Wednesday 9 December 2020

securing Perl web services using token-based authentication and authorization

Hi, today's program is a simple authentication and authorization example using Mojolicious, a lightweight web framework for Perl. The program sets up a login route for users to authenticate with a username and password. If the credentials are correct, the server generates a token by concatenating the server's secret key and the current time. The token is then stored in the session and returned to the user. The token is later used to authorize access to protected routes under '/api'. When a user tries to access the example route, the server checks whether the token stored in the session matches the token generated earlier. If the tokens match, the user is authorized to access the resource, and the server returns the example data in JSON format. If the tokens don't match, the server returns an error message with a 403 Forbidden status code.


When a user submits their username and password via a POST request to the '/api/login' endpoint, the server verifies the credentials. If the credentials are valid, the server generates a token by concatenating the secret key with the current time and sets the token in the user's session. The server then sends a JSON response containing the token.

To access the protected '/api/example' endpoint, the user must present a valid token. The server checks if the token stored in the user's session matches the token generated by concatenating the secret key with the current time. If the tokens match, the user is authorized to access the endpoint and the server sends back a JSON response containing the example data. If the tokens do not match, the server sends back a JSON response with an error status of 403 (Forbidden).

The application is started with the app->start call at the end, and the secret key is set with the app->secrets call.

use Mojolicious::Lite;

# Authentication: issue a token after a successful login
post '/api/login' => sub {
  my $c = shift;
  my $username = $c->param('username');
  my $password = $c->param('password');
  if ($username eq 'user' && $password eq 'pass') {
    # token = application secret concatenated with the current epoch time
    my $token = $c->app->secrets->[0] . time();
    $c->session(token => $token);   # kept in the signed session cookie
    $c->render(json => { token => $token });
  } else {
    $c->render(json => { error => 'Unauthorized' }, status => 401);
  }
};

# Authorization: applies to every route declared below this point
under '/api' => sub {
  my $c = shift;
  my $token = $c->session('token');
  # Recomputes secret . time(), so this only matches when the check runs
  # in the same second the token was issued
  if (!defined $token || $token ne $c->app->secrets->[0] . time()) {
    $c->render(json => { error => 'Forbidden' }, status => 403);
    return;   # a false return stops dispatch at this point
  }
  return 1;   # a true return is required for the request to reach the route
};

# Example API route, protected by the under above
get '/api/example' => sub {
  my $c = shift;
  $c->render(json => { example => 'data' });
};

app->secrets(['secretkey']);
app->start;


The code above uses token-based authentication, where the server generates a token that is sent to the client after successful login. The client then sends the token with every request to authenticate the user.

The post route /api/login checks the username and password sent by the client and generates a token if they are valid. The token is stored in the session and returned to the client as a JSON response.

The under route modifier /api checks the token sent by the client with every request. If the token is not valid (i.e., not equal to the token generated by the server), the server returns a 403 Forbidden error.

Finally, the example API route /api/example returns a simple JSON response.

Note that this code uses the secrets method to set a secret key for the application, which is used to generate and validate the token. The key should be kept secret and not shared with anyone. Thanks.
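As an added example (not the post's own code), here is the same login / under / protected-route flow with the token design hardened for the points a reviewer would raise about the version above: the original token is just the secret plus the current second, so the under check only passes within that second and anyone who learns the secret can mint a token; the under callback has to return a true value for the request to continue; and the client never actually presents the token, since the check reads the session cookie. Below, the token is an HMAC over the username and issue time keyed with the app secret (Mojo::Util's hmac_sha1_sum), verified with constant-time secure_compare, expires after an assumed TOKEN_TTL, and is presented by the client in an Authorization: Bearer header. The 'user'/'pass' credentials and the APP_SECRET environment variable are assumptions for the demo.

```perl
use Mojolicious::Lite;
use Mojo::Util qw(hmac_sha1_sum secure_compare);

# Assumed lifetime of an issued token, in seconds
use constant TOKEN_TTL => 900;

# Token layout (hypothetical, chosen for this example): user:issued:mac
# The MAC is keyed with the app secret, so the server can re-derive it on
# every request without storing anything server-side.
sub make_token {
  my ($c, $user, $issued) = @_;
  my $mac = hmac_sha1_sum("$user:$issued", $c->app->secrets->[0]);
  return "$user:$issued:$mac";
}

# Returns the username on success, undef on any failure
sub verify_token {
  my ($c, $token) = @_;
  return undef unless defined $token;
  my ($user, $issued, $mac) = split /:/, $token, 3;
  return undef unless defined $mac && $issued =~ /^\d+$/;
  my $expected = hmac_sha1_sum("$user:$issued", $c->app->secrets->[0]);
  return undef unless secure_compare($mac, $expected);  # constant-time compare
  return undef if time() - $issued > TOKEN_TTL;         # expired
  return $user;
}

# Authentication: declared before the under, so it is not gated by it
post '/api/login' => sub {
  my $c = shift;
  my $username = $c->param('username') // '';
  my $password = $c->param('password') // '';
  # Constructed demo credentials; a real application compares a password hash
  unless ($username =~ /^\w+$/ && $username eq 'user'
          && secure_compare($password, 'pass')) {
    return $c->render(json => { error => 'Unauthorized' }, status => 401);
  }
  my $token = make_token($c, $username, time());
  $c->render(json => { token => $token });
};

# Authorization: the client presents the token as "Authorization: Bearer <token>"
under '/api' => sub {
  my $c = shift;
  my $auth = $c->req->headers->authorization // '';
  my ($token) = $auth =~ /^Bearer\s+(\S+)$/;
  my $user = verify_token($c, $token);
  unless (defined $user) {
    $c->render(json => { error => 'Forbidden' }, status => 403);
    return undef;   # false: stop dispatch here
  }
  $c->stash(user => $user);
  return 1;         # true: continue to the protected route
};

get '/api/example' => sub {
  my $c = shift;
  $c->render(json => { example => 'data', user => $c->stash('user') });
};

# Secret comes from the environment rather than being hard-coded in the source
app->secrets([ $ENV{APP_SECRET} // die "set APP_SECRET\n" ]);
app->start;
```

Run it with APP_SECRET=... perl app.pl daemon, obtain a token with a POST to /api/login (username=user, password=pass), and then call /api/example with the token in the Authorization header; a token older than TOKEN_TTL or with a tampered MAC is rejected with 403.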

