[catagits/Catalyst-Plugin-Authentication.git] / lib / Catalyst / Plugin / Authentication.pm

#!/usr/bin/perl

package Catalyst::Plugin::Authentication;

use base qw/Class::Accessor::Fast Class::Data::Inheritable/;

BEGIN {
    __PACKAGE__->mk_accessors(qw/_user/);
    __PACKAGE__->mk_classdata($_) for qw/_auth_stores _auth_store_names/;
}

use strict;
use warnings;

use Tie::RefHash;
use Class::Inspector;

# this optimization breaks under Template::Toolkit
# use user_exists instead
#BEGIN {
#	require constant;
#	constant->import(have_want => eval { require Want });
#}

our $VERSION = "0.09";

sub set_authenticated {
    my ( $c, $user ) = @_;

    $c->user($user);
    $c->request->{user} = $user;    # compatibility kludge

    if ( $c->_should_save_user_in_session($user) ) {
        $c->save_user_in_session($user);
    }

    $c->NEXT::set_authenticated($user);
}

sub _should_save_user_in_session {
    my ( $c, $user ) = @_;

    $c->_auth_sessions_supported
    and $c->config->{authentication}{use_session}
    and $user->supports("session");
}

sub _should_load_user_from_session {
    my ( $c, $user ) = @_;

    $c->_auth_sessions_supported
    and $c->config->{authentication}{use_session}
    and $c->session_is_valid;
}

sub _auth_sessions_supported {
    my $c = shift;
    $c->isa("Catalyst::Plugin::Session");
}

sub user {
    my $c = shift;

    if (@_) {
        return $c->_user(@_);
    }

    if ( defined(my $user = $c->_user) ) {
        return $user;
    } else {
        return $c->auth_restore_user;
    }
}

sub user_exists {
	my $c = shift;
	return defined($c->_user) || defined($c->_user_in_session);
}

sub save_user_in_session {
    my ( $c, $user ) = @_;

    my $store = $user->store || ref $user;
    $c->session->{__user_store} = $c->get_auth_store_name($store) || $store;
    $c->session->{__user} = $user->for_session;
}

sub logout {
    my $c = shift;

    $c->user(undef);

    if ( $c->_should_load_user_from_session ) {
        $c->_delete_user_from_session();
    }
    
    $c->NEXT::logout(@_);
}

sub _delete_user_from_session {
    my $c = shift;
    delete @{ $c->session }{qw/__user __user_store/};
}

sub get_user {
    my ( $c, $uid, @rest ) = @_;

    if ( my $store = $c->default_auth_store ) {
        return $store->get_user( $uid, @rest );
    }
    else {
        Catalyst::Exception->throw(
                "The user id $uid was passed to an authentication "
              . "plugin, but no default store was specified" );
    }
}

sub _user_in_session {
    my $c = shift;

    return unless $c->_should_load_user_from_session;

    return $c->session->{__user};
}

sub _store_in_session {
    my $c = shift;
    
    # we don't need verification, it's only called if _user_in_session returned something useful

    return $c->session->{__user_store};
}

sub auth_restore_user {
    my ( $c, $frozen_user, $store_name ) = @_;

    $frozen_user ||= $c->_user_in_session;
    return unless defined($frozen_user);

    $store_name  ||= $c->_store_in_session;
    return unless $store_name; # FIXME die unless? This is an internal inconsistency

    my $store = $c->get_auth_store($store_name);

    $c->_user( my $user = $store->from_session( $c, $frozen_user ) );

    return $user;

}

sub setup {
    my $c = shift;

    my $cfg = $c->config->{authentication} ||= {};

    %$cfg = (
        use_session => 1,
        %$cfg,
    );

    $c->register_auth_stores(
        default => $cfg->{store},
        %{ $cfg->{stores} || {} },
    );

    $c->NEXT::setup(@_);
}

sub get_auth_store {
    my ( $self, $name ) = @_;
    $self->auth_stores->{$name} || ( Class::Inspector->loaded($name) && $name );
}

sub get_auth_store_name {
    my ( $self, $store ) = @_;
    $self->auth_store_names->{$store};
}

sub register_auth_stores {
    my ( $self, %new ) = @_;

    foreach my $name ( keys %new ) {
        my $store = $new{$name} or next;
        $self->auth_stores->{$name}       = $store;
        $self->auth_store_names->{$store} = $name;
    }
}

sub auth_stores {
    my $self = shift;
    $self->_auth_stores(@_) || $self->_auth_stores( {} );
}

sub auth_store_names {
    my $self = shift;

    $self->_auth_store_names || do {
        tie my %hash, 'Tie::RefHash';
        $self->_auth_store_names( \%hash );
      }
}

sub default_auth_store {
    my $self = shift;

    if ( my $new = shift ) {
        $self->register_auth_stores( default => $new );
    }

    $self->get_auth_store("default");
}

__PACKAGE__;

__END__

=pod

=head1 NAME

Catalyst::Plugin::Authentication - Infrastructure plugin for the Catalyst
authentication framework.

