[catagits/Catalyst-Plugin-Authentication.git] / lib / Catalyst / Plugin / Authentication / Credential / Password.pm

package Catalyst::Plugin::Authentication::Credential::Password;
use base qw/Class::Accessor::Fast/;

use strict;
use warnings;

use Scalar::Util        ();
use Catalyst::Exception ();
use Digest              ();

BEGIN {
    __PACKAGE__->mk_accessors(qw/_config/);
}

sub new {
    my ($class, $config, $app) = @_;
    
    my $self = { _config => $config };
    bless $self, $class;
    
    $self->_config->{'password_field'} ||= 'password';
    $self->_config->{'password_type'}  ||= 'clear';
    $self->_config->{'password_hash_type'} ||= 'SHA-1';
    
    my $passwordtype = $self->_config->{'password_type'};
    if (!grep /$passwordtype/, ('none', 'clear', 'hashed', 'salted_hash', 'crypted', 'self_check')) {
        Catalyst::Exception->throw(__PACKAGE__ . " used with unsupported password type: " . $self->_config->{'password_type'});
    }
    return $self;
}

sub authenticate {
    my ( $self, $c, $authstore, $authinfo ) = @_;

    ## because passwords may be in a hashed format, we have to make sure that we remove the 
    ## password_field before we pass it to the user routine, as some auth modules use 
    ## all data passed to them to find a matching user... 
    my $userfindauthinfo = {%{$authinfo}};
    delete($userfindauthinfo->{$self->_config->{'password_field'}});
    
    my $user_obj = $authstore->find_user($userfindauthinfo, $c);
    if (ref($user_obj)) {
        if ($self->check_password($user_obj, $authinfo)) {
            return $user_obj;
        }
    } else {
        $c->log->debug("Unable to locate user matching user info provided");
        return;
    }
}

sub check_password {
    my ( $self, $user, $authinfo ) = @_;
    
    if ($self->_config->{'password_type'} eq 'self_check') {
        return $user->check_password($authinfo->{$self->_config->{'password_field'}});
    } else {
        my $password = $authinfo->{$self->_config->{'password_field'}};
        my $storedpassword = $user->get($self->_config->{'password_field'});
        
        if ($self->_config->{'password_type'} eq 'none') {
            return 1;
        } elsif ($self->_config->{'password_type'} eq 'clear') {
            return $password eq $storedpassword;
        } elsif ($self->_config->{'password_type'} eq 'crypted') {            
            return $storedpassword eq crypt( $password, $storedpassword );
        } elsif ($self->_config->{'password_type'} eq 'salted_hash') {
            require Crypt::SaltedHash;
            my $salt_len = $self->_config->{'password_salt_len'} ? $self->_config->{'password_salt_len'} : 0;
            return Crypt::SaltedHash->validate( $storedpassword, $password,
                $salt_len );
        } elsif ($self->_config->{'password_type'} eq 'hashed') {

             my $d = Digest->new( $self->_config->{'password_hash_type'} );
             $d->add( $self->_config->{'password_pre_salt'} || '' );
             $d->add($password);
             $d->add( $self->_config->{'password_post_salt'} || '' );

             my $computed    = $d->clone()->digest;
             my $b64computed = $d->clone()->b64digest;
             return ( ( $computed eq $storedpassword )
                   || ( unpack( "H*", $computed ) eq $storedpassword )
                   || ( $b64computed eq $storedpassword)
                   || ( $b64computed.'=' eq $storedpassword) );
        }
    }
}

## BACKWARDS COMPATIBILITY - all subs below here are deprecated 
## They are here for compatibility with older modules that use / inherit from C::P::A::Password 
## login()'s existance relies rather heavily on the fact that only Credential::Password
## is being used as a credential.  This may not be the case.  This is only here 
## for backward compatibility.  It will go away in a future version
## login should not be used in new applications.

