[catagits/Catalyst-Plugin-Authentication.git] / lib / Catalyst / Plugin / Authentication.pm

#!/usr/bin/perl

package Catalyst::Plugin::Authentication;

use base qw/Class::Accessor::Fast Class::Data::Inheritable/;

BEGIN {
    __PACKAGE__->mk_accessors(qw/_user/);
    __PACKAGE__->mk_classdata($_) for qw/_auth_stores _auth_store_names/;
}

use strict;
use warnings;

use Tie::RefHash;
use Class::Inspector;

# this optimization breaks under Template::Toolkit
# use user_exists instead
#BEGIN {
#	require constant;
#	constant->import(have_want => eval { require Want });
#}

our $VERSION = "0.04";

sub set_authenticated {
    my ( $c, $user ) = @_;

    $c->user($user);
    $c->request->{user} = $user;    # compatibility kludge

    if (    $c->isa("Catalyst::Plugin::Session")
        and $c->config->{authentication}{use_session}
        and $user->supports("session") )
    {
        $c->save_user_in_session($user);
    }

    $c->NEXT::set_authenticated($user);
}

sub user {
    my $c = shift;

    if (@_) {
        return $c->_user(@_);
    }

    my $user = $c->_user;

    if ( $user and !Scalar::Util::blessed($user) ) {
#		return 1 if have_want() && Want::want("BOOL");
        return $c->auth_restore_user($user);
    }

    return $user;
}

sub user_exists {
	my $c = shift;
	return defined($c->_user);
}

sub save_user_in_session {
    my ( $c, $user ) = @_;

    my $store = $user->store || ref $user;
    $c->session->{__user_store} = $c->get_auth_store_name($store) || $store;
    $c->session->{__user} = $user->for_session;
}

sub logout {
    my $c = shift;

    $c->user(undef);

    if (    $c->isa("Catalyst::Plugin::Session")
        and $c->config->{authentication}{use_session} )
    {
        delete @{ $c->session }{qw/__user __user_store/};
    }
    
    $c->NEXT::logout(@_);
}

sub get_user {
    my ( $c, $uid ) = @_;

    if ( my $store = $c->default_auth_store ) {
        return $store->get_user($uid);
    }
    else {
        Catalyst::Exception->throw(
                "The user id $uid was passed to an authentication "
              . "plugin, but no default store was specified" );
    }
}

sub prepare {
    my $c = shift->NEXT::prepare(@_);

    if ( $c->isa("Catalyst::Plugin::Session")
        and !$c->user )
    {
        if ( $c->sessionid and my $frozen_user = $c->session->{__user} ) {
            $c->_user($frozen_user);
        }
    }

    return $c;
}

sub auth_restore_user {
    my ( $c, $frozen_user, $store_name ) = @_;

    return
      unless $c->isa("Catalyst::Plugin::Session")
      and $c->config->{authentication}{use_session}
      and $c->sessionid;

    $store_name  ||= $c->session->{__user_store};
    $frozen_user ||= $c->session->{__user};

    my $store = $c->get_auth_store($store_name);
    $c->_user( my $user = $store->from_session( $c, $frozen_user ) );

    return $user;

}

sub setup {
    my $c = shift;

    my $cfg = $c->config->{authentication} || {};

    %$cfg = (
        use_session => 1,
        %$cfg,
    );

    $c->register_auth_stores(
        default => $cfg->{store},
        %{ $cfg->{stores} || {} },
    );

    $c->NEXT::setup(@_);
}

sub get_auth_store {
    my ( $self, $name ) = @_;
    $self->auth_stores->{$name} || ( Class::Inspector->loaded($name) && $name );
}

sub get_auth_store_name {
    my ( $self, $store ) = @_;
    $self->auth_store_names->{$store};
}

sub register_auth_stores {
    my ( $self, %new ) = @_;

    foreach my $name ( keys %new ) {
        my $store = $new{$name} or next;
        $self->auth_stores->{$name}       = $store;
        $self->auth_store_names->{$store} = $name;
    }
}

sub auth_stores {
    my $self = shift;
    $self->_auth_stores(@_) || $self->_auth_stores( {} );
}

sub auth_store_names {
    my $self = shift;

    $self->_auth_store_names || do {
        tie my %hash, 'Tie::RefHash';
        $self->_auth_store_names( \%hash );
      }
}

sub default_auth_store {
    my $self = shift;

    if ( my $new = shift ) {
        $self->register_auth_stores( default => $new );
    }

    $self->get_auth_store("default");
}

__PACKAGE__;

__END__

=pod

=head1 NAME

Catalyst::Plugin::Authentication - Infrastructure plugin for the Catalyst
authentication framework.

