[catagits/Catalyst-Plugin-Authentication.git] / lib / Catalyst / Authentication / Credential / Password.pm

package Catalyst::Authentication::Credential::Password;

use strict;
use warnings;

use base qw/Class::Accessor::Fast/;

use Scalar::Util        ();
use Catalyst::Exception ();
use Digest              ();

__PACKAGE__->mk_accessors(qw/_config realm/);

sub new {
    my ($class, $config, $app, $realm) = @_;

    # Note _config is horrible back compat hackery!
    my $self = { _config => $config };
    bless $self, $class;
    
    $self->realm($realm);
    
    $self->_config->{'password_field'} ||= 'password';
    $self->_config->{'password_type'}  ||= 'clear';
    $self->_config->{'password_hash_type'} ||= 'SHA-1';
    
    my $passwordtype = $self->_config->{'password_type'};
    if (!grep /$passwordtype/, ('none', 'clear', 'hashed', 'salted_hash', 'crypted', 'self_check')) {
        Catalyst::Exception->throw(__PACKAGE__ . " used with unsupported password type: " . $self->_config->{'password_type'});
    }
    return $self;
}

sub authenticate {
    my ( $self, $c, $realm, $authinfo ) = @_;

    ## because passwords may be in a hashed format, we have to make sure that we remove the 
    ## password_field before we pass it to the user routine, as some auth modules use 
    ## all data passed to them to find a matching user... 
    my $userfindauthinfo = {%{$authinfo}};
    delete($userfindauthinfo->{$self->_config->{'password_field'}});
    
    my $user_obj = $realm->find_user($userfindauthinfo, $c);
    if (ref($user_obj)) {
        if ($self->check_password($user_obj, $authinfo)) {
            return $user_obj;
        }
    } else {
        $c->log->debug("Unable to locate user matching user info provided") if $c->debug;
        return;
    }
}

sub check_password {
    my ( $self, $user, $authinfo ) = @_;
    
    if ($self->_config->{'password_type'} eq 'self_check') {
        return $user->check_password($authinfo->{$self->_config->{'password_field'}});
    } else {
        my $password = $authinfo->{$self->_config->{'password_field'}};
        my $storedpassword = $user->get($self->_config->{'password_field'});
        
        if ($self->_config->{'password_type'} eq 'none') {
            return 1;
        } elsif ($self->_config->{'password_type'} eq 'clear') {
            # FIXME - Should we warn in the $storedpassword undef case, 
            #         as the user probably fluffed the config?
            return unless defined $storedpassword;
            return $password eq $storedpassword;
        } elsif ($self->_config->{'password_type'} eq 'crypted') {            
            return $storedpassword eq crypt( $password, $storedpassword );
        } elsif ($self->_config->{'password_type'} eq 'salted_hash') {
            require Crypt::SaltedHash;
            my $salt_len = $self->_config->{'password_salt_len'} ? $self->_config->{'password_salt_len'} : 0;
            return Crypt::SaltedHash->validate( $storedpassword, $password,
                $salt_len );
        } elsif ($self->_config->{'password_type'} eq 'hashed') {

             my $d = Digest->new( $self->_config->{'password_hash_type'} );
             $d->add( $self->_config->{'password_pre_salt'} || '' );
             $d->add($password);
             $d->add( $self->_config->{'password_post_salt'} || '' );

             my $computed    = $d->clone()->digest;
             my $b64computed = $d->clone()->b64digest;
             return ( ( $computed eq $storedpassword )
                   || ( unpack( "H*", $computed ) eq $storedpassword )
                   || ( $b64computed eq $storedpassword)
                   || ( $b64computed.'=' eq $storedpassword) );
        }
    }
}

__PACKAGE__;

__END__

=pod

=head1 NAME

Catalyst::Authentication::Credential::Password - Authenticate a user
with a password.

=head1 SYNOPSIS

    use Catalyst qw/
      Authentication
      /;

    package MyApp::Controller::Auth;

    sub login : Local {
        my ( $self, $c ) = @_;

        $c->authenticate( { username => $c->req->param('username'),
                            password => $c->req->param('password') });
    }

=head1 DESCRIPTION

This authentication credential checker takes authentication information
(most often a username) and a password, and attempts to validate the password
provided against the user retrieved from the store.

=head1 CONFIGURATION

    # example
    __PACKAGE__->config('Plugin::Authentication' => 
                {  
                    default_realm => 'members',
                    realms => {
                        members => {
                            
                            credential => {
                                class => 'Password',
                                password_field => 'password',
                                password_type => 'hashed',
                                password_hash_type => 'SHA-1'                                
                            },    
                            ...