sub login {
    my ( $c, $user, $password, @rest ) = @_;
    
    unless (
        defined($user)
            or
        $user = $c->request->param("login")
             || $c->request->param("user")
             || $c->request->param("username")
    ) {
        $c->log->debug(
            "Can't login a user without a user object or user ID param")
              if $c->debug;
        return;
    }

    unless (
        defined($password)
            or
        $password = $c->request->param("password")
                 || $c->request->param("passwd")
                 || $c->request->param("pass")
    ) {
        $c->log->debug("Can't login a user without a password")
          if $c->debug;
        return;
    }
    
    unless ( Scalar::Util::blessed($user)
        and $user->isa("Catalyst::Plugin::Authentication::User") )
    {
        if ( my $user_obj = $c->get_user( $user, $password, @rest ) ) {
            $user = $user_obj;
        }
        else {
            $c->log->debug("User '$user' doesn't exist in the default store")
              if $c->debug;
            return;
        }
    }

    if ( $c->_check_password( $user, $password ) ) {
        $c->set_authenticated($user);
        $c->log->debug("Successfully authenticated user '$user'.")
          if $c->debug;
        return 1;
    }
    else {
        $c->log->debug(
            "Failed to authenticate user '$user'. Reason: 'Incorrect password'")
          if $c->debug;
        return;
    }
    
}

## also deprecated.  Here for compatibility with older credentials which do not inherit from C::P::A::Password
sub _check_password {
    my ( $c, $user, $password ) = @_;
    
    if ( $user->supports(qw/password clear/) ) {
        return $user->password eq $password;
    }
    elsif ( $user->supports(qw/password crypted/) ) {
        my $crypted = $user->crypted_password;
        return $crypted eq crypt( $password, $crypted );
    }
    elsif ( $user->supports(qw/password hashed/) ) {

        my $d = Digest->new( $user->hash_algorithm );
        $d->add( $user->password_pre_salt || '' );
        $d->add($password);
        $d->add( $user->password_post_salt || '' );

        my $stored      = $user->hashed_password;
        my $computed    = $d->clone()->digest;
        my $b64computed = $d->clone()->b64digest;

        return ( ( $computed eq $stored )
              || ( unpack( "H*", $computed ) eq $stored )
              || ( $b64computed eq $stored)
              || ( $b64computed.'=' eq $stored) );
    }
    elsif ( $user->supports(qw/password salted_hash/) ) {
        require Crypt::SaltedHash;

        my $salt_len =
          $user->can("password_salt_len") ? $user->password_salt_len : 0;

        return Crypt::SaltedHash->validate( $user->hashed_password, $password,
            $salt_len );
    }
    elsif ( $user->supports(qw/password self_check/) ) {

        # while somewhat silly, this is to prevent code duplication
        return $user->check_password($password);

    }
    else {
        Catalyst::Exception->throw(
                "The user object $user does not support any "
              . "known password authentication mechanism." );
    }
}

__PACKAGE__;

__END__

=pod

=head1 NAME

Catalyst::Plugin::Authentication::Credential::Password - Authenticate a user
with a password.

=head1 SYNOPSIS

    use Catalyst qw/
      Authentication
      /;

    package MyApp::Controller::Auth;

    sub login : Local {
        my ( $self, $c ) = @_;

        $c->authenticate( { username => $c->req->param('username'),
                            password => $c->req->param('password') });
    }

=head1 DESCRIPTION

This authentication credential checker takes authentication information
(most often a username) and a password, and attempts to validate the password
provided against the user retrieved from the store.

=head1 CONFIGURATION

    # example
    __PACKAGE__->config->{authentication} = 
                {  
                    default_realm => 'members',
                    realms => {
                        members => {
                            
                            credential => {
                                class => 'Password',
                                password_field => 'password',
                                password_type => 'hashed',
                                password_hash_type => 'SHA-1'                                
                            },    
                            ...


The password module is capable of working with several different password
encryption/hashing algorithms. The one the module uses is determined by the
credential configuration.

Those who have used L<Catalyst::Plugin::Authentication> prior to the 0.10 release
should note that the password field and type information is no longer part
of the store configuration and is now part of the Password credential configuration.

=over 4 

=item class 

The classname used for Credential. This is part of
L<Catalyst::Plugin::Authentication> and is the method by which
Catalyst::Plugin::Authentication::Credential::Password is loaded as the
credential validator. For this module to be used, this must be set to
'Password'.

=item password_field

The field in the user object that contains the password. This will vary
depending on the storage class used, but is most likely something like
'password'. In fact, this is so common that if this is left out of the config,
it defaults to 'password'. This field is obtained from the user object using
the get() method. Essentially: $user->get('passwordfieldname');

=item password_type 

This sets the password type.  Often passwords are stored in crypted or hashed
formats.  In order for the password module to verify the plaintext password 
passed in, it must be told what format the password will be in when it is retreived
from the user object. The supported options are:

=over 8

=item none

No password check is done. An attempt is made to retrieve the user based on
the information provided in the $c->authenticate() call. If a user is found, 
authentication is considered to be successful.