=head1 SYNOPSIS

    use Catalyst qw/
        Authentication
        Authentication::Store::Foo
        Authentication::Credential::Password
    /;

    # later on ...
    # ->login is provided by the Credential::Password module
    $c->login('myusername', 'mypassword');
    my $age = $c->user->age;
    $c->logout;

=head1 DESCRIPTION

The authentication plugin provides generic user support. It is the basis 
for both authentication (checking the user is who they claim to be), and 
authorization (allowing the user to do what the system authorises them to do).

Using authentication is split into two parts. A Store is used to actually 
store the user information, and can store any amount of data related to 
the user. Multiple stores can be accessed from within one application. 
Credentials are used to verify users, using the store, given data from 
the frontend.

To implement authentication in a catalyst application you need to add this 
module, plus at least one store and one credential module.

Authentication data can also be stored in a session, if the application 
is using the L<Catalyst::Plugin::Session> module.

=head1 INTRODUCTION

=head2 The Authentication/Authorization Process

Web applications typically need to identify a user - to tell the user apart
from other users. This is usually done in order to display private information
that is only that user's business, or to limit access to the application so
that only certain entities can access certain parts.

This process is split up into several steps. First you ask the user to identify
themselves. At this point you can't be sure that the user is really who they
claim to be.

Then the user tells you who they are, and backs this claim with some peice of
information that only the real user could give you. For example, a password is
a secret that is known to both the user and you. When the user tells you this
password you can assume they're in on the secret and can be trusted (ignore
identity theft for now). Checking the password, or any other proof is called
B<credential verification>.

By this time you know exactly who the user is - the user's identity is
B<authenticated>. This is where this module's job stops, and other plugins step
in. The next logical step is B<authorization>, the process of deciding what a
user is (or isn't) allowed to do. For example, say your users are split into
two main groups - regular users and administrators. You should verify that the
currently logged in user is indeed an administrator before performing the
actions of an administrative part of your apploication. One way to do this is
with role based access control.

=head2 The Components In This Framework

=head3 Credential Verifiers

When user input is transferred to the L<Catalyst> application (typically via
form inputs) this data then enters the authentication framework through these
plugins.

These plugins check the data, and ensure that it really proves the user is who
they claim to be.

=head3 Storage Backends

The credentials also identify a user, and this family of modules is supposed to
take this identification data and return a standardized object oriented
representation of users.

When a user is retrieved from a store it is not necessarily authenticated.
Credential verifiers can either accept a user object, or fetch the object
themselves from the default store.

=head3 The Core Plugin

This plugin on it's own is the glue, providing store registration, session
integration, and other goodness for the other plugins.

=head3 Other Plugins

More layers of plugins can be stacked on top of the authentication code. For
example, L<Catalyst::Plugin::Session::PerUser> provides an abstraction of
browser sessions that is more persistent per users.
L<Catalyst::Plugin::Authorization::Roles> provides an accepted way to separate
and group users into categories, and then check which categories the current
user belongs to.

=head1 EXAMPLE

Let's say we were storing users in an apache style htpasswd file. The way users
are stored is in that file, with a hashed password and some extra comments. The
way users are verified is by supplying a password which is matched with the
file.

This means that our application will begin like this:

    package MyApp;

    use Catalyst qw/
        Authentication
        Authentication::Credential::Password
        Authentication::Store::Htpasswd
    /;

    __PACKAGE__->config->{authentication}{htpasswd} = "passwdfile";

This loads the appropriate methods and also sets the htpasswd store as the
default store.
    
So, now that we have the code loaded we need to get data from the user into the
credential verifier.