The password module is capable of working with several different password
encryption/hashing algorithms. The one the module uses is determined by the
credential configuration.

Those who have used L<Catalyst::Plugin::Authentication> prior to the 0.10 release
should note that the password field and type information is no longer part
of the store configuration and is now part of the Password credential configuration.

=over 4 

=item class 

The classname used for Credential. This is part of
L<Catalyst::Plugin::Authentication> and is the method by which
Catalyst::Authentication::Credential::Password is loaded as the
credential validator. For this module to be used, this must be set to
'Password'.

=item password_field

The field in the user object that contains the password. This will vary
depending on the storage class used, but is most likely something like
'password'. In fact, this is so common that if this is left out of the config,
it defaults to 'password'. This field is obtained from the user object using
the get() method. Essentially: $user->get('passwordfieldname'); 
B<NOTE> If the password_field is something other than 'password', you must 
be sure to use that same field name when calling $c->authenticate(). 

=item password_type 

This sets the password type.  Often passwords are stored in crypted or hashed
formats.  In order for the password module to verify the plaintext password 
passed in, it must be told what format the password will be in when it is retreived
from the user object. The supported options are:

=over 8

=item none

No password check is done. An attempt is made to retrieve the user based on
the information provided in the $c->authenticate() call. If a user is found, 
authentication is considered to be successful.

=item clear

The password in user is in clear text and will be compared directly.

=item self_check

This option indicates that the password should be passed to the check_password()
routine on the user object returned from the store.  

=item crypted

The password in user is in UNIX crypt hashed format.  

=item salted_hash

The password in user is in salted hash format, and will be validated
using L<Crypt::SaltedHash>.  If this password type is selected, you should
also provide the B<password_salt_len> config element to define the salt length.

=item hashed

If the user object supports hashed passwords, they will be used in conjunction
with L<Digest>. The following config elements affect the hashed configuration:

=over 8

=item password_hash_type 

The hash type used, passed directly to L<Digest/new>.  

=item password_pre_salt 

Any pre-salt data to be passed to L<Digest/add> before processing the password.

=item password_post_salt

Any post-salt data to be passed to L<Digest/add> after processing the password.

=back

=back

=back

=head1 USAGE

The Password credential module is very simple to use. Once configured as
indicated above, authenticating using this module is simply a matter of
calling $c->authenticate() with an authinfo hashref that includes the
B<password> element. The password element should contain the password supplied
by the user to be authenticated, in clear text. The other information supplied
in the auth hash is ignored by the Password module, and simply passed to the
auth store to be used to retrieve the user. An example call follows:

    if ($c->authenticate({ username => $username,
                           password => $password} )) {
        # authentication successful
    } else {
        # authentication failed
    }

=head1 METHODS

There are no publicly exported routines in the Password module (or indeed in
most credential modules.)  However, below is a description of the routines 
required by L<Catalyst::Plugin::Authentication> for all credential modules.

=head2 new( $config, $app, $realm )

Instantiate a new Password object using the configuration hash provided in
$config. A reference to the application is provided as the second argument.
Note to credential module authors: new() is called during the application's
plugin setup phase, which is before the application specific controllers are
loaded. The practical upshot of this is that things like $c->model(...) will
not function as expected.

=head2 authenticate( $authinfo, $c )

Try to log a user in, receives a hashref containing authentication information
as the first argument, and the current context as the second.

=head2 check_password( )