=item clear

The password in user is in clear text and will be compared directly.

=item self_check

This option indicates that the password should be passed to the check_password()
routine on the user object returned from the store.  

=item crypted

The password in user is in UNIX crypt hashed format.  

=item salted_hash

The password in user is in salted hash format, and will be validated
using L<Crypt::SaltedHash>.  If this password type is selected, you should
also provide the B<password_salt_len> config element to define the salt length.

=item hashed

If the user object supports hashed passwords, they will be used in conjunction
with L<Digest>. The following config elements affect the hashed configuration:

=over 8

=item password_hash_type 

The hash type used, passed directly to L<Digest/new>.  

=item password_pre_salt 

Any pre-salt data to be passed to L<Digest/add> before processing the password.

=item password_post_salt

Any post-salt data to be passed to L<Digest/add> after processing the password.

=back

=back

=back

=head1 USAGE

The Password credential module is very simple to use. Once configured as
indicated above, authenticating using this module is simply a matter of
calling $c->authenticate() with an authinfo hashref that includes the
B<password> element. The password element should contain the password supplied
by the user to be authenticated, in clear text. The other information supplied
in the auth hash is ignored by the Password module, and simply passed to the
auth store to be used to retrieve the user. An example call follows:

    if ($c->authenticate({ username => $username,
                           password => $password} )) {
        # authentication successful
    } else {
        # authentication failed
    }

=head1 METHODS

There are no publicly exported routines in the Password module (or indeed in
most credential modules.)  However, below is a description of the routines 
required by L<Catalyst::Plugin::Authentication> for all credential modules.

=over 4

=item new ( $config, $app )

Instantiate a new Password object using the configuration hash provided in
$config. A reference to the application is provided as the second argument.
Note to credential module authors: new() is called during the application's
plugin setup phase, which is before the application specific controllers are
loaded. The practical upshot of this is that things like $c->model(...) will
not function as expected.

=item authenticate ( $authinfo, $c )

Try to log a user in, receives a hashref containing authentication information
as the first argument, and the current context as the second.