Let's create an authentication controller:

    package MyApp::Controller::Auth;

    sub login : Local {
        my ( $self, $c ) = @_;

        if (    my $user = $c->req->param("user")
            and my $password = $c->req->param("password") )
        {
            if ( $c->login( $user, $password ) ) {
                $c->res->body( "hello " . $c->user->name );
            } else {
                # login incorrect
            }
        }
        else {
            # invalid form input
        }
    }

This code should be very readable. If all the necessary fields are supplied,
call the L<Authentication::Credential::Password/login> method on the
controller. If that succeeds the user is logged in.

It could be simplified though:

    sub login : Local {
        my ( $self, $c ) = @_;

        if ( $c->login ) {
            ...
        }
    }

Since the C<login> method knows how to find logically named parameters on it's
own.

The credential verifier will ask the default store to get the user whose ID is
the user parameter. In this case the default store is the htpasswd one. Once it
fetches the user from the store the password is checked and if it's OK
C<< $c->user >> will contain the user object returned from the htpasswd store.

We can also pass a user object to the credential verifier manually, if we have
several stores per app. This is discussed in
L<Catalyst::Plugin::Authentication::Store>.

Now imagine each admin user has a comment set in the htpasswd file saying
"admin".

A restricted action might look like this:

    sub restricted : Local {
        my ( $self, $c ) = @_;

        $c->detach("unauthorized")
          unless $c->user_exists
          and $c->user->extra_info() eq "admin";

        # do something restricted here
    }

This is somewhat similar to role based access control.
L<Catalyst::Plugin::Authentication::Store::Htpasswd> treats the extra info
field as a comma separated list of roles if it's treated that way. Let's
leverage this. Add the role authorization plugin:

    use Catalyst qw/
        ...
        Authorization::Roles
    /;

    sub restricted : Local {
        my ( $self, $c ) = @_;

        $c->detach("unauthorized") unless $c->check_roles("admin");

        # do something restricted here
    }

This is somewhat simpler and will work if you change your store, too, since the
role interface is consistent.

Let's say your app grew, and you now have 10000 users. It's no longer efficient
to maintain an htpasswd file, so you move this data to a database.

    use Catalyst qw/
        Authentication
        Authentication::Credential::Password
        Authentication::Store::DBIC
        Authorization::Roles
    /;

    __PACKAGE__->config->{authentication}{dbic} = ...; # see the DBIC store docs

The rest of your code should be unchanged. Now let's say you are integrating
typekey authentication to your system. For simplicity's sake we'll assume that
the user's are still keyed in the same way.

    use Catalyst qw/
        Authentication
        Authentication::Credential::Password
        Authentication::Credential::TypeKey
        Authentication::Store::DBIC
        Authorization::Roles
    /;

And in your auth controller add a new action:

    sub typekey : Local {
        my ( $self, $c ) = @_;

        if ( $c->authenticate_typekey) { # uses $c->req and Authen::TypeKey
            # same stuff as the $c->login method
            # ...
        }
    }

You've now added a new credential verification mechanizm orthogonally to the
other components. All you have to do is make sure that the credential verifiers
pass on the same types of parameters to the store in order to retrieve user
objects.

=head1 METHODS

=over 4 

=item user

Returns the currently logged in user or undef if there is none.

=item user_exists

Whether or not a user is logged in right now.

The reason this method exists is that C<< $c->user >> may needlessly load the
user from the auth store.

If you're just going to say

	if ( $c->user_user ) {
		# foo
	} else {
		$c->forward("login");
	}

it should be more efficient than C<< $c->user >> when a user is marked in the session
but C<< $c->user >> hasn't been called yet.

=item logout

Delete the currently logged in user from C<user> and the session.

=item get_user $uid

Fetch a particular users details, defined by the given ID, via the default store.

=back

=head1 CONFIGURATION

=over 4

=item use_session

Whether or not to store the user's logged in state in the session, if the
application is also using the L<Catalyst::Plugin::Session> plugin. This 
value is set to true per default.

=item store

If multiple stores are being used, set the module you want as default here.

=item stores

If multiple stores are being used, you need to provide a name for each store
here, as a hash, the keys are the names you wish to use, and the values are
the the names of the plugins.

 # example
 __PACKAGE__->config( authentication => {
                        store => 'Catalyst::Plugin::Authentication::Store::HtPasswd',
                        stores => { 
                           'dbic' => 'Catalyst::Plugin::Authentication::Store::DBIC'
                                  }
                                         });

=back

=head1 METHODS FOR STORE MANAGEMENT

=over 4

=item default_auth_store

Return the store whose name is 'default'.