=cut
Commit	Line	Data
5c5af345	1	package Catalyst::Authentication::Credential::Password;
	2
	3	use strict;
	4	use warnings;
	5
	6	use base qw/Class::Accessor::Fast/;
	7
	8	use Scalar::Util ();
	9	use Catalyst::Exception ();
	10	use Digest ();
	11
6c9482fe	12	__PACKAGE__->mk_accessors(qw/_config realm/);
5c5af345	13
	14	sub new {
	15	my ($class, $config, $app, $realm) = @_;
2c49ad4e	16
2c49ad4e	17	# Note _config is horrible back compat hackery!
106913db	18	my $self = { _config => $config };
5c5af345	19	bless $self, $class;
	20
	21	$self->realm($realm);
	22
106913db	23	$self->_config->{'password_field'} \|\|= 'password';
	24	$self->_config->{'password_type'} \|\|= 'clear';
	25	$self->_config->{'password_hash_type'} \|\|= 'SHA-1';
5c5af345	26
106913db	27	my $passwordtype = $self->_config->{'password_type'};
5c5af345	28	if (!grep /$passwordtype/, ('none', 'clear', 'hashed', 'salted_hash', 'crypted', 'self_check')) {
106913db	29	Catalyst::Exception->throw(__PACKAGE__ . " used with unsupported password type: " . $self->_config->{'password_type'});
5c5af345	30	}
	31	return $self;
	32	}
	33
	34	sub authenticate {
	35	my ( $self, $c, $realm, $authinfo ) = @_;
	36
	37	## because passwords may be in a hashed format, we have to make sure that we remove the
	38	## password_field before we pass it to the user routine, as some auth modules use
	39	## all data passed to them to find a matching user...
	40	my $userfindauthinfo = {%{$authinfo}};
106913db	41	delete($userfindauthinfo->{$self->_config->{'password_field'}});
5c5af345	42
	43	my $user_obj = $realm->find_user($userfindauthinfo, $c);
	44	if (ref($user_obj)) {
	45	if ($self->check_password($user_obj, $authinfo)) {
	46	return $user_obj;
	47	}
	48	} else {
	49	$c->log->debug("Unable to locate user matching user info provided") if $c->debug;
	50	return;
	51	}
	52	}
	53
	54	sub check_password {
	55	my ( $self, $user, $authinfo ) = @_;
	56
106913db	57	if ($self->_config->{'password_type'} eq 'self_check') {
106913db	58	return $user->check_password($authinfo->{$self->_config->{'password_field'}});
5c5af345	59	} else {
106913db	60	my $password = $authinfo->{$self->_config->{'password_field'}};
106913db	61	my $storedpassword = $user->get($self->_config->{'password_field'});
5c5af345	62
106913db	63	if ($self->_config->{'password_type'} eq 'none') {
5c5af345	64	return 1;
106913db	65	} elsif ($self->_config->{'password_type'} eq 'clear') {
1ae2143a	66	# FIXME - Should we warn in the $storedpassword undef case,
	67	# as the user probably fluffed the config?
	68	return unless defined $storedpassword;
5c5af345	69	return $password eq $storedpassword;
106913db	70	} elsif ($self->_config->{'password_type'} eq 'crypted') {
5c5af345	71	return $storedpassword eq crypt( $password, $storedpassword );
106913db	72	} elsif ($self->_config->{'password_type'} eq 'salted_hash') {
5c5af345	73	require Crypt::SaltedHash;
106913db	74	my $salt_len = $self->_config->{'password_salt_len'} ? $self->_config->{'password_salt_len'} : 0;
5c5af345	75	return Crypt::SaltedHash->validate( $storedpassword, $password,
5c5af345	76	$salt_len );
106913db	77	} elsif ($self->_config->{'password_type'} eq 'hashed') {
5c5af345	78
106913db	79	my $d = Digest->new( $self->_config->{'password_hash_type'} );
106913db	80	$d->add( $self->_config->{'password_pre_salt'} \|\| '' );
5c5af345	81	$d->add($password);
106913db	82	$d->add( $self->_config->{'password_post_salt'} \|\| '' );
5c5af345	83
	84	my $computed = $d->clone()->digest;
	85	my $b64computed = $d->clone()->b64digest;
	86	return ( ( $computed eq $storedpassword )
	87	\|\| ( unpack( "H*", $computed ) eq $storedpassword )
	88	\|\| ( $b64computed eq $storedpassword)
	89	\|\| ( $b64computed.'=' eq $storedpassword) );
	90	}
	91	}
	92	}
	93
5c5af345	94	__PACKAGE__;
	95
	96	__END__
	97
	98	=pod
	99
	100	=head1 NAME
	101
	102	Catalyst::Authentication::Credential::Password - Authenticate a user
	103	with a password.
	104
	105	=head1 SYNOPSIS
	106
	107	use Catalyst qw/
	108	Authentication
	109	/;
	110
	111	package MyApp::Controller::Auth;
	112
	113	sub login : Local {
	114	my ( $self, $c ) = @_;
	115
	116	$c->authenticate( { username => $c->req->param('username'),
	117	password => $c->req->param('password') });
	118	}
	119
	120	=head1 DESCRIPTION
	121
	122	This authentication credential checker takes authentication information
	123	(most often a username) and a password, and attempts to validate the password
	124	provided against the user retrieved from the store.
	125
	126	=head1 CONFIGURATION
	127
	128	# example
47074ecb	129	__PACKAGE__->config('Plugin::Authentication' =>
5c5af345	130	{
	131	default_realm => 'members',
	132	realms => {
	133	members => {
	134
	135	credential => {
	136	class => 'Password',
	137	password_field => 'password',
	138	password_type => 'hashed',
	139	password_hash_type => 'SHA-1'
	140	},
	141	...
	142
	143
	144	The password module is capable of working with several different password
