[catagits/Catalyst-Plugin-Authentication.git] / lib / Catalyst / Plugin / Authentication / Credential / Password.pm

package Catalyst::Plugin::Authentication::Credential::Password;

use strict;
use warnings;

use base qw/Class::Accessor::Fast/;

use Scalar::Util        ();
use Catalyst::Exception ();
use Digest              ();

BEGIN {
    __PACKAGE__->mk_accessors(qw/_config realm/);
}

sub new {
    my ($class, $config, $app, $realm) = @_;
    
    my $self = { _config => $config };
    bless $self, $class;
    
    $self->realm($realm);
    
    $self->_config->{'password_field'} ||= 'password';
    $self->_config->{'password_type'}  ||= 'clear';
    $self->_config->{'password_hash_type'} ||= 'SHA-1';
    
    my $passwordtype = $self->_config->{'password_type'};
    if (!grep /$passwordtype/, ('none', 'clear', 'hashed', 'salted_hash', 'crypted', 'self_check')) {
        Catalyst::Exception->throw(__PACKAGE__ . " used with unsupported password type: " . $self->_config->{'password_type'});
    }
    return $self;
}

sub authenticate {
    my ( $self, $c, $realm, $authinfo ) = @_;

    ## because passwords may be in a hashed format, we have to make sure that we remove the 
    ## password_field before we pass it to the user routine, as some auth modules use 
    ## all data passed to them to find a matching user... 
    my $userfindauthinfo = {%{$authinfo}};
    delete($userfindauthinfo->{$self->_config->{'password_field'}});
    
    my $user_obj = $realm->find_user($userfindauthinfo, $c);
    if (ref($user_obj)) {
        if ($self->check_password($user_obj, $authinfo)) {
            return $user_obj;
        }
    } else {
        $c->log->debug("Unable to locate user matching user info provided");
        return;
    }
}

sub check_password {
    my ( $self, $user, $authinfo ) = @_;
    
    if ($self->_config->{'password_type'} eq 'self_check') {
        return $user->check_password($authinfo->{$self->_config->{'password_field'}});
    } else {
        my $password = $authinfo->{$self->_config->{'password_field'}};
        my $storedpassword = $user->get($self->_config->{'password_field'});
        
        if ($self->_config->{'password_type'} eq 'none') {
            return 1;
        } elsif ($self->_config->{'password_type'} eq 'clear') {
            return $password eq $storedpassword;
        } elsif ($self->_config->{'password_type'} eq 'crypted') {            
            return $storedpassword eq crypt( $password, $storedpassword );
        } elsif ($self->_config->{'password_type'} eq 'salted_hash') {
            require Crypt::SaltedHash;
            my $salt_len = $self->_config->{'password_salt_len'} ? $self->_config->{'password_salt_len'} : 0;
            return Crypt::SaltedHash->validate( $storedpassword, $password,
                $salt_len );
        } elsif ($self->_config->{'password_type'} eq 'hashed') {

             my $d = Digest->new( $self->_config->{'password_hash_type'} );
             $d->add( $self->_config->{'password_pre_salt'} || '' );
             $d->add($password);
             $d->add( $self->_config->{'password_post_salt'} || '' );

             my $computed    = $d->clone()->digest;
             my $b64computed = $d->clone()->b64digest;
             return ( ( $computed eq $storedpassword )
                   || ( unpack( "H*", $computed ) eq $storedpassword )
                   || ( $b64computed eq $storedpassword)
                   || ( $b64computed.'=' eq $storedpassword) );
        }
    }
}

## BACKWARDS COMPATIBILITY - all subs below here are deprecated 
## They are here for compatibility with older modules that use / inherit from C::P::A::Password 
## login()'s existance relies rather heavily on the fact that only Credential::Password
## is being used as a credential.  This may not be the case.  This is only here 
## for backward compatibility.  It will go away in a future version
## login should not be used in new applications.