This is set to C<< $c->config->{authentication}{store} >> if that value exists,
or by using a Store plugin:

	use Catalyst qw/Authentication Authentication::Store::Minimal/;

Sets the default store to
L<Catalyst::Plugin::Authentication::Store::Minimal::Backend>.


=item get_auth_store $name

Return the store whose name is $name.

=item get_auth_store_name $store

Return the name of the store $store.

=item auth_stores

A hash keyed by name, with the stores registered in the app.

=item auth_store_names

A ref-hash keyed by store, which contains the names of the stores.

=item register_auth_stores %stores_by_name

Register stores into the application.

=back

=head1 INTERNAL METHODS

=over 4

=item set_authenticated $user

Marks a user as authenticated. Should be called from a
C<Catalyst::Plugin::Authentication::Credential> plugin after successful
authentication.

This involves setting C<user> and the internal data in C<session> if
L<Catalyst::Plugin::Session> is loaded.

=item auth_restore_user $user

Used to restore a user from the session, by C<user> only when it's actually
needed.

=item save_user_in_session $user

Used to save the user in a session.

=item prepare

Revives a user from the session object if there is one.

=item setup

Sets the default configuration parameters.

=item 

=back

=head1 SEE ALSO

This list might not be up to date.

=head2 User Storage Backends

L<Catalyst::Plugin::Authentication::Store::Minimal>,
L<Catalyst::Plugin::Authentication::Store::Htpasswd>,
L<Catalyst::Plugin::Authentication::Store::DBIC> (also works with Class::DBI).

=head2 Credential verification

L<Catalyst::Plugin::Authentication::Credential::Password>,
L<Catalyst::Plugin::Authentication::Credential::HTTP>,
L<Catalyst::Plugin::Authentication::Credential::TypeKey>

=head2 Authorization

L<Catalyst::Plugin::Authorization::ACL>,
L<Catalyst::Plugin::Authorization::Roles>

=head2 Internals Documentation

L<Catalyst::Plugin::Authentication::Store>

=head2 Misc

L<Catalyst::Plugin::Session>,
L<Catalyst::Plugin::Session::PerUser>

=head1 DON'T SEE ALSO

This module along with it's sub plugins deprecate a great number of other
modules. These include Catalyst::Plugin::Authentication::Simple,
Catalyst::Plugin::Authentication::CDBI.

At the time of writing these plugins have not yet been replaced or updated, but
should be eventually: Catalyst::Plugin::Authentication::OpenID,
Catalyst::Plugin::Authentication::LDAP,
Catalyst::Plugin::Authentication::CDBI::Basic,
Catalyst::Plugin::Authentication::Basic::Remote

=head1 AUTHORS

Yuval Kogman, C<nothingmuch@woobling.org>

Jess Robinson

David Kamholz

=head1 COPYRIGHT & LICENSE

        Copyright (c) 2005 the aforementioned authors. All rights
        reserved. This program is free software; you can redistribute
        it and/or modify it under the same terms as Perl itself.