=head1 SYNOPSIS

    use Catalyst qw/
        Authentication
        Authentication::Store::Foo
        Authentication::Credential::Password
    /;

    # later on ...
    # ->login is provided by the Credential::Password module
    $c->login('myusername', 'mypassword');
    my $age = $c->user->age;
    $c->logout;

=head1 DESCRIPTION

The authentication plugin provides generic user support. It is the basis 
for both authentication (checking the user is who they claim to be), and 
authorization (allowing the user to do what the system authorises them to do).

Using authentication is split into two parts. A Store is used to actually 
store the user information, and can store any amount of data related to 
the user. Multiple stores can be accessed from within one application. 
Credentials are used to verify users, using the store, given data from 
the frontend.

To implement authentication in a Catalyst application you need to add this 
module, plus at least one store and one credential module.

Authentication data can also be stored in a session, if the application 
is using the L<Catalyst::Plugin::Session> module.

=head1 INTRODUCTION

=head2 The Authentication/Authorization Process

Web applications typically need to identify a user - to tell the user apart
from other users. This is usually done in order to display private information
that is only that user's business, or to limit access to the application so
that only certain entities can access certain parts.

This process is split up into several steps. First you ask the user to identify
themselves. At this point you can't be sure that the user is really who they
claim to be.

Then the user tells you who they are, and backs this claim with some piece of
information that only the real user could give you. For example, a password is
a secret that is known to both the user and you. When the user tells you this
password you can assume they're in on the secret and can be trusted (ignore
identity theft for now). Checking the password, or any other proof is called
B<credential verification>.

By this time you know exactly who the user is - the user's identity is
B<authenticated>. This is where this module's job stops, and other plugins step
in. The next logical step is B<authorization>, the process of deciding what a
user is (or isn't) allowed to do. For example, say your users are split into
two main groups - regular users and administrators. You should verify that the
currently logged in user is indeed an administrator before performing the
actions of an administrative part of your application. One way to do this is
with role based access control.

=head2 The Components In This Framework

=head3 Credential Verifiers

When user input is transferred to the L<Catalyst> application (typically via
form inputs) this data then enters the authentication framework through these
plugins.

These plugins check the data, and ensure that it really proves the user is who
they claim to be.

=head3 Storage Backends

The credentials also identify a user, and this family of modules is supposed to
take this identification data and return a standardized object oriented
representation of users.

When a user is retrieved from a store it is not necessarily authenticated.
Credential verifiers can either accept a user object, or fetch the object
themselves from the default store.

=head3 The Core Plugin

This plugin on its own is the glue, providing store registration, session
integration, and other goodness for the other plugins.

=head3 Other Plugins

More layers of plugins can be stacked on top of the authentication code. For
example, L<Catalyst::Plugin::Session::PerUser> provides an abstraction of
browser sessions that is more persistent per users.
L<Catalyst::Plugin::Authorization::Roles> provides an accepted way to separate
and group users into categories, and then check which categories the current
user belongs to.

=head1 EXAMPLE

Let's say we were storing users in an Apache style htpasswd file. Users are
stored in that file, with a hashed password and some extra comments. Users are
verified by supplying a password which is matched with the file.

This means that our application will begin like this:

    package MyApp;

    use Catalyst qw/
        Authentication
        Authentication::Credential::Password
        Authentication::Store::Htpasswd
    /;

    __PACKAGE__->config->{authentication}{htpasswd} = "passwdfile";

This loads the appropriate methods and also sets the htpasswd store as the
default store.
    
So, now that we have the code loaded we need to get data from the user into the
credential verifier.

Let's create an authentication controller:

    package MyApp::Controller::Auth;

    sub login : Local {
        my ( $self, $c ) = @_;

        if (    my $user = $c->req->param("user")
            and my $password = $c->req->param("password") )
        {
            if ( $c->login( $user, $password ) ) {
                $c->res->body( "hello " . $c->user->name );
            } else {
                # login incorrect
            }
        }
        else {
            # invalid form input
        }
    }

This code should be very readable. If all the necessary fields are supplied,
call the L<Authentication::Credential::Password/login> method on the
controller. If that succeeds the user is logged in.

It could be simplified though:

    sub login : Local {
        my ( $self, $c ) = @_;

        if ( $c->login ) {
            ...
        }
    }

Since the C<login> method knows how to find logically named parameters on its
own.

The credential verifier will ask the default store to get the user whose ID is
the user parameter. In this case the default store is the htpasswd one. Once it
fetches the user from the store the password is checked and if it's OK
C<< $c->user >> will contain the user object returned from the htpasswd store.

We can also pass a user object to the credential verifier manually, if we have
several stores per app. This is discussed in
L<Catalyst::Plugin::Authentication::Store>.

Now imagine each admin user has a comment set in the htpasswd file saying
"admin".