=back
Commit	Line	Data
a90296d4	1	package Catalyst::Plugin::Authentication::Credential::Password;
45c7644b	2	use base qw/Class::Accessor::Fast/;
a90296d4	3
	4	use strict;
	5	use warnings;
	6
	7	use Scalar::Util ();
	8	use Catalyst::Exception ();
	9	use Digest ();
	10
45c7644b	11	BEGIN {
	12	__PACKAGE__->mk_accessors(qw/_config/);
	13	}
	14
54c8dc06	15	sub new {
	16	my ($class, $config, $app) = @_;
	17
45c7644b	18	my $self = { _config => $config };
	19	bless $self, $class;
	20
	21	$self->_config->{'password_field'} \|\|= 'password';
	22	$self->_config->{'password_type'} \|\|= 'clear';
	23	$self->_config->{'password_hash_type'} \|\|= 'SHA-1';
54c8dc06	24
45c7644b	25	my $passwordtype = $self->_config->{'password_type'};
52eebd31	26	if (!grep /$passwordtype/, ('none', 'clear', 'hashed', 'salted_hash', 'crypted', 'self_check')) {
45c7644b	27	Catalyst::Exception->throw(__PACKAGE__ . " used with unsupported password type: " . $self->_config->{'password_type'});
54c8dc06	28	}
45c7644b	29	return $self;
54c8dc06	30	}
	31
	32	sub authenticate {
	33	my ( $self, $c, $authstore, $authinfo ) = @_;
	34
45c7644b	35	## because passwords may be in a hashed format, we have to make sure that we remove the
	36	## password_field before we pass it to the user routine, as some auth modules use
	37	## all data passed to them to find a matching user...
	38	my $userfindauthinfo = {%{$authinfo}};
	39	delete($userfindauthinfo->{$self->_config->{'password_field'}});
	40
	41	my $user_obj = $authstore->find_user($userfindauthinfo, $c);
649de93b	42	if (ref($user_obj)) {
54c8dc06	43	if ($self->check_password($user_obj, $authinfo)) {
54c8dc06	44	return $user_obj;
a93f1197	45	}
54c8dc06	46	} else {
	47	$c->log->debug("Unable to locate user matching user info provided");
	48	return;
	49	}
	50	}
a93f1197	51
54c8dc06	52	sub check_password {
	53	my ( $self, $user, $authinfo ) = @_;
	54
45c7644b	55	if ($self->_config->{'password_type'} eq 'self_check') {
45c7644b	56	return $user->check_password($authinfo->{$self->_config->{'password_field'}});
54c8dc06	57	} else {
45c7644b	58	my $password = $authinfo->{$self->_config->{'password_field'}};
45c7644b	59	my $storedpassword = $user->get($self->_config->{'password_field'});
54c8dc06	60
17185597	61	if ($self->_config->{'password_type'} eq 'none') {
	62	return 1;
	63	} elsif ($self->_config->{'password_type'} eq 'clear') {
54c8dc06	64	return $password eq $storedpassword;
17185597	65	} elsif ($self->_config->{'password_type'} eq 'crypted') {
54c8dc06	66	return $storedpassword eq crypt( $password, $storedpassword );
45c7644b	67	} elsif ($self->_config->{'password_type'} eq 'salted_hash') {
54c8dc06	68	require Crypt::SaltedHash;
45c7644b	69	my $salt_len = $self->_config->{'password_salt_len'} ? $self->_config->{'password_salt_len'} : 0;
54c8dc06	70	return Crypt::SaltedHash->validate( $storedpassword, $password,
54c8dc06	71	$salt_len );
45c7644b	72	} elsif ($self->_config->{'password_type'} eq 'hashed') {
54c8dc06	73
45c7644b	74	my $d = Digest->new( $self->_config->{'password_hash_type'} );
45c7644b	75	$d->add( $self->_config->{'password_pre_salt'} \|\| '' );
54c8dc06	76	$d->add($password);
45c7644b	77	$d->add( $self->_config->{'password_post_salt'} \|\| '' );
54c8dc06	78
	79	my $computed = $d->clone()->digest;
	80	my $b64computed = $d->clone()->b64digest;
	81	return ( ( $computed eq $storedpassword )
	82	\|\| ( unpack( "H*", $computed ) eq $storedpassword )
	83	\|\| ( $b64computed eq $storedpassword)
	84	\|\| ( $b64computed.'=' eq $storedpassword) );
a93f1197	85	}
a90296d4	86	}
54c8dc06	87	}
	88
	89	## BACKWARDS COMPATIBILITY - all subs below here are deprecated
	90	## They are here for compatibility with older modules that use / inherit from C::P::A::Password
c5fbff80	91	## login()'s existance relies rather heavily on the fact that only Credential::Password
54c8dc06	92	## is being used as a credential. This may not be the case. This is only here
	93	## for backward compatibility. It will go away in a future version
	94	## login should not be used in new applications.
a90296d4	95
54c8dc06	96	sub login {
	97	my ( $c, $user, $password, @rest ) = @_;
	98
	99	unless (
	100	defined($user)
	101	or
	102	$user = $c->request->param("login")
	103	\|\| $c->request->param("user")
	104	\|\| $c->request->param("username")
	105	) {
	106	$c->log->debug(
	107	"Can't login a user without a user object or user ID param")
	108	if $c->debug;
	109	return;
	110	}
	111
	112	unless (
	113	defined($password)
	114	or
	115	$password = $c->request->param("password")
	116	\|\| $c->request->param("passwd")
	117	\|\| $c->request->param("pass")
	118	) {
	119	$c->log->debug("Can't login a user without a password")