=cut
Commit	Line	Data
06675d2e	1	#!/usr/bin/perl
	2
	3	package Catalyst::Plugin::Authentication;
	4
b003080b	5	use base qw/Class::Accessor::Fast Class::Data::Inheritable/;
06675d2e	6
b003080b	7	BEGIN {
7bb06c91	8	__PACKAGE__->mk_accessors(qw/_user/);
96777f3a	9	__PACKAGE__->mk_classdata($_) for qw/_auth_stores _auth_store_names/;
b003080b	10	}
06675d2e	11
	12	use strict;
	13	use warnings;
	14
96777f3a	15	use Tie::RefHash;
12dae309	16	use Class::Inspector;
96777f3a	17
bbf1cb39	18	# this optimization breaks under Template::Toolkit
bbf1cb39	19	# use user_exists instead
e145babc	20	#BEGIN {
	21	# require constant;
	22	# constant->import(have_want => eval { require Want });
	23	#}
a1e5bd36	24
bbf1cb39	25	our $VERSION = "0.04";
c7c003d3	26
06675d2e	27	sub set_authenticated {
	28	my ( $c, $user ) = @_;
	29
	30	$c->user($user);
e300c5b6	31	$c->request->{user} = $user; # compatibility kludge
06675d2e	32
06675d2e	33	if ( $c->isa("Catalyst::Plugin::Session")
96777f3a	34	and $c->config->{authentication}{use_session}
12dae309	35	and $user->supports("session") )
06675d2e	36	{
12dae309	37	$c->save_user_in_session($user);
06675d2e	38	}
55395841	39
4fbe2e14	40	$c->NEXT::set_authenticated($user);
06675d2e	41	}
06675d2e	42
7bb06c91	43	sub user {
e300c5b6	44	my $c = shift;
7bb06c91	45
e300c5b6	46	if (@_) {
	47	return $c->_user(@_);
	48	}
7bb06c91	49
e300c5b6	50	my $user = $c->_user;
7bb06c91	51
e300c5b6	52	if ( $user and !Scalar::Util::blessed($user) ) {
cde43a59	53	# return 1 if have_want() && Want::want("BOOL");
e300c5b6	54	return $c->auth_restore_user($user);
e300c5b6	55	}
7bb06c91	56
e300c5b6	57	return $user;
7bb06c91	58	}
7bb06c91	59
ce0b058d	60	sub user_exists {
	61	my $c = shift;
	62	return defined($c->_user);
	63	}
	64
12dae309	65	sub save_user_in_session {
e300c5b6	66	my ( $c, $user ) = @_;
12dae309	67
	68	my $store = $user->store \|\| ref $user;
	69	$c->session->{__user_store} = $c->get_auth_store_name($store) \|\| $store;
	70	$c->session->{__user} = $user->for_session;
	71	}
	72
06675d2e	73	sub logout {
	74	my $c = shift;
	75
	76	$c->user(undef);
b003080b	77
	78	if ( $c->isa("Catalyst::Plugin::Session")
	79	and $c->config->{authentication}{use_session} )
	80	{
96777f3a	81	delete @{ $c->session }{qw/__user __user_store/};
b003080b	82	}
351e2a82	83
351e2a82	84	$c->NEXT::logout(@_);
06675d2e	85	}
06675d2e	86
7d0922d8	87	sub get_user {
	88	my ( $c, $uid ) = @_;
	89
	90	if ( my $store = $c->default_auth_store ) {
	91	return $store->get_user($uid);
	92	}
	93	else {
	94	Catalyst::Exception->throw(
	95	"The user id $uid was passed to an authentication "
	96	. "plugin, but no default store was specified" );
	97	}
	98	}
	99
06675d2e	100	sub prepare {
	101	my $c = shift->NEXT::prepare(@_);
	102
4fbe2e14	103	if ( $c->isa("Catalyst::Plugin::Session")
06675d2e	104	and !$c->user )
06675d2e	105	{
7bb06c91	106	if ( $c->sessionid and my $frozen_user = $c->session->{__user} ) {
e300c5b6	107	$c->_user($frozen_user);
06675d2e	108	}
	109	}
	110
	111	return $c;
	112	}
	113
7bb06c91	114	sub auth_restore_user {
e300c5b6	115	my ( $c, $frozen_user, $store_name ) = @_;
7bb06c91	116
4fbe2e14	117	return
cde43a59	118	unless $c->isa("Catalyst::Plugin::Session")
4fbe2e14	119	and $c->config->{authentication}{use_session}
4fbe2e14	120	and $c->sessionid;
4402d92d	121
e300c5b6	122	$store_name \|\|= $c->session->{__user_store};
e300c5b6	123	$frozen_user \|\|= $c->session->{__user};
7bb06c91	124
e300c5b6	125	my $store = $c->get_auth_store($store_name);
e300c5b6	126	$c->_user( my $user = $store->from_session( $c, $frozen_user ) );
7bb06c91	127
e300c5b6	128	return $user;
7bb06c91	129
	130	}
	131
06675d2e	132	sub setup {
	133	my $c = shift;
	134
712a35bf	135	my $cfg = $c->config->{authentication} \|\| {};
06675d2e	136
	137	%$cfg = (
	138	use_session => 1,
	139	%$cfg,
	140	);
b003080b	141
12dae309	142	$c->register_auth_stores(
	143	default => $cfg->{store},
	144	%{ $cfg->{stores} \|\| {} },
	145	);
96777f3a	146
b003080b	147	$c->NEXT::setup(@_);
06675d2e	148	}
06675d2e	149
96777f3a	150	sub get_auth_store {
12dae309	151	my ( $self, $name ) = @_;
12dae309	152	$self->auth_stores->{$name} \|\| ( Class::Inspector->loaded($name) && $name );