A restricted action might look like this:

    sub restricted : Local {
        my ( $self, $c ) = @_;

        $c->detach("unauthorized")
          unless $c->user_exists
          and $c->user->extra_info() eq "admin";

        # do something restricted here
    }

This is somewhat similar to role based access control.
L<Catalyst::Plugin::Authentication::Store::Htpasswd> treats the extra info
field as a comma separated list of roles if it's treated that way. Let's
leverage this. Add the role authorization plugin:

    use Catalyst qw/
        ...
        Authorization::Roles
    /;

    sub restricted : Local {
        my ( $self, $c ) = @_;

        $c->detach("unauthorized") unless $c->check_roles("admin");

        # do something restricted here
    }

This is somewhat simpler and will work if you change your store, too, since the
role interface is consistent.

Let's say your app grew, and you now have 10000 users. It's no longer efficient
to maintain an htpasswd file, so you move this data to a database.

    use Catalyst qw/
        Authentication
        Authentication::Credential::Password
        Authentication::Store::DBIC
        Authorization::Roles
    /;

    __PACKAGE__->config->{authentication}{dbic} = ...; # see the DBIC store docs

The rest of your code should be unchanged. Now let's say you are integrating
typekey authentication to your system. For simplicity's sake we'll assume that
the user's are still keyed in the same way.

    use Catalyst qw/
        Authentication
        Authentication::Credential::Password
        Authentication::Credential::TypeKey
        Authentication::Store::DBIC
        Authorization::Roles
    /;

And in your auth controller add a new action:

    sub typekey : Local {
        my ( $self, $c ) = @_;

        if ( $c->authenticate_typekey) { # uses $c->req and Authen::TypeKey
            # same stuff as the $c->login method
            # ...
        }
    }

You've now added a new credential verification mechanizm orthogonally to the
other components. All you have to do is make sure that the credential verifiers
pass on the same types of parameters to the store in order to retrieve user
objects.

=head1 METHODS

=over 4 

=item user

Returns the currently logged in user or undef if there is none.

=item user_exists

Whether or not a user is logged in right now.

The reason this method exists is that C<< $c->user >> may needlessly load the
user from the auth store.

If you're just going to say

	if ( $c->user_exists ) {
		# foo
	} else {
		$c->forward("login");
	}

it should be more efficient than C<< $c->user >> when a user is marked in the
session but C<< $c->user >> hasn't been called yet.

=item logout

Delete the currently logged in user from C<user> and the session.

=item get_user $uid

Fetch a particular users details, defined by the given ID, via the default store.

=back

=head1 CONFIGURATION

=over 4

=item use_session

Whether or not to store the user's logged in state in the session, if the
application is also using the L<Catalyst::Plugin::Session> plugin. This 
value is set to true per default.

=item store

If multiple stores are being used, set the module you want as default here.

=item stores

If multiple stores are being used, you need to provide a name for each store
here, as a hash, the keys are the names you wish to use, and the values are
the the names of the plugins.

 # example
 __PACKAGE__->config( authentication => {
                        store => 'Catalyst::Plugin::Authentication::Store::HtPasswd',
                        stores => { 
                           'dbic' => 'Catalyst::Plugin::Authentication::Store::DBIC'
                                  }
                                         });

=back

=head1 METHODS FOR STORE MANAGEMENT

=over 4

=item default_auth_store

Return the store whose name is 'default'.

This is set to C<< $c->config->{authentication}{store} >> if that value exists,
or by using a Store plugin:

	use Catalyst qw/Authentication Authentication::Store::Minimal/;

Sets the default store to
L<Catalyst::Plugin::Authentication::Store::Minimal::Backend>.


=item get_auth_store $name

Return the store whose name is $name.

=item get_auth_store_name $store

Return the name of the store $store.

=item auth_stores

A hash keyed by name, with the stores registered in the app.

=item auth_store_names

A ref-hash keyed by store, which contains the names of the stores.

=item register_auth_stores %stores_by_name

Register stores into the application.

=back

=head1 INTERNAL METHODS

=over 4

=item set_authenticated $user

Marks a user as authenticated. Should be called from a
C<Catalyst::Plugin::Authentication::Credential> plugin after successful
authentication.

This involves setting C<user> and the internal data in C<session> if
L<Catalyst::Plugin::Session> is loaded.

=item auth_restore_user $user

Used to restore a user from the session, by C<user> only when it's actually
needed.

=item save_user_in_session $user

Used to save the user in a session.

=item prepare

Revives a user from the session object if there is one.

=item setup

Sets the default configuration parameters.

=item 

=back

=head1 SEE ALSO

This list might not be up to date.

=head2 User Storage Backends

L<Catalyst::Plugin::Authentication::Store::Minimal>,
L<Catalyst::Plugin::Authentication::Store::Htpasswd>,
L<Catalyst::Plugin::Authentication::Store::DBIC> (also works with Class::DBI).

