
=head2 init_headers( code reference )
If this is set, then L<Net::API::REST::handler> will call it.
=head2 is_allowed
Get or set handlers to check permission for various aspects of the api.
Each handler must return a valid HTTP Status code as an L<Apache2::Cons> value and if the returned code is an error, L<Net::API::REST> will stop right there and return it to Apache. See L<Net::API::REST::Status> for more information.
Currently supported handlers types are:
=over 4
=item I<access>
This is called in L</handler> and before it runs the code associated with the endpoint.
Note that this is equivalent to setting the value of L</supported_methods> to an array reference with values C<GET POST>, but provides you with more granularity and control.
=item I<network>
This is called very early in L</handler> and is designed to check if the user's ip is authorised to access the api.
The handler is called with the remote ip address as a string.
This could be a good opportunity to check for api abuse and throttling.
For example:
$self->is_allowed( network => sub
{
my $ip = shift( @_ );
if( $self->is_banned( $ip ) )
{
return( Apache2::Const::HTTP_FORBIDDEN );
}
elsif( $self->is_throttled( $ip ) )
{
return( Apache2::Const::HTTP_TOO_MANY_REQUESTS );
}
else
{
# returning Apache2::Const::OK would work too although it is not the same value
return( Apache2::Const::HTTP_OK );
}
});
=back
=head2 is_perl_option_enabled()
Checks if perl option is enabled in the Virtual Host and returns a boolean value
=head2 json()
Returns a JSON object.
=head2 jwt_accepted_algo( string )
Get or set the algorithm supported for the JWT tokens.
=head2 jwt_accepted_encoding( string )
Get or set the supported encoding for the JWT tokens.
=head2 jwt_algo( string )
The chosen algorithm to create JWT tokens
=head2 jwt_decode( token )
Given a JWT token, this will decode it and returns a hash reference
=head2 jwt_encode
Provided with an hash reference of parameters, and this will prepare the token data and call L<Net::API::REST::JWT/encode_jwt>
It accepts the following arguments and additional arguments recognised by L<Net::API::REST::JWT> can also be provided and will be passed to L<Net::API::REST::JWT/encode_jwt> directly.
It returns the encrypted token as a string or C<undef> if an error occurred which can be retrieved using the L<Module::Generic/error> method.
=over 4
=item * C<algo>
This will set the I<alg> property in the token.
=item * C<audience>
This will set the I<aud> property in the token payload.
=item * C<encoding>
This will set the I<enc> property in the token payload.
=item * C<encrypt>
If true, this will encrypt the token. When provided this will affect the I<algo>.
For example, when not encrypted, by default the algorithm used is C<HS256>, but when encryption is activated, the algorithm becomes C<PBES2-HS256+A128KW>
=item * C<expires>
This will set the I<exp> property in the token payload.
=item * C<issued_at>
This will set the I<iat> property in the token payload.
=item * C<issuer>
This will set the I<iss> property in the token payload.
=item * C<key>
This will set the I<key> property in the token payload.
=item * C<payload>
The hash data to become the token payload. It can contains discretionary elements.
=item * C<subject>
This will set the I<sub> property in the token payload.
=item * C<ttl>
If provided, this will set the I<exp> property to I<iat> + I<ttl>
=back
=head2 jwt_encoding
=head2 jwt_encrypt
=head2 jwt_extract
=head2 jwt_verify
=head2 jwt_verify_audience
=head2 key
=head2 lang( string )
Set or get the current language
=head2 lang_unix( string )
Given a language, this returns a language code formatted the unix way, ie en-GB would become en_GB
=head2 lang_web( string )
Given a language, this returns a language code formatted the web way, ie en_GB would become en-GB
=head2 log_error( string )
Given a string, this will log the data into the error log.
When log_error is accessed with the L<Apache2::RequestRec> the error gets logged into the Virtual Host log, but when log_error gets accessed via the L<Apache2::ServerUtil> object, the error get logged into the Apache main error log.
=head2 print( list )
print out the list of strings and returns the number of bytes sent.
Given an http code and a message, or just a hash reference, B<reply> will find out if the code provided is an error and format the replied json appropriately like:
The L<Net::API::REST> object will be passed as the first and only argument to the callback routine.
=head2 request()
Returns the L<Net::API::REST::Request> object. This object is set early during the instantiation in the B<handler> method.
=head2 response
Returns the L<Net::API::REST::Response> object. This object is set early during the instantiation in the B<handler> method.
=head2 route( URI object )
Given an uri, this will find the route for the endpoint sought and return and L<Net::API::REST::Endpoint> object.
If nothing found, it will return an empty string.
If there was an error, it will return C<undef> and set an error object that can be retrieved with the inherited L<Module::Generic/error> method. The error object will also contain a C<code> attribute which will represent an http status code.
L</route> is called from L</handler> to get the endpoint object and related handler, then calls the handler after performing a number of operations. See L</handler> for more information.
Otherwise, a L<Net::API::REST::Endpoint> is returned.
=head2 routes( hash reference )
This sets the routes for all the endpoints proposed by the RESTful server
=head2 server()
Returns a L<Apache2::Server> object
=head2 server_version()
Tries hard to find out the version number of the Apache server.
=head2 set_handlers()
=head2 supported_api_versions( array reference )
Get or set the list of supported api versions
=head2 supported_languages( array reference )
Get or set the list of supported language codes, such as fr_FR, en_GB, ja_JP, zh_TW, etc
=head2 supported_methods( array reference )
Get or set the list of supported http methods.
=head2 warn( list )
Given a list of string, this sends a warning.
=head2 well_known()
If the http request is for /.well-know, then we simply decline to process it.
This does not mean it won't get processed, but just that we pass and let Apache handle it directly.
=head2 _try( object type, method name, @_ )
Given an object type, a method name and optional parameters, this attempts to call it.
Apache2 methods are designed to die upon error, whereas our model is based on returning C<undef> and setting an exception with L<Module::Generic::Exception>, because we believe that only the main program should be in control of the flow and decide whether to interrupt abruptly the execution, not some sub routines.
=head1 Net::API::REST::Endpoint methods
=head2 access()
This specifies the level of access: private or restricted
=head2 handler()
Returns the handler found to handle the endpoint
=head2 is_method_allowed()
Returns a boolean on whether the given method is allowed.
=head2 methods()
Returns an array reference of the methods allowed for this endpoint.
=head2 path_info()
Returns a string for this path info, if any.
=head2 supported_content_types
Sets or gets an array of supported content types
=head2 variables()
Returns a hash reference of name => value pairs for the variables found in the endpoint sought by in the http request. For example:
/org/jp/llc/12/directors/23/profile
In this case, llc has an id value of 12 and the director an id value of 23. They will be recorded as variables as instructed by the route map set by the package using L<Net::API::REST>