96777f3a	153	}
	154
	155	sub get_auth_store_name {
12dae309	156	my ( $self, $store ) = @_;
12dae309	157	$self->auth_store_names->{$store};
96777f3a	158	}
	159
	160	sub register_auth_stores {
12dae309	161	my ( $self, %new ) = @_;
96777f3a	162
12dae309	163	foreach my $name ( keys %new ) {
	164	my $store = $new{$name} or next;
	165	$self->auth_stores->{$name} = $store;
	166	$self->auth_store_names->{$store} = $name;
	167	}
96777f3a	168	}
	169
	170	sub auth_stores {
12dae309	171	my $self = shift;
12dae309	172	$self->_auth_stores(@_) \|\| $self->_auth_stores( {} );
96777f3a	173	}
	174
	175	sub auth_store_names {
12dae309	176	my $self = shift;
96777f3a	177
4402d92d	178	$self->_auth_store_names \|\| do {
12dae309	179	tie my %hash, 'Tie::RefHash';
12dae309	180	$self->_auth_store_names( \%hash );
4fbe2e14	181	}
96777f3a	182	}
	183
	184	sub default_auth_store {
12dae309	185	my $self = shift;
96777f3a	186
12dae309	187	if ( my $new = shift ) {
	188	$self->register_auth_stores( default => $new );
	189	}
96777f3a	190
12dae309	191	$self->get_auth_store("default");
96777f3a	192	}
96777f3a	193
06675d2e	194	__PACKAGE__;
	195
	196	__END__
	197
	198	=pod
	199
	200	=head1 NAME
	201
55395841	202	Catalyst::Plugin::Authentication - Infrastructure plugin for the Catalyst
55395841	203	authentication framework.
06675d2e	204
	205	=head1 SYNOPSIS
	206
189b5b0c	207	use Catalyst qw/
	208	Authentication
	209	Authentication::Store::Foo
	210	Authentication::Credential::Password
	211	/;
	212
	213	# later on ...
	214	# ->login is provided by the Credential::Password module
	215	$c->login('myusername', 'mypassword');
	216	my $age = $c->user->age;
	217	$c->logout;
06675d2e	218
	219	=head1 DESCRIPTION
	220
e7522758	221	The authentication plugin provides generic user support. It is the basis
	222	for both authentication (checking the user is who they claim to be), and
	223	authorization (allowing the user to do what the system authorises them to do).
06675d2e	224
e7522758	225	Using authentication is split into two parts. A Store is used to actually
	226	store the user information, and can store any amount of data related to
	227	the user. Multiple stores can be accessed from within one application.
	228	Credentials are used to verify users, using the store, given data from
	229	the frontend.
189b5b0c	230
e7522758	231	To implement authentication in a catalyst application you need to add this
e7522758	232	module, plus at least one store and one credential module.
189b5b0c	233
e7522758	234	Authentication data can also be stored in a session, if the application
e7522758	235	is using the L<Catalyst::Plugin::Session> module.
06675d2e	236
4bb9b01c	237	=head1 INTRODUCTION
	238
	239	=head2 The Authentication/Authorization Process
	240
	241	Web applications typically need to identify a user - to tell the user apart
	242	from other users. This is usually done in order to display private information
	243	that is only that user's business, or to limit access to the application so
	244	that only certain entities can access certain parts.
	245
	246	This process is split up into several steps. First you ask the user to identify
	247	themselves. At this point you can't be sure that the user is really who they
	248	claim to be.
	249
	250	Then the user tells you who they are, and backs this claim with some peice of
	251	information that only the real user could give you. For example, a password is
	252	a secret that is known to both the user and you. When the user tells you this
	253	password you can assume they're in on the secret and can be trusted (ignore
	254	identity theft for now). Checking the password, or any other proof is called
	255	B<credential verification>.
	256
	257	By this time you know exactly who the user is - the user's identity is
	258	B<authenticated>. This is where this module's job stops, and other plugins step
	259	in. The next logical step is B<authorization>, the process of deciding what a
	260	user is (or isn't) allowed to do. For example, say your users are split into
	261	two main groups - regular users and administrators. You should verify that the