=head2 Credential verification

L<Catalyst::Plugin::Authentication::Credential::Password>,
L<Catalyst::Plugin::Authentication::Credential::HTTP>,
L<Catalyst::Plugin::Authentication::Credential::TypeKey>

=head2 Authorization

L<Catalyst::Plugin::Authorization::ACL>,
L<Catalyst::Plugin::Authorization::Roles>

=head2 Internals Documentation

L<Catalyst::Plugin::Authentication::Store>

=head2 Misc

L<Catalyst::Plugin::Session>,
L<Catalyst::Plugin::Session::PerUser>

=head1 DON'T SEE ALSO

This module along with its sub plugins deprecate a great number of other
modules. These include L<Catalyst::Plugin::Authentication::Simple>,
L<Catalyst::Plugin::Authentication::CDBI>.

At the time of writing these plugins have not yet been replaced or updated, but
should be eventually: L<Catalyst::Plugin::Authentication::OpenID>,
L<Catalyst::Plugin::Authentication::LDAP>,
L<Catalyst::Plugin::Authentication::CDBI::Basic>,
L<Catalyst::Plugin::Authentication::Basic::Remote>.

=head1 AUTHORS

Yuval Kogman, C<nothingmuch@woobling.org>

Jess Robinson

David Kamholz

=head1 COPYRIGHT & LICENSE

        Copyright (c) 2005 the aforementioned authors. All rights
        reserved. This program is free software; you can redistribute
        it and/or modify it under the same terms as Perl itself.