sub login {
    my ( $c, $user, $password, @rest ) = @_;
    
    unless (
        defined($user)
            or
        $user = $c->request->param("login")
             || $c->request->param("user")
             || $c->request->param("username")
    ) {
        $c->log->debug(
            "Can't login a user without a user object or user ID param")
              if $c->debug;
        return;
    }

    unless (
        defined($password)
            or
        $password = $c->request->param("password")
                 || $c->request->param("passwd")
                 || $c->request->param("pass")
    ) {
        $c->log->debug("Can't login a user without a password")
          if $c->debug;
        return;
    }
    
    unless ( Scalar::Util::blessed($user)
        and $user->isa("Catalyst::Plugin::Authentication::User") )
    {
        if ( my $user_obj = $c->get_user( $user, $password, @rest ) ) {
            $user = $user_obj;
        }
        else {
            $c->log->debug("User '$user' doesn't exist in the default store")
              if $c->debug;
            return;
        }
    }

    if ( $c->_check_password( $user, $password ) ) {
        $c->set_authenticated($user);
        $c->log->debug("Successfully authenticated user '$user'.")
          if $c->debug;
        return 1;
    }
    else {
        $c->log->debug(
            "Failed to authenticate user '$user'. Reason: 'Incorrect password'")
          if $c->debug;
        return;
    }
    
}

## also deprecated.  Here for compatibility with older credentials which do not inherit from C::P::A::Password
sub _check_password {
    my ( $c, $user, $password ) = @_;
    
    if ( $user->supports(qw/password clear/) ) {
        return $user->password eq $password;
    }
    elsif ( $user->supports(qw/password crypted/) ) {
        my $crypted = $user->crypted_password;
        return $crypted eq crypt( $password, $crypted );
    }
    elsif ( $user->supports(qw/password hashed/) ) {

        my $d = Digest->new( $user->hash_algorithm );
        $d->add( $user->password_pre_salt || '' );
        $d->add($password);
        $d->add( $user->password_post_salt || '' );

        my $stored      = $user->hashed_password;
        my $computed    = $d->clone()->digest;
        my $b64computed = $d->clone()->b64digest;

        return ( ( $computed eq $stored )
              || ( unpack( "H*", $computed ) eq $stored )
              || ( $b64computed eq $stored)
              || ( $b64computed.'=' eq $stored) );
    }
    elsif ( $user->supports(qw/password salted_hash/) ) {
        require Crypt::SaltedHash;

        my $salt_len =
          $user->can("password_salt_len") ? $user->password_salt_len : 0;

        return Crypt::SaltedHash->validate( $user->hashed_password, $password,
            $salt_len );
    }
    elsif ( $user->supports(qw/password self_check/) ) {

        # while somewhat silly, this is to prevent code duplication
        return $user->check_password($password);

    }
    else {
        Catalyst::Exception->throw(
                "The user object $user does not support any "
              . "known password authentication mechanism." );
    }
}

__PACKAGE__;

__END__

=pod

=head1 NAME

Catalyst::Plugin::Authentication::Credential::Password - Authenticate a user
with a password.

=head1 SYNOPSIS

    use Catalyst qw/
      Authentication
      /;

    package MyApp::Controller::Auth;

    sub login : Local {
        my ( $self, $c ) = @_;

        $c->authenticate( { username => $c->req->param('username'),
                            password => $c->req->param('password') });
    }

=head1 DESCRIPTION

This authentication credential checker takes authentication information
(most often a username) and a password, and attempts to validate the password
provided against the user retrieved from the store.

=head1 CONFIGURATION

    # example
    __PACKAGE__->config->{authentication} = 
                {  
                    default_realm => 'members',
                    realms => {
                        members => {
                            
                            credential => {
                                class => 'Password',
                                password_field => 'password',
                                password_type => 'hashed',
                                password_hash_type => 'SHA-1'                                
                            },    
                            ...


The password module is capable of working with several different password
encryption/hashing algorithms. The one the module uses is determined by the
credential configuration.

Those who have used L<Catalyst::Plugin::Authentication> prior to the 0.10 release
should note that the password field and type information is no longer part
of the store configuration and is now part of the Password credential configuration.

=over 4 

=item class 

The classname used for Credential. This is part of
L<Catalyst::Plugin::Authentication> and is the method by which
Catalyst::Plugin::Authentication::Credential::Password is loaded as the
credential validator. For this module to be used, this must be set to
'Password'.

=item password_field

The field in the user object that contains the password. This will vary
depending on the storage class used, but is most likely something like
'password'. In fact, this is so common that if this is left out of the config,
it defaults to 'password'. This field is obtained from the user object using
the get() method. Essentially: $user->get('passwordfieldname');

=item password_type 

This sets the password type.  Often passwords are stored in crypted or hashed
formats.  In order for the password module to verify the plaintext password 
passed in, it must be told what format the password will be in when it is retreived
from the user object. The supported options are:

=over 8

=item none

No password check is done. An attempt is made to retrieve the user based on
the information provided in the $c->authenticate() call. If a user is found, 
authentication is considered to be successful.