	120	if $c->debug;
	121	return;
	122	}
	123
a93f1197	124	unless ( Scalar::Util::blessed($user)
85d1d92d	125	and $user->isa("Catalyst::Plugin::Authentication::User") )
a93f1197	126	{
2f7d8b59	127	if ( my $user_obj = $c->get_user( $user, $password, @rest ) ) {
a93f1197	128	$user = $user_obj;
	129	}
	130	else {
	131	$c->log->debug("User '$user' doesn't exist in the default store")
	132	if $c->debug;
	133	return;
	134	}
	135	}
a90296d4	136
	137	if ( $c->_check_password( $user, $password ) ) {
	138	$c->set_authenticated($user);
a93f1197	139	$c->log->debug("Successfully authenticated user '$user'.")
a93f1197	140	if $c->debug;
a90296d4	141	return 1;
	142	}
	143	else {
a93f1197	144	$c->log->debug(
85d1d92d	145	"Failed to authenticate user '$user'. Reason: 'Incorrect password'")
a93f1197	146	if $c->debug;
a90296d4	147	return;
a90296d4	148	}
54c8dc06	149
a90296d4	150	}
a90296d4	151
54c8dc06	152	## also deprecated. Here for compatibility with older credentials which do not inherit from C::P::A::Password
a90296d4	153	sub _check_password {
a90296d4	154	my ( $c, $user, $password ) = @_;
54c8dc06	155
a90296d4	156	if ( $user->supports(qw/password clear/) ) {
	157	return $user->password eq $password;
	158	}
	159	elsif ( $user->supports(qw/password crypted/) ) {
	160	my $crypted = $user->crypted_password;
	161	return $crypted eq crypt( $password, $crypted );
	162	}
	163	elsif ( $user->supports(qw/password hashed/) ) {
	164
	165	my $d = Digest->new( $user->hash_algorithm );
	166	$d->add( $user->password_pre_salt \|\| '' );
	167	$d->add($password);
	168	$d->add( $user->password_post_salt \|\| '' );
	169
fd5b31a0	170	my $stored = $user->hashed_password;
	171	my $computed = $d->clone()->digest;
	172	my $b64computed = $d->clone()->b64digest;
a90296d4	173
a90296d4	174	return ( ( $computed eq $stored )
fd5b31a0	175	\|\| ( unpack( "H*", $computed ) eq $stored )
	176	\|\| ( $b64computed eq $stored)
	177	\|\| ( $b64computed.'=' eq $stored) );
a90296d4	178	}
	179	elsif ( $user->supports(qw/password salted_hash/) ) {
	180	require Crypt::SaltedHash;
	181
	182	my $salt_len =
	183	$user->can("password_salt_len") ? $user->password_salt_len : 0;
	184
	185	return Crypt::SaltedHash->validate( $user->hashed_password, $password,
	186	$salt_len );
	187	}
	188	elsif ( $user->supports(qw/password self_check/) ) {
	189
	190	# while somewhat silly, this is to prevent code duplication
	191	return $user->check_password($password);
	192
	193	}
	194	else {
	195	Catalyst::Exception->throw(
	196	"The user object $user does not support any "
	197	. "known password authentication mechanism." );
	198	}
	199	}
	200
	201	__PACKAGE__;
	202
	203	__END__
	204
	205	=pod
	206
	207	=head1 NAME
	208
	209	Catalyst::Plugin::Authentication::Credential::Password - Authenticate a user
	210	with a password.
	211
	212	=head1 SYNOPSIS
	213
	214	use Catalyst qw/
	215	Authentication
a90296d4	216	/;
a90296d4	217
8d3ca09c	218	package MyApp::Controller::Auth;
8d3ca09c	219
a90296d4	220	sub login : Local {
	221	my ( $self, $c ) = @_;
	222
89505ffb	223	$c->authenticate( { username => $c->req->param('username'),
89505ffb	224	password => $c->req->param('password') });
a90296d4	225	}
	226
	227	=head1 DESCRIPTION
	228
89505ffb	229	This authentication credential checker takes authentication information
	230	(most often a username) and a password, and attempts to validate the password
	231	provided against the user retrieved from the store.
a90296d4	232
89505ffb	233	=head1 CONFIGURATION
a90296d4	234
89505ffb	235	# example
	236	__PACKAGE__->config->{authentication} =
	237	{
	238	default_realm => 'members',
	239	realms => {
	240	members => {
	241
	242	credential => {
	243	class => 'Password',
	244	password_field => 'password',
	245	password_type => 'hashed',
	246	password_hash_type => 'SHA-1'
	247	},
	248	...
a90296d4	249
a90296d4	250
89505ffb	251	The password module is capable of working with several different password
	252	encryption/hashing algorithms. The one the module uses is determined by the
	253	credential configuration.
a90296d4	254
c5fbff80	255	Those who have used L<Catalyst::Plugin::Authentication> prior to the 0.10 release
	256	should note that the password field and type information is no longer part
	257	of the store configuration and is now part of the Password credential configuration.
	258
89505ffb	259	=over 4
a90296d4	260
89505ffb	261	=item class
a90296d4	262
89505ffb	263	The classname used for Credential. This is part of
	264	L<Catalyst::Plugin::Authentication> and is the method by which
	265	Catalyst::Plugin::Authentication::Credential::Password is loaded as the