=cut
Commit	Line	Data
07e49bc7	1	#!/usr/bin/perl
	2
	3	package Catalyst::Plugin::Authentication;
	4
dde93f12	5	use base qw/Class::Accessor::Fast Class::Data::Inheritable/;
07e49bc7	6
dde93f12	7	BEGIN {
2e3b369c	8	__PACKAGE__->mk_accessors(qw/_user/);
8b52f75e	9	__PACKAGE__->mk_classdata($_) for qw/_auth_stores _auth_store_names/;
dde93f12	10	}
07e49bc7	11
	12	use strict;
	13	use warnings;
	14
8b52f75e	15	use Tie::RefHash;
f2fee7ad	16	use Class::Inspector;
8b52f75e	17
7605d422	18	# this optimization breaks under Template::Toolkit
7605d422	19	# use user_exists instead
c8c961f5	20	#BEGIN {
	21	# require constant;
	22	# constant->import(have_want => eval { require Want });
	23	#}
816e5745	24
9583def5	25	our $VERSION = "0.09";
49bd39d0	26
07e49bc7	27	sub set_authenticated {
	28	my ( $c, $user ) = @_;
	29
	30	$c->user($user);
f0348b1d	31	$c->request->{user} = $user; # compatibility kludge
07e49bc7	32
04c8c049	33	if ( $c->_should_save_user_in_session($user) ) {
f2fee7ad	34	$c->save_user_in_session($user);
07e49bc7	35	}
033d2c24	36
b260654c	37	$c->NEXT::set_authenticated($user);
07e49bc7	38	}
07e49bc7	39
04c8c049	40	sub _should_save_user_in_session {
	41	my ( $c, $user ) = @_;
	42
	43	$c->_auth_sessions_supported
	44	and $c->config->{authentication}{use_session}
	45	and $user->supports("session");
	46	}
	47
	48	sub _should_load_user_from_session {
	49	my ( $c, $user ) = @_;
	50
	51	$c->_auth_sessions_supported
	52	and $c->config->{authentication}{use_session}
	53	and $c->session_is_valid;
	54	}
	55
	56	sub _auth_sessions_supported {
	57	my $c = shift;
	58	$c->isa("Catalyst::Plugin::Session");
	59	}
	60
2e3b369c	61	sub user {
f0348b1d	62	my $c = shift;
2e3b369c	63
f0348b1d	64	if (@_) {
	65	return $c->_user(@_);
	66	}
2e3b369c	67
58009177	68	if ( defined(my $user = $c->_user) ) {
	69	return $user;
	70	} else {
d0d5fbef	71	return $c->auth_restore_user;
f0348b1d	72	}
2e3b369c	73	}
2e3b369c	74
1a2be169	75	sub user_exists {
1a2be169	76	my $c = shift;
30d5659d	77	return defined($c->_user) \|\| defined($c->_user_in_session);
58009177	78	}
58009177	79
f2fee7ad	80	sub save_user_in_session {
f0348b1d	81	my ( $c, $user ) = @_;
f2fee7ad	82
	83	my $store = $user->store \|\| ref $user;
	84	$c->session->{__user_store} = $c->get_auth_store_name($store) \|\| $store;
	85	$c->session->{__user} = $user->for_session;
	86	}
	87
07e49bc7	88	sub logout {
	89	my $c = shift;
	90
	91	$c->user(undef);
dde93f12	92
04c8c049	93	if ( $c->_should_load_user_from_session ) {
04c8c049	94	$c->_delete_user_from_session();
dde93f12	95	}
49df63da	96
49df63da	97	$c->NEXT::logout(@_);
07e49bc7	98	}
07e49bc7	99
04c8c049	100	sub _delete_user_from_session {
	101	my $c = shift;
	102	delete @{ $c->session }{qw/__user __user_store/};
	103	}
	104
5435c348	105	sub get_user {
56716182	106	my ( $c, $uid, @rest ) = @_;
5435c348	107
5435c348	108	if ( my $store = $c->default_auth_store ) {
56716182	109	return $store->get_user( $uid, @rest );
5435c348	110	}
	111	else {
	112	Catalyst::Exception->throw(
	113	"The user id $uid was passed to an authentication "
	114	. "plugin, but no default store was specified" );
	115	}
	116	}
	117
d0d5fbef	118	sub _user_in_session {
	119	my $c = shift;
	120
04c8c049	121	return unless $c->_should_load_user_from_session;
d0d5fbef	122
d0d5fbef	123	return $c->session->{__user};
04c8c049	124	}
d0d5fbef	125
04c8c049	126	sub _store_in_session {
	127	my $c = shift;
	128
	129	# we don't need verification, it's only called if _user_in_session returned something useful
	130
	131	return $c->session->{__user_store};
d0d5fbef	132	}
d0d5fbef	133
2e3b369c	134	sub auth_restore_user {
f0348b1d	135	my ( $c, $frozen_user, $store_name ) = @_;
2e3b369c	136
d0d5fbef	137	$frozen_user \|\|= $c->_user_in_session;
d0d5fbef	138	return unless defined($frozen_user);
b7a0db6d	139
04c8c049	140	$store_name \|\|= $c->_store_in_session;
9583def5	141	return unless $store_name; # FIXME die unless? This is an internal inconsistency
2e3b369c	142
f0348b1d	143	my $store = $c->get_auth_store($store_name);
04c8c049	144
f0348b1d	145	$c->_user( my $user = $store->from_session( $c, $frozen_user ) );
2e3b369c	146
f0348b1d	147	return $user;
2e3b369c	148
	149	}
	150
07e49bc7	151	sub setup {
	152	my $c = shift;
	153
04c8c049	154	my $cfg = $c->config->{authentication} \|\|= {};
07e49bc7	155
	156	%$cfg = (
	157	use_session => 1,
	158	%$cfg,
	159	);
dde93f12	160
f2fee7ad	161	$c->register_auth_stores(
	162	default => $cfg->{store},
	163	%{ $cfg->{stores} \|\| {} },
	164	);
8b52f75e	165
dde93f12	166	$c->NEXT::setup(@_);
07e49bc7	167	}
07e49bc7	168
8b52f75e	169	sub get_auth_store {
f2fee7ad	170	my ( $self, $name ) = @_;
f2fee7ad	171	$self->auth_stores->{$name} \|\| ( Class::Inspector->loaded($name) && $name );
8b52f75e	172	}
	173
	174	sub get_auth_store_name {
f2fee7ad	175	my ( $self, $store ) = @_;
f2fee7ad	176	$self->auth_store_names->{$store};
8b52f75e	177	}
	178
	179	sub register_auth_stores {
f2fee7ad	180	my ( $self, %new ) = @_;
8b52f75e	181
f2fee7ad	182	foreach my $name ( keys %new ) {
	183	my $store = $new{$name} or next;
	184	$self->auth_stores->{$name} = $store;
	185	$self->auth_store_names->{$store} = $name;
	186	}
8b52f75e	187	}
	188
	189	sub auth_stores {
f2fee7ad	190	my $self = shift;
f2fee7ad	191	$self->_auth_stores(@_) \|\| $self->_auth_stores( {} );