=item clear

The password in user is in clear text and will be compared directly.

=item self_check

This option indicates that the password should be passed to the check_password()
routine on the user object returned from the store.  

=item crypted

The password in user is in UNIX crypt hashed format.  

=item salted_hash

The password in user is in salted hash format, and will be validated
using L<Crypt::SaltedHash>.  If this password type is selected, you should
also provide the B<password_salt_len> config element to define the salt length.

=item hashed

If the user object supports hashed passwords, they will be used in conjunction
with L<Digest>. The following config elements affect the hashed configuration:

=over 8

=item password_hash_type 

The hash type used, passed directly to L<Digest/new>.  

=item password_pre_salt 

Any pre-salt data to be passed to L<Digest/add> before processing the password.

=item password_post_salt

Any post-salt data to be passed to L<Digest/add> after processing the password.

=back

=back

=back

=head1 USAGE

The Password credential module is very simple to use. Once configured as
indicated above, authenticating using this module is simply a matter of
calling $c->authenticate() with an authinfo hashref that includes the
B<password> element. The password element should contain the password supplied
by the user to be authenticated, in clear text. The other information supplied
in the auth hash is ignored by the Password module, and simply passed to the
auth store to be used to retrieve the user. An example call follows:

    if ($c->authenticate({ username => $username,
                           password => $password} )) {
        # authentication successful
    } else {
        # authentication failed
    }

=head1 METHODS

There are no publicly exported routines in the Password module (or indeed in
most credential modules.)  However, below is a description of the routines 
required by L<Catalyst::Plugin::Authentication> for all credential modules.

=head2 new( $config, $app )

Instantiate a new Password object using the configuration hash provided in
$config. A reference to the application is provided as the second argument.
Note to credential module authors: new() is called during the application's
plugin setup phase, which is before the application specific controllers are
loaded. The practical upshot of this is that things like $c->model(...) will
not function as expected.

=head2 authenticate( $authinfo, $c )

Try to log a user in, receives a hashref containing authentication information
as the first argument, and the current context as the second.