	262	currently logged in user is indeed an administrator before performing the
	263	actions of an administrative part of your apploication. One way to do this is
	264	with role based access control.
	265
	266	=head2 The Components In This Framework
	267
	268	=head3 Credential Verifiers
	269
	270	When user input is transferred to the L<Catalyst> application (typically via
	271	form inputs) this data then enters the authentication framework through these
	272	plugins.
	273
	274	These plugins check the data, and ensure that it really proves the user is who
	275	they claim to be.
	276
	277	=head3 Storage Backends
	278
	279	The credentials also identify a user, and this family of modules is supposed to
	280	take this identification data and return a standardized object oriented
	281	representation of users.
	282
	283	When a user is retrieved from a store it is not necessarily authenticated.
	284	Credential verifiers can either accept a user object, or fetch the object
	285	themselves from the default store.
	286
	287	=head3 The Core Plugin
	288
	289	This plugin on it's own is the glue, providing store registration, session
	290	integration, and other goodness for the other plugins.
	291
	292	=head3 Other Plugins
	293
	294	More layers of plugins can be stacked on top of the authentication code. For
	295	example, L<Catalyst::Plugin::Session::PerUser> provides an abstraction of
	296	browser sessions that is more persistent per users.
	297	L<Catalyst::Plugin::Authorization::Roles> provides an accepted way to separate
	298	and group users into categories, and then check which categories the current
	299	user belongs to.
	300
5e91c057	301	=head1 EXAMPLE
	302
	303	Let's say we were storing users in an apache style htpasswd file. The way users
	304	are stored is in that file, with a hashed password and some extra comments. The
	305	way users are verified is by supplying a password which is matched with the
	306	file.
	307
	308	This means that our application will begin like this:
	309
	310	package MyApp;
	311
	312	use Catalyst qw/
	313	Authentication
	314	Authentication::Credential::Password
	315	Authentication::Store::Htpasswd
	316	/;
	317
	318	__PACKAGE__->config->{authentication}{htpasswd} = "passwdfile";
	319
	320	This loads the appropriate methods and also sets the htpasswd store as the
	321	default store.
	322
	323	So, now that we have the code loaded we need to get data from the user into the
	324	credential verifier.
	325
	326	Let's create an authentication controller:
	327
	328	package MyApp::Controller::Auth;
	329
	330	sub login : Local {
	331	my ( $self, $c ) = @_;
	332
	333	if ( my $user = $c->req->param("user")
	334	and my $password = $c->req->param("password") )
	335	{
	336	if ( $c->login( $user, $password ) ) {
	337	$c->res->body( "hello " . $c->user->name );
	338	} else {
	339	# login incorrect
	340	}
	341	}
	342	else {
	343	# invalid form input
	344	}
	345	}
	346
	347	This code should be very readable. If all the necessary fields are supplied,
	348	call the L<Authentication::Credential::Password/login> method on the
	349	controller. If that succeeds the user is logged in.
	350
	351	It could be simplified though:
	352
	353	sub login : Local {
	354	my ( $self, $c ) = @_;
	355
	356	if ( $c->login ) {
	357	...
	358	}
	359	}
	360
	361	Since the C<login> method knows how to find logically named parameters on it's
	362	own.
	363
	364	The credential verifier will ask the default store to get the user whose ID is
365	the user parameter. In this case the default store is the htpasswd one. Once it
366	fetches the user from the store the password is checked and if it's OK
367	C<< $c->user >> will contain the user object returned from the htpasswd store.
368
369	We can also pass a user object to the credential verifier manually, if we have
370	several stores per app. This is discussed in
371	L<Catalyst::Plugin::Authentication::Store>.
372
373	Now imagine each admin user has a comment set in the htpasswd file saying
374	"admin".
375
376	A restricted action might look like this:
377
378	sub restricted : Local {
379	my ( $self, $c ) = @_;
380