8b52f75e	192	}
	193
	194	sub auth_store_names {
f2fee7ad	195	my $self = shift;
8b52f75e	196
b7a0db6d	197	$self->_auth_store_names \|\| do {
f2fee7ad	198	tie my %hash, 'Tie::RefHash';
f2fee7ad	199	$self->_auth_store_names( \%hash );
b260654c	200	}
8b52f75e	201	}
	202
	203	sub default_auth_store {
f2fee7ad	204	my $self = shift;
8b52f75e	205
f2fee7ad	206	if ( my $new = shift ) {
	207	$self->register_auth_stores( default => $new );
	208	}
8b52f75e	209
f2fee7ad	210	$self->get_auth_store("default");
8b52f75e	211	}
8b52f75e	212
07e49bc7	213	__PACKAGE__;
	214
	215	__END__
	216
	217	=pod
	218
	219	=head1 NAME
	220
033d2c24	221	Catalyst::Plugin::Authentication - Infrastructure plugin for the Catalyst
033d2c24	222	authentication framework.
07e49bc7	223
	224	=head1 SYNOPSIS
	225
18a3c897	226	use Catalyst qw/
	227	Authentication
	228	Authentication::Store::Foo
	229	Authentication::Credential::Password
	230	/;
	231
	232	# later on ...
	233	# ->login is provided by the Credential::Password module
	234	$c->login('myusername', 'mypassword');
	235	my $age = $c->user->age;
	236	$c->logout;
07e49bc7	237
	238	=head1 DESCRIPTION
	239
14929a35	240	The authentication plugin provides generic user support. It is the basis
	241	for both authentication (checking the user is who they claim to be), and
	242	authorization (allowing the user to do what the system authorises them to do).
07e49bc7	243
14929a35	244	Using authentication is split into two parts. A Store is used to actually
	245	store the user information, and can store any amount of data related to
	246	the user. Multiple stores can be accessed from within one application.
	247	Credentials are used to verify users, using the store, given data from
	248	the frontend.
18a3c897	249
f0f9cd72	250	To implement authentication in a Catalyst application you need to add this
14929a35	251	module, plus at least one store and one credential module.
18a3c897	252
14929a35	253	Authentication data can also be stored in a session, if the application
14929a35	254	is using the L<Catalyst::Plugin::Session> module.
07e49bc7	255
e5108df9	256	=head1 INTRODUCTION
	257
	258	=head2 The Authentication/Authorization Process
	259
	260	Web applications typically need to identify a user - to tell the user apart
	261	from other users. This is usually done in order to display private information
	262	that is only that user's business, or to limit access to the application so
	263	that only certain entities can access certain parts.
	264
	265	This process is split up into several steps. First you ask the user to identify
	266	themselves. At this point you can't be sure that the user is really who they
	267	claim to be.
	268
f0f9cd72	269	Then the user tells you who they are, and backs this claim with some piece of
e5108df9	270	information that only the real user could give you. For example, a password is
	271	a secret that is known to both the user and you. When the user tells you this
	272	password you can assume they're in on the secret and can be trusted (ignore
	273	identity theft for now). Checking the password, or any other proof is called
	274	B<credential verification>.
	275
	276	By this time you know exactly who the user is - the user's identity is
	277	B<authenticated>. This is where this module's job stops, and other plugins step
	278	in. The next logical step is B<authorization>, the process of deciding what a
	279	user is (or isn't) allowed to do. For example, say your users are split into
	280	two main groups - regular users and administrators. You should verify that the
	281	currently logged in user is indeed an administrator before performing the
f0f9cd72	282	actions of an administrative part of your application. One way to do this is
e5108df9	283	with role based access control.
	284
	285	=head2 The Components In This Framework
	286
	287	=head3 Credential Verifiers
	288
	289	When user input is transferred to the L<Catalyst> application (typically via
	290	form inputs) this data then enters the authentication framework through these
	291	plugins.
	292
	293	These plugins check the data, and ensure that it really proves the user is who
	294	they claim to be.
	295
	296	=head3 Storage Backends
	297
	298	The credentials also identify a user, and this family of modules is supposed to
	299	take this identification data and return a standardized object oriented
	300	representation of users.
	301
	302	When a user is retrieved from a store it is not necessarily authenticated.
	303	Credential verifiers can either accept a user object, or fetch the object
	304	themselves from the default store.
	305
	306	=head3 The Core Plugin
	307
f0f9cd72	308	This plugin on its own is the glue, providing store registration, session
e5108df9	309	integration, and other goodness for the other plugins.
	310
	311	=head3 Other Plugins
	312
	313	More layers of plugins can be stacked on top of the authentication code. For
	314	example, L<Catalyst::Plugin::Session::PerUser> provides an abstraction of
	315	browser sessions that is more persistent per users.
	316	L<Catalyst::Plugin::Authorization::Roles> provides an accepted way to separate
	317	and group users into categories, and then check which categories the current
	318	user belongs to.
	319