=cut
Commit	Line	Data
a90296d4	1	package Catalyst::Plugin::Authentication::Credential::Password;
	2
	3	use strict;
	4	use warnings;
	5
5afc0dde	6	use base qw/Class::Accessor::Fast/;
5afc0dde	7
a90296d4	8	use Scalar::Util ();
	9	use Catalyst::Exception ();
	10	use Digest ();
	11
45c7644b	12	BEGIN {
646ea5b1	13	__PACKAGE__->mk_accessors(qw/_config realm/);
45c7644b	14	}
45c7644b	15
54c8dc06	16	sub new {
646ea5b1	17	my ($class, $config, $app, $realm) = @_;
54c8dc06	18
45c7644b	19	my $self = { _config => $config };
	20	bless $self, $class;
	21
646ea5b1	22	$self->realm($realm);
646ea5b1	23
45c7644b	24	$self->_config->{'password_field'} \|\|= 'password';
	25	$self->_config->{'password_type'} \|\|= 'clear';
	26	$self->_config->{'password_hash_type'} \|\|= 'SHA-1';
54c8dc06	27
45c7644b	28	my $passwordtype = $self->_config->{'password_type'};
52eebd31	29	if (!grep /$passwordtype/, ('none', 'clear', 'hashed', 'salted_hash', 'crypted', 'self_check')) {
45c7644b	30	Catalyst::Exception->throw(__PACKAGE__ . " used with unsupported password type: " . $self->_config->{'password_type'});
54c8dc06	31	}
45c7644b	32	return $self;
54c8dc06	33	}
	34
	35	sub authenticate {
646ea5b1	36	my ( $self, $c, $realm, $authinfo ) = @_;
54c8dc06	37
45c7644b	38	## because passwords may be in a hashed format, we have to make sure that we remove the
	39	## password_field before we pass it to the user routine, as some auth modules use
	40	## all data passed to them to find a matching user...
	41	my $userfindauthinfo = {%{$authinfo}};
	42	delete($userfindauthinfo->{$self->_config->{'password_field'}});
	43
646ea5b1	44	my $user_obj = $realm->find_user($userfindauthinfo, $c);
649de93b	45	if (ref($user_obj)) {
54c8dc06	46	if ($self->check_password($user_obj, $authinfo)) {
54c8dc06	47	return $user_obj;
a93f1197	48	}
54c8dc06	49	} else {
	50	$c->log->debug("Unable to locate user matching user info provided");
	51	return;
	52	}
	53	}
a93f1197	54
54c8dc06	55	sub check_password {
	56	my ( $self, $user, $authinfo ) = @_;
	57
45c7644b	58	if ($self->_config->{'password_type'} eq 'self_check') {
45c7644b	59	return $user->check_password($authinfo->{$self->_config->{'password_field'}});
54c8dc06	60	} else {
45c7644b	61	my $password = $authinfo->{$self->_config->{'password_field'}};
45c7644b	62	my $storedpassword = $user->get($self->_config->{'password_field'});
54c8dc06	63
17185597	64	if ($self->_config->{'password_type'} eq 'none') {
	65	return 1;
	66	} elsif ($self->_config->{'password_type'} eq 'clear') {
54c8dc06	67	return $password eq $storedpassword;
17185597	68	} elsif ($self->_config->{'password_type'} eq 'crypted') {
54c8dc06	69	return $storedpassword eq crypt( $password, $storedpassword );
45c7644b	70	} elsif ($self->_config->{'password_type'} eq 'salted_hash') {
54c8dc06	71	require Crypt::SaltedHash;
45c7644b	72	my $salt_len = $self->_config->{'password_salt_len'} ? $self->_config->{'password_salt_len'} : 0;
54c8dc06	73	return Crypt::SaltedHash->validate( $storedpassword, $password,
54c8dc06	74	$salt_len );
45c7644b	75	} elsif ($self->_config->{'password_type'} eq 'hashed') {
54c8dc06	76
45c7644b	77	my $d = Digest->new( $self->_config->{'password_hash_type'} );
45c7644b	78	$d->add( $self->_config->{'password_pre_salt'} \|\| '' );
54c8dc06	79	$d->add($password);
45c7644b	80	$d->add( $self->_config->{'password_post_salt'} \|\| '' );
54c8dc06	81
	82	my $computed = $d->clone()->digest;
	83	my $b64computed = $d->clone()->b64digest;
	84	return ( ( $computed eq $storedpassword )
	85	\|\| ( unpack( "H*", $computed ) eq $storedpassword )
	86	\|\| ( $b64computed eq $storedpassword)
	87	\|\| ( $b64computed.'=' eq $storedpassword) );
a93f1197	88	}
a90296d4	89	}
54c8dc06	90	}
	91
	92	## BACKWARDS COMPATIBILITY - all subs below here are deprecated
	93	## They are here for compatibility with older modules that use / inherit from C::P::A::Password
c5fbff80	94	## login()'s existance relies rather heavily on the fact that only Credential::Password
54c8dc06	95	## is being used as a credential. This may not be the case. This is only here
	96	## for backward compatibility. It will go away in a future version
	97	## login should not be used in new applications.
a90296d4	98
54c8dc06	99	sub login {
	100	my ( $c, $user, $password, @rest ) = @_;
	101
	102	unless (
	103	defined($user)
	104	or
	105	$user = $c->request->param("login")
	106	\|\| $c->request->param("user")
	107	\|\| $c->request->param("username")
	108	) {
	109	$c->log->debug(
	110	"Can't login a user without a user object or user ID param")
	111	if $c->debug;
	112	return;
	113	}
	114
	115	unless (
	116	defined($password)
	117	or
	118	$password = $c->request->param("password")
