NAME

PAGI::Middleware::MethodOverride - Override HTTP method from request data

SYNOPSIS

use PAGI::Middleware::Builder;

my $app = builder {
    enable 'MethodOverride',
        param => '_method',
        allowed_methods => [qw(PUT PATCH DELETE)];
    $my_app;
};

DESCRIPTION

PAGI::Middleware::MethodOverride allows overriding the HTTP method using a form field, query parameter, or header. This enables HTML forms (which only support GET and POST) to submit PUT, PATCH, and DELETE requests.

CONFIGURATION

  • param (default: '_method')

    Form field or query parameter name for method override.

  • header (default: 'X-HTTP-Method-Override')

    HTTP header name for method override.

  • allowed_methods (default: [PUT, PATCH, DELETE])

    Methods that a request may be overridden to. GET and POST are not allowed for security reasons.

  • check_header (default: 1)

    Check the X-HTTP-Method-Override header.

  • check_param (default: 1)

    Check the _method query/form parameter.

HOW IT WORKS

When a POST request is received:

1. Check X-HTTP-Method-Override header (if enabled)
2. Check _method query parameter (if enabled)
3. If an override is found and its method is allowed, override scope->{method}
4. The original method is preserved in scope->{original_method}

SECURITY NOTES

  • Only POST requests can be overridden

    GET requests cannot be overridden as they should be safe and idempotent.

  • Only specific methods allowed

    By default only PUT, PATCH, DELETE are allowed. GET and POST are never allowed as override targets.

  • Header takes precedence

    The X-HTTP-Method-Override header is checked before query parameters, as it's harder to inject via CSRF attacks.
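
The rules from HOW IT WORKS and SECURITY NOTES, written out as a stand-alone Perl function with checks. This is an added example, not PAGI's own code: resolve_method, its argument layout (lower-cased header names, a flat params hash), case-insensitive method matching, and the choice that a present but disallowed header value blocks the parameter check are all assumptions.

```perl
use strict;
use warnings;
use Test::More;

# Hypothetical helper, not part of PAGI. Assumes header names arrive
# lower-cased and method names are matched case-insensitively.
sub resolve_method {
    my (%req) = @_;
    my %cfg = (
        param           => '_method',
        header          => 'X-HTTP-Method-Override',
        allowed_methods => [qw(PUT PATCH DELETE)],
        check_header    => 1,
        check_param     => 1,
        %{ $req{config} || {} },
    );
    my $method = uc $req{method};

    # Only POST can be overridden; GET stays safe and idempotent.
    return $method unless $method eq 'POST';

    # The header is consulted before the parameter. Assumption: a header
    # that is present but not allowed does not fall back to the parameter.
    my $candidate;
    $candidate = $req{headers}{ lc $cfg{header} } if $cfg{check_header};
    $candidate = $req{params}{ $cfg{param} }
        if !defined $candidate && $cfg{check_param};
    return $method unless defined $candidate;

    # GET and POST are never override targets, even if configured as allowed.
    my %allowed = map { uc($_) => 1 } @{ $cfg{allowed_methods} };
    delete @allowed{qw(GET POST)};
    my $target = uc $candidate;
    return $allowed{$target} ? $target : $method;
}

# Constructed sample requests.
my $hdr = 'x-http-method-override';
is(resolve_method(method => 'POST', params => { _method => 'DELETE' }), 'DELETE', 'param overrides POST');
is(resolve_method(method => 'GET',  params => { _method => 'DELETE' }), 'GET', 'GET is never overridden');
is(resolve_method(method => 'POST', headers => { $hdr => 'PATCH' }, params => { _method => 'DELETE' }),
    'PATCH', 'header takes precedence over param');
is(resolve_method(method => 'POST', params => { _method => 'TRACE' }), 'POST', 'method outside allowlist ignored');
is(resolve_method(method => 'POST', params => { _method => 'GET' }, config => { allowed_methods => [qw(GET PUT)] }),
    'POST', 'GET rejected as target even when configured');
is(resolve_method(method => 'POST', headers => { $hdr => 'DELETE' }, config => { check_header => 0 }),
    'POST', 'header ignored when check_header is off');
done_testing;
```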

HTML FORM USAGE

<form method="POST" action="/resource/123">
    <input type="hidden" name="_method" value="DELETE">
    <button type="submit">Delete</button>
</form>

AJAX USAGE

fetch('/resource/123', {
    method: 'POST',
    headers: {
        'X-HTTP-Method-Override': 'DELETE'
    }
});

SEE ALSO

PAGI::Middleware - Base class for middleware