caae740f	320	=head1 EXAMPLE
caae740f	321
f0f9cd72	322	Let's say we were storing users in an Apache style htpasswd file. Users are
	323	stored in that file, with a hashed password and some extra comments. Users are
	324	verified by supplying a password which is matched with the file.
caae740f	325
	326	This means that our application will begin like this:
	327
	328	package MyApp;
	329
	330	use Catalyst qw/
	331	Authentication
	332	Authentication::Credential::Password
	333	Authentication::Store::Htpasswd
	334	/;
	335
	336	__PACKAGE__->config->{authentication}{htpasswd} = "passwdfile";
	337
	338	This loads the appropriate methods and also sets the htpasswd store as the
	339	default store.
	340
	341	So, now that we have the code loaded we need to get data from the user into the
	342	credential verifier.
	343
	344	Let's create an authentication controller:
	345
	346	package MyApp::Controller::Auth;
	347
	348	sub login : Local {
	349	my ( $self, $c ) = @_;
	350
	351	if ( my $user = $c->req->param("user")
	352	and my $password = $c->req->param("password") )
	353	{
	354	if ( $c->login( $user, $password ) ) {
	355	$c->res->body( "hello " . $c->user->name );
	356	} else {
	357	# login incorrect
	358	}
	359	}
	360	else {
	361	# invalid form input
	362	}
	363	}
	364
	365	This code should be very readable. If all the necessary fields are supplied,
	366	call the L<Authentication::Credential::Password/login> method on the
	367	controller. If that succeeds the user is logged in.
	368
	369	It could be simplified though:
	370
	371	sub login : Local {
	372	my ( $self, $c ) = @_;
	373
	374	if ( $c->login ) {
	375	...
	376	}
	377	}
	378
0a630893	379	Since the C<login> method knows how to find logically named parameters on its
caae740f	380	own.
	381
	382	The credential verifier will ask the default store to get the user whose ID is
	383	the user parameter. In this case the default store is the htpasswd one. Once it
	384	fetches the user from the store the password is checked and if it's OK
	385	C<< $c->user >> will contain the user object returned from the htpasswd store.
	386
	387	We can also pass a user object to the credential verifier manually, if we have
	388	several stores per app. This is discussed in
	389	L<Catalyst::Plugin::Authentication::Store>.
	390
	391	Now imagine each admin user has a comment set in the htpasswd file saying
	392	"admin".
	393
	394	A restricted action might look like this:
	395
	396	sub restricted : Local {
	397	my ( $self, $c ) = @_;
	398
	399	$c->detach("unauthorized")
	400	unless $c->user_exists
	401	and $c->user->extra_info() eq "admin";
	402
	403	# do something restricted here
	404	}
	405
	406	This is somewhat similar to role based access control.
	407	L<Catalyst::Plugin::Authentication::Store::Htpasswd> treats the extra info
	408	field as a comma separated list of roles if it's treated that way. Let's
	409	leverage this. Add the role authorization plugin:
	410
	411	use Catalyst qw/
	412	...
	413	Authorization::Roles
	414	/;
	415
	416	sub restricted : Local {
	417	my ( $self, $c ) = @_;
	418
e96086b6	419	$c->detach("unauthorized") unless $c->check_roles("admin");
caae740f	420
	421	# do something restricted here
	422	}
	423
	424	This is somewhat simpler and will work if you change your store, too, since the
	425	role interface is consistent.
	426
	427	Let's say your app grew, and you now have 10000 users. It's no longer efficient
	428	to maintain an htpasswd file, so you move this data to a database.
	429
	430	use Catalyst qw/
	431	Authentication
	432	Authentication::Credential::Password
	433	Authentication::Store::DBIC
	434	Authorization::Roles
	435	/;
	436
	437	__PACKAGE__->config->{authentication}{dbic} = ...; # see the DBIC store docs
	438
	439	The rest of your code should be unchanged. Now let's say you are integrating
	440	typekey authentication to your system. For simplicity's sake we'll assume that
	441	the user's are still keyed in the same way.
	442
	443	use Catalyst qw/
	444	Authentication
	445	Authentication::Credential::Password
	446	Authentication::Credential::TypeKey
	447	Authentication::Store::DBIC
	448	Authorization::Roles
	449	/;
	450
	451	And in your auth controller add a new action:
	452
	453	sub typekey : Local {
	454	my ( $self, $c ) = @_;
	455
	456	if ( $c->authenticate_typekey) { # uses $c->req and Authen::TypeKey
	457	# same stuff as the $c->login method
	458	# ...
	459	}
	460	}
	461
	462	You've now added a new credential verification mechanizm orthogonally to the
	463	other components. All you have to do is make sure that the credential verifiers
	464	pass on the same types of parameters to the store in order to retrieve user
	465	objects.
	466
07e49bc7	467	=head1 METHODS
	468
	469	=over 4
	470
07e49bc7	471	=item user
07e49bc7	472
18a3c897	473	Returns the currently logged in user or undef if there is none.
07e49bc7	474
1a2be169	475	=item user_exists
	476
	477	Whether or not a user is logged in right now.
	478
4bc70618	479	The reason this method exists is that C<< $c->user >> may needlessly load the
1a2be169	480	user from the auth store.
	481
	482	If you're just going to say
	483
8f8b56b6	484	if ( $c->user_exists ) {
1a2be169	485	# foo
	486	} else {
	487	$c->forward("login");
	488	}
	489