	119	\|\| $c->request->param("passwd")
	120	\|\| $c->request->param("pass")
	121	) {
	122	$c->log->debug("Can't login a user without a password")
	123	if $c->debug;
	124	return;
	125	}
	126
a93f1197	127	unless ( Scalar::Util::blessed($user)
85d1d92d	128	and $user->isa("Catalyst::Plugin::Authentication::User") )
a93f1197	129	{
2f7d8b59	130	if ( my $user_obj = $c->get_user( $user, $password, @rest ) ) {
a93f1197	131	$user = $user_obj;
	132	}
	133	else {
	134	$c->log->debug("User '$user' doesn't exist in the default store")
	135	if $c->debug;
	136	return;
	137	}
	138	}
a90296d4	139
	140	if ( $c->_check_password( $user, $password ) ) {
	141	$c->set_authenticated($user);
a93f1197	142	$c->log->debug("Successfully authenticated user '$user'.")
a93f1197	143	if $c->debug;
a90296d4	144	return 1;
	145	}
	146	else {
a93f1197	147	$c->log->debug(
85d1d92d	148	"Failed to authenticate user '$user'. Reason: 'Incorrect password'")
a93f1197	149	if $c->debug;
a90296d4	150	return;
a90296d4	151	}
54c8dc06	152
a90296d4	153	}
a90296d4	154
54c8dc06	155	## also deprecated. Here for compatibility with older credentials which do not inherit from C::P::A::Password
a90296d4	156	sub _check_password {
a90296d4	157	my ( $c, $user, $password ) = @_;
54c8dc06	158
a90296d4	159	if ( $user->supports(qw/password clear/) ) {
	160	return $user->password eq $password;
	161	}
	162	elsif ( $user->supports(qw/password crypted/) ) {
	163	my $crypted = $user->crypted_password;
	164	return $crypted eq crypt( $password, $crypted );
	165	}
	166	elsif ( $user->supports(qw/password hashed/) ) {
	167
	168	my $d = Digest->new( $user->hash_algorithm );
	169	$d->add( $user->password_pre_salt \|\| '' );
	170	$d->add($password);
	171	$d->add( $user->password_post_salt \|\| '' );
	172
fd5b31a0	173	my $stored = $user->hashed_password;
	174	my $computed = $d->clone()->digest;
	175	my $b64computed = $d->clone()->b64digest;
a90296d4	176
a90296d4	177	return ( ( $computed eq $stored )
fd5b31a0	178	\|\| ( unpack( "H*", $computed ) eq $stored )
	179	\|\| ( $b64computed eq $stored)
	180	\|\| ( $b64computed.'=' eq $stored) );
a90296d4	181	}
	182	elsif ( $user->supports(qw/password salted_hash/) ) {
	183	require Crypt::SaltedHash;
	184
	185	my $salt_len =
	186	$user->can("password_salt_len") ? $user->password_salt_len : 0;
	187
	188	return Crypt::SaltedHash->validate( $user->hashed_password, $password,
	189	$salt_len );
	190	}
	191	elsif ( $user->supports(qw/password self_check/) ) {
	192
	193	# while somewhat silly, this is to prevent code duplication
	194	return $user->check_password($password);
	195
	196	}
	197	else {
	198	Catalyst::Exception->throw(
	199	"The user object $user does not support any "
	200	. "known password authentication mechanism." );
	201	}
	202	}
	203
	204	__PACKAGE__;
	205
	206	__END__
	207
	208	=pod
	209
	210	=head1 NAME
	211
	212	Catalyst::Plugin::Authentication::Credential::Password - Authenticate a user
	213	with a password.
	214
	215	=head1 SYNOPSIS
	216
	217	use Catalyst qw/
	218	Authentication
a90296d4	219	/;
a90296d4	220
8d3ca09c	221	package MyApp::Controller::Auth;
8d3ca09c	222
a90296d4	223	sub login : Local {
	224	my ( $self, $c ) = @_;
	225
89505ffb	226	$c->authenticate( { username => $c->req->param('username'),
89505ffb	227	password => $c->req->param('password') });
a90296d4	228	}
	229
	230	=head1 DESCRIPTION
	231
89505ffb	232	This authentication credential checker takes authentication information
	233	(most often a username) and a password, and attempts to validate the password
	234	provided against the user retrieved from the store.
a90296d4	235
89505ffb	236	=head1 CONFIGURATION
a90296d4	237
89505ffb	238	# example
	239	__PACKAGE__->config->{authentication} =
	240	{
	241	default_realm => 'members',
	242	realms => {
	243	members => {
	244
	245	credential => {
	246	class => 'Password',
	247	password_field => 'password',
	248	password_type => 'hashed',
	249	password_hash_type => 'SHA-1'
	250	},
	251	...
a90296d4	252
a90296d4	253
89505ffb	254	The password module is capable of working with several different password
	255	encryption/hashing algorithms. The one the module uses is determined by the
	256	credential configuration.
a90296d4	257
c5fbff80	258	Those who have used L<Catalyst::Plugin::Authentication> prior to the 0.10 release
	259	should note that the password field and type information is no longer part
	260	of the store configuration and is now part of the Password credential configuration.
	261
89505ffb	262	=over 4
a90296d4	263
89505ffb	264	=item class
a90296d4	265
89505ffb	266	The classname used for Credential. This is part of
	267	L<Catalyst::Plugin::Authentication> and is the method by which
	268	Catalyst::Plugin::Authentication::Credential::Password is loaded as the