	266	credential validator. For this module to be used, this must be set to
	267	'Password'.
a90296d4	268
89505ffb	269	=item password_field
a90296d4	270
89505ffb	271	The field in the user object that contains the password. This will vary
	272	depending on the storage class used, but is most likely something like
	273	'password'. In fact, this is so common that if this is left out of the config,
	274	it defaults to 'password'. This field is obtained from the user object using
	275	the get() method. Essentially: $user->get('passwordfieldname');
a90296d4	276
89505ffb	277	=item password_type
9b09fd1c	278
89505ffb	279	This sets the password type. Often passwords are stored in crypted or hashed
	280	formats. In order for the password module to verify the plaintext password
	281	passed in, it must be told what format the password will be in when it is retreived
	282	from the user object. The supported options are:
9b09fd1c	283
89505ffb	284	=over 8
9b09fd1c	285
17185597	286	=item none
	287
	288	No password check is done. An attempt is made to retrieve the user based on
	289	the information provided in the $c->authenticate() call. If a user is found,
	290	authentication is considered to be successful.
	291
89505ffb	292	=item clear
9b09fd1c	293
89505ffb	294	The password in user is in clear text and will be compared directly.
9b09fd1c	295
89505ffb	296	=item self_check
9b09fd1c	297
89505ffb	298	This option indicates that the password should be passed to the check_password()
89505ffb	299	routine on the user object returned from the store.
9b09fd1c	300
89505ffb	301	=item crypted
a90296d4	302
89505ffb	303	The password in user is in UNIX crypt hashed format.
a90296d4	304
89505ffb	305	=item salted_hash
a90296d4	306
89505ffb	307	The password in user is in salted hash format, and will be validated
	308	using L<Crypt::SaltedHash>. If this password type is selected, you should
	309	also provide the B<password_salt_len> config element to define the salt length.
a90296d4	310
89505ffb	311	=item hashed
a90296d4	312
89505ffb	313	If the user object supports hashed passwords, they will be used in conjunction
89505ffb	314	with L<Digest>. The following config elements affect the hashed configuration:
a90296d4	315
89505ffb	316	=over 8
a90296d4	317
89505ffb	318	=item password_hash_type
a90296d4	319
89505ffb	320	The hash type used, passed directly to L<Digest/new>.
a90296d4	321
89505ffb	322	=item password_pre_salt
a90296d4	323
89505ffb	324	Any pre-salt data to be passed to L<Digest/add> before processing the password.
a90296d4	325
	326	=item password_post_salt
	327
89505ffb	328	Any post-salt data to be passed to L<Digest/add> after processing the password.
a90296d4	329
	330	=back
	331
89505ffb	332	=back
a90296d4	333
89505ffb	334	=back
a90296d4	335
89505ffb	336	=head1 USAGE
a90296d4	337
c5fbff80	338	The Password credential module is very simple to use. Once configured as
	339	indicated above, authenticating using this module is simply a matter of
	340	calling $c->authenticate() with an authinfo hashref that includes the
	341	B<password> element. The password element should contain the password supplied
	342	by the user to be authenticated, in clear text. The other information supplied
	343	in the auth hash is ignored by the Password module, and simply passed to the
	344	auth store to be used to retrieve the user. An example call follows:
a90296d4	345
89505ffb	346	if ($c->authenticate({ username => $username,
	347	password => $password} )) {
	348	# authentication successful
	349	} else {
	350	# authentication failed
	351	}
a90296d4	352
89505ffb	353	=head1 METHODS
a90296d4	354
89505ffb	355	There are no publicly exported routines in the Password module (or indeed in
	356	most credential modules.) However, below is a description of the routines
	357	required by L<Catalyst::Plugin::Authentication> for all credential modules.
a90296d4	358
	359	=over 4
	360
89505ffb	361	=item new ( $config, $app )
a90296d4	362
89505ffb	363	Instantiate a new Password object using the configuration hash provided in
	364	$config. A reference to the application is provided as the second argument.
	365	Note to credential module authors: new() is called during the application's
	366	plugin setup phase, which is before the application specific controllers are
	367	loaded. The practical upshot of this is that things like $c->model(...) will
	368	not function as expected.
a90296d4	369
89505ffb	370	=item authenticate ( $authinfo, $c )
a90296d4	371
89505ffb	372	Try to log a user in, receives a hashref containing authentication information
89505ffb	373	as the first argument, and the current context as the second.
a90296d4	374
89505ffb	375	=back