8f8b56b6	490	it should be more efficient than C<< $c->user >> when a user is marked in the
8f8b56b6	491	session but C<< $c->user >> hasn't been called yet.
1a2be169	492
b7a0db6d	493	=item logout
	494
	495	Delete the currently logged in user from C<user> and the session.
	496
5435c348	497	=item get_user $uid
5435c348	498
18a3c897	499	Fetch a particular users details, defined by the given ID, via the default store.
	500
	501	=back
	502
	503	=head1 CONFIGURATION
	504
	505	=over 4
	506
	507	=item use_session
	508
	509	Whether or not to store the user's logged in state in the session, if the
14929a35	510	application is also using the L<Catalyst::Plugin::Session> plugin. This
	511	value is set to true per default.
	512
	513	=item store
	514
d61933f6	515	If multiple stores are being used, set the module you want as default here.
5435c348	516
d61933f6	517	=item stores
	518
	519	If multiple stores are being used, you need to provide a name for each store
	520	here, as a hash, the keys are the names you wish to use, and the values are
	521	the the names of the plugins.
	522
	523	# example
	524	__PACKAGE__->config( authentication => {
	525	store => 'Catalyst::Plugin::Authentication::Store::HtPasswd',
	526	stores => {
	527	'dbic' => 'Catalyst::Plugin::Authentication::Store::DBIC'
	528	}
	529	});
	530
51111c81	531	=back
d61933f6	532
b260654c	533	=head1 METHODS FOR STORE MANAGEMENT
b260654c	534
b12e226d	535	=over 4
b12e226d	536
5435c348	537	=item default_auth_store
5435c348	538
b260654c	539	Return the store whose name is 'default'.
5435c348	540
18a3c897	541	This is set to C<< $c->config->{authentication}{store} >> if that value exists,
b260654c	542	or by using a Store plugin:
	543
	544	use Catalyst qw/Authentication Authentication::Store::Minimal/;
	545
	546	Sets the default store to
	547	L<Catalyst::Plugin::Authentication::Store::Minimal::Backend>.
	548
816e5745	549
b260654c	550	=item get_auth_store $name
	551
	552	Return the store whose name is $name.
	553
	554	=item get_auth_store_name $store
	555
	556	Return the name of the store $store.
	557
	558	=item auth_stores
	559
	560	A hash keyed by name, with the stores registered in the app.
	561
	562	=item auth_store_names
	563
	564	A ref-hash keyed by store, which contains the names of the stores.
	565
	566	=item register_auth_stores %stores_by_name
	567
	568	Register stores into the application.
07e49bc7	569
b12e226d	570	=back
b12e226d	571
07e49bc7	572	=head1 INTERNAL METHODS
	573
	574	=over 4
	575
	576	=item set_authenticated $user
	577
	578	Marks a user as authenticated. Should be called from a
	579	C<Catalyst::Plugin::Authentication::Credential> plugin after successful
	580	authentication.
	581
	582	This involves setting C<user> and the internal data in C<session> if
	583	L<Catalyst::Plugin::Session> is loaded.
	584
f0348b1d	585	=item auth_restore_user $user
	586
	587	Used to restore a user from the session, by C<user> only when it's actually
	588	needed.
	589
	590	=item save_user_in_session $user
	591
	592	Used to save the user in a session.
	593
07e49bc7	594	=item prepare
	595
	596	Revives a user from the session object if there is one.
	597
	598	=item setup
	599
	600	Sets the default configuration parameters.
	601
	602	=item
	603
	604	=back
	605
36fba990	606	=head1 SEE ALSO
36fba990	607
e5108df9	608	This list might not be up to date.
	609
	610	=head2 User Storage Backends
	611
36fba990	612	L<Catalyst::Plugin::Authentication::Store::Minimal>,
e5108df9	613	L<Catalyst::Plugin::Authentication::Store::Htpasswd>,
	614	L<Catalyst::Plugin::Authentication::Store::DBIC> (also works with Class::DBI).
	615
	616	=head2 Credential verification
	617
	618	L<Catalyst::Plugin::Authentication::Credential::Password>,
	619	L<Catalyst::Plugin::Authentication::Credential::HTTP>,
	620	L<Catalyst::Plugin::Authentication::Credential::TypeKey>
	621
	622	=head2 Authorization
	623
36fba990	624	L<Catalyst::Plugin::Authorization::ACL>,
e5108df9	625	L<Catalyst::Plugin::Authorization::Roles>
e5108df9	626
caae740f	627	=head2 Internals Documentation
	628
	629	L<Catalyst::Plugin::Authentication::Store>
	630
e5108df9	631	=head2 Misc
	632
	633	L<Catalyst::Plugin::Session>,
	634	L<Catalyst::Plugin::Session::PerUser>
36fba990	635
d304b38a	636	=head1 DON'T SEE ALSO
d304b38a	637
1db33018	638	This module along with its sub plugins deprecate a great number of other
	639	modules. These include L<Catalyst::Plugin::Authentication::Simple>,
	640	L<Catalyst::Plugin::Authentication::CDBI>.
d304b38a	641
d304b38a	642	At the time of writing these plugins have not yet been replaced or updated, but
1db33018	643	should be eventually: L<Catalyst::Plugin::Authentication::OpenID>,
	644	L<Catalyst::Plugin::Authentication::LDAP>,
	645	L<Catalyst::Plugin::Authentication::CDBI::Basic>,
	646	L<Catalyst::Plugin::Authentication::Basic::Remote>.
d304b38a	647
51111c81	648	=head1 AUTHORS
36fba990	649
36fba990	650	Yuval Kogman, C<nothingmuch@woobling.org>
51111c81	651
7d4c2ed8	652	Jess Robinson
51111c81	653
7d4c2ed8	654	David Kamholz
07e49bc7	655
8f86f029	656	=head1 COPYRIGHT & LICENSE
36fba990	657
	658	Copyright (c) 2005 the aforementioned authors. All rights
	659	reserved. This program is free software; you can redistribute
	660	it and/or modify it under the same terms as Perl itself.
	661
	662	=cut
07e49bc7	663