	269	credential validator. For this module to be used, this must be set to
	270	'Password'.
a90296d4	271
89505ffb	272	=item password_field
a90296d4	273
89505ffb	274	The field in the user object that contains the password. This will vary
	275	depending on the storage class used, but is most likely something like
	276	'password'. In fact, this is so common that if this is left out of the config,
	277	it defaults to 'password'. This field is obtained from the user object using
	278	the get() method. Essentially: $user->get('passwordfieldname');
a90296d4	279
89505ffb	280	=item password_type
9b09fd1c	281
89505ffb	282	This sets the password type. Often passwords are stored in crypted or hashed
	283	formats. In order for the password module to verify the plaintext password
	284	passed in, it must be told what format the password will be in when it is retreived
	285	from the user object. The supported options are:
9b09fd1c	286
89505ffb	287	=over 8
9b09fd1c	288
17185597	289	=item none
	290
	291	No password check is done. An attempt is made to retrieve the user based on
	292	the information provided in the $c->authenticate() call. If a user is found,
	293	authentication is considered to be successful.
	294
89505ffb	295	=item clear
9b09fd1c	296
89505ffb	297	The password in user is in clear text and will be compared directly.
9b09fd1c	298
89505ffb	299	=item self_check
9b09fd1c	300
89505ffb	301	This option indicates that the password should be passed to the check_password()
89505ffb	302	routine on the user object returned from the store.
9b09fd1c	303
89505ffb	304	=item crypted
a90296d4	305
89505ffb	306	The password in user is in UNIX crypt hashed format.
a90296d4	307
89505ffb	308	=item salted_hash
a90296d4	309
89505ffb	310	The password in user is in salted hash format, and will be validated
	311	using L<Crypt::SaltedHash>. If this password type is selected, you should
	312	also provide the B<password_salt_len> config element to define the salt length.
a90296d4	313
89505ffb	314	=item hashed
a90296d4	315
89505ffb	316	If the user object supports hashed passwords, they will be used in conjunction
89505ffb	317	with L<Digest>. The following config elements affect the hashed configuration:
a90296d4	318
89505ffb	319	=over 8
a90296d4	320
89505ffb	321	=item password_hash_type
a90296d4	322
89505ffb	323	The hash type used, passed directly to L<Digest/new>.
a90296d4	324
89505ffb	325	=item password_pre_salt
a90296d4	326
89505ffb	327	Any pre-salt data to be passed to L<Digest/add> before processing the password.
a90296d4	328
	329	=item password_post_salt
	330
89505ffb	331	Any post-salt data to be passed to L<Digest/add> after processing the password.
a90296d4	332
	333	=back
	334
89505ffb	335	=back
a90296d4	336
89505ffb	337	=back
a90296d4	338
89505ffb	339	=head1 USAGE
a90296d4	340
c5fbff80	341	The Password credential module is very simple to use. Once configured as
	342	indicated above, authenticating using this module is simply a matter of
	343	calling $c->authenticate() with an authinfo hashref that includes the
	344	B<password> element. The password element should contain the password supplied
	345	by the user to be authenticated, in clear text. The other information supplied
	346	in the auth hash is ignored by the Password module, and simply passed to the
	347	auth store to be used to retrieve the user. An example call follows:
a90296d4	348
89505ffb	349	if ($c->authenticate({ username => $username,
	350	password => $password} )) {
	351	# authentication successful
	352	} else {
	353	# authentication failed
	354	}
a90296d4	355
89505ffb	356	=head1 METHODS
a90296d4	357
89505ffb	358	There are no publicly exported routines in the Password module (or indeed in
	359	most credential modules.) However, below is a description of the routines
	360	required by L<Catalyst::Plugin::Authentication> for all credential modules.
a90296d4	361
5afc0dde	362	=head2 new( $config, $app )
a90296d4	363
89505ffb	364	Instantiate a new Password object using the configuration hash provided in
	365	$config. A reference to the application is provided as the second argument.
	366	Note to credential module authors: new() is called during the application's
	367	plugin setup phase, which is before the application specific controllers are
	368	loaded. The practical upshot of this is that things like $c->model(...) will
	369	not function as expected.
a90296d4	370
5afc0dde	371	=head2 authenticate( $authinfo, $c )
a90296d4	372
89505ffb	373	Try to log a user in, receives a hashref containing authentication information
89505ffb	374	as the first argument, and the current context as the second.
a90296d4	375
5afc0dde	376	=cut