	145	encryption/hashing algorithms. The one the module uses is determined by the
	146	credential configuration.
	147
	148	Those who have used L<Catalyst::Plugin::Authentication> prior to the 0.10 release
	149	should note that the password field and type information is no longer part
	150	of the store configuration and is now part of the Password credential configuration.
	151
	152	=over 4
	153
	154	=item class
	155
	156	The classname used for Credential. This is part of
	157	L<Catalyst::Plugin::Authentication> and is the method by which
	158	Catalyst::Authentication::Credential::Password is loaded as the
	159	credential validator. For this module to be used, this must be set to
	160	'Password'.
	161
	162	=item password_field
	163
	164	The field in the user object that contains the password. This will vary
	165	depending on the storage class used, but is most likely something like
	166	'password'. In fact, this is so common that if this is left out of the config,
	167	it defaults to 'password'. This field is obtained from the user object using
8a7bd676	168	the get() method. Essentially: $user->get('passwordfieldname');
	169	B<NOTE> If the password_field is something other than 'password', you must
	170	be sure to use that same field name when calling $c->authenticate().
5c5af345	171
	172	=item password_type
	173
	174	This sets the password type. Often passwords are stored in crypted or hashed
	175	formats. In order for the password module to verify the plaintext password
	176	passed in, it must be told what format the password will be in when it is retreived
	177	from the user object. The supported options are:
	178
	179	=over 8
	180
	181	=item none
	182
	183	No password check is done. An attempt is made to retrieve the user based on
	184	the information provided in the $c->authenticate() call. If a user is found,
	185	authentication is considered to be successful.
	186
	187	=item clear
	188
	189	The password in user is in clear text and will be compared directly.
	190
	191	=item self_check
	192
	193	This option indicates that the password should be passed to the check_password()
	194	routine on the user object returned from the store.
	195
	196	=item crypted
	197
	198	The password in user is in UNIX crypt hashed format.
	199
	200	=item salted_hash
	201
	202	The password in user is in salted hash format, and will be validated
	203	using L<Crypt::SaltedHash>. If this password type is selected, you should
	204	also provide the B<password_salt_len> config element to define the salt length.
	205
	206	=item hashed
	207
	208	If the user object supports hashed passwords, they will be used in conjunction
	209	with L<Digest>. The following config elements affect the hashed configuration:
	210
	211	=over 8
	212
	213	=item password_hash_type
	214
	215	The hash type used, passed directly to L<Digest/new>.
	216
	217	=item password_pre_salt
	218
	219	Any pre-salt data to be passed to L<Digest/add> before processing the password.
	220
	221	=item password_post_salt
	222
	223	Any post-salt data to be passed to L<Digest/add> after processing the password.
	224
	225	=back
	226
	227	=back
	228
	229	=back
	230
	231	=head1 USAGE
	232
	233	The Password credential module is very simple to use. Once configured as
	234	indicated above, authenticating using this module is simply a matter of
235	calling $c->authenticate() with an authinfo hashref that includes the
236	B<password> element. The password element should contain the password supplied
237	by the user to be authenticated, in clear text. The other information supplied
238	in the auth hash is ignored by the Password module, and simply passed to the
239	auth store to be used to retrieve the user. An example call follows:
240
241	if ($c->authenticate({ username => $username,
242	password => $password} )) {
243	# authentication successful
244	} else {
245	# authentication failed
246	}
247
248	=head1 METHODS
249
250	There are no publicly exported routines in the Password module (or indeed in
251	most credential modules.) However, below is a description of the routines
252	required by L<Catalyst::Plugin::Authentication> for all credential modules.
253
8a7bd676	254	=head2 new( $config, $app, $realm )
5c5af345	255
	256	Instantiate a new Password object using the configuration hash provided in
	257	$config. A reference to the application is provided as the second argument.
	258	Note to credential module authors: new() is called during the application's
	259	plugin setup phase, which is before the application specific controllers are
	260	loaded. The practical upshot of this is that things like $c->model(...) will
	261	not function as expected.
	262
	263	=head2 authenticate( $authinfo, $c )
	264
	265	Try to log a user in, receives a hashref containing authentication information
	266	as the first argument, and the current context as the second.
	267
	268	=head2 check_password( )
	269
5c5af345	270	=cut