Add more validation, re-center the data setting

lib/TCMS.pm

@@ -203,6 +203,10 @@ sub _app {
         }
     }
 
+	# Set the 'data' in the query that the route specifically overrides, which we are also using for the catpured data
+	# This also means you have to validate both of them via parameters if you set that up.
+    @{$query}{ keys( %{ $routes{$path}{'data'} } ) } = values( %{ $routes{$path}{'data'} } ) if ref $routes{$path}{'data'} eq 'HASH' && %{ $routes{$path}{'data'} };
+
     # Ensure any short-circuit routes can log the request, and return the server-timing headers properly
     $query->{method}   = $method;
     $query->{route}    = $path;
@@ -306,9 +310,6 @@ sub _app {
     $query->{deflate}  = $deflate;
     $query->{user}     = $active_user;
 
-	# Set the 'data' in the query that the route specifically overrides
-    @{$query}{ keys( %{ $routes{$path}{'data'} } ) } = values( %{ $routes{$path}{'data'} } ) if ref $routes{$path}{'data'} eq 'HASH' && %{ $routes{$path}{'data'} };
-
     #Set various things we don't want overridden
     $query->{body}         = '';
     $query->{dnt}          = $env->{HTTP_DNT};

lib/Trog/Routes/JSON.pm

@@ -44,6 +44,9 @@ our %routes = (
         method     => 'GET',
         callback   => \&process_auth_change_request,
         captures   => ['token'],
+        parameters => {
+            token => sub { my $tok = shift; $tok =~ m/[a-f|0-9|-]+/; },
+        },
         noindex    => 1,
         robot_name => '/api/auth_change_request/*',
     },
@@ -111,9 +114,6 @@ sub process_auth_change_request ($query) {
 }
 
 sub requests_per($query) {
-    use Data::Dumper;
-    print Dumper($query);
-
     my $code = Trog::Utils::coerce_array($query->{code});
     return _render(
         200, undef,