381	$c->detach("unauthorized")
382	unless $c->user_exists
383	and $c->user->extra_info() eq "admin";
384
385	# do something restricted here
386	}
387
388	This is somewhat similar to role based access control.
389	L<Catalyst::Plugin::Authentication::Store::Htpasswd> treats the extra info
390	field as a comma separated list of roles if it's treated that way. Let's
391	leverage this. Add the role authorization plugin:
392
393	use Catalyst qw/
394	...
395	Authorization::Roles
396	/;
397
398	sub restricted : Local {
399	my ( $self, $c ) = @_;
400
401	$c->detach("unauthorized") unless $c->check_roles("admin");
402
403	# do something restricted here
404	}
405
406	This is somewhat simpler and will work if you change your store, too, since the
407	role interface is consistent.
408
409	Let's say your app grew, and you now have 10000 users. It's no longer efficient
410	to maintain an htpasswd file, so you move this data to a database.
411
412	use Catalyst qw/
413	Authentication
414	Authentication::Credential::Password
415	Authentication::Store::DBIC
416	Authorization::Roles
417	/;
418
419	__PACKAGE__->config->{authentication}{dbic} = ...; # see the DBIC store docs
420
421	The rest of your code should be unchanged. Now let's say you are integrating
422	typekey authentication to your system. For simplicity's sake we'll assume that
423	the user's are still keyed in the same way.
424
425	use Catalyst qw/
426	Authentication
427	Authentication::Credential::Password
428	Authentication::Credential::TypeKey
429	Authentication::Store::DBIC
430	Authorization::Roles
431	/;
432
433	And in your auth controller add a new action:
434
435	sub typekey : Local {
436	my ( $self, $c ) = @_;
437
438	if ( $c->authenticate_typekey) { # uses $c->req and Authen::TypeKey
439	# same stuff as the $c->login method
440	# ...
441	}
442	}
443
444	You've now added a new credential verification mechanizm orthogonally to the
445	other components. All you have to do is make sure that the credential verifiers
446	pass on the same types of parameters to the store in order to retrieve user
447	objects.
448
06675d2e	449	=head1 METHODS
	450
	451	=over 4
	452
06675d2e	453	=item user
06675d2e	454
189b5b0c	455	Returns the currently logged in user or undef if there is none.
06675d2e	456
ce0b058d	457	=item user_exists
	458
	459	Whether or not a user is logged in right now.
	460
8bcb3a4b	461	The reason this method exists is that C<< $c->user >> may needlessly load the
ce0b058d	462	user from the auth store.
	463
	464	If you're just going to say
	465
	466	if ( $c->user_user ) {
	467	# foo
	468	} else {
	469	$c->forward("login");
	470	}
	471
8bcb3a4b	472	it should be more efficient than C<< $c->user >> when a user is marked in the session
1e055395	473	but C<< $c->user >> hasn't been called yet.
ce0b058d	474
4402d92d	475	=item logout
	476
	477	Delete the currently logged in user from C<user> and the session.
	478
7d0922d8	479	=item get_user $uid
7d0922d8	480
189b5b0c	481	Fetch a particular users details, defined by the given ID, via the default store.
	482
	483	=back
	484
	485	=head1 CONFIGURATION
	486
	487	=over 4
	488
	489	=item use_session
	490
	491	Whether or not to store the user's logged in state in the session, if the
e7522758	492	application is also using the L<Catalyst::Plugin::Session> plugin. This
	493	value is set to true per default.
	494
	495	=item store
	496
1e055395	497	If multiple stores are being used, set the module you want as default here.
7d0922d8	498
1e055395	499	=item stores
	500
	501	If multiple stores are being used, you need to provide a name for each store
	502	here, as a hash, the keys are the names you wish to use, and the values are
	503	the the names of the plugins.
	504
	505	# example
	506	__PACKAGE__->config( authentication => {
	507	store => 'Catalyst::Plugin::Authentication::Store::HtPasswd',
	508	stores => {
	509	'dbic' => 'Catalyst::Plugin::Authentication::Store::DBIC'
	510	}
	511	});
	512
2bcde605	513	=back
1e055395	514
4fbe2e14	515	=head1 METHODS FOR STORE MANAGEMENT
4fbe2e14	516
fe4cf44a	517	=over 4
fe4cf44a	518
7d0922d8	519	=item default_auth_store
7d0922d8	520
4fbe2e14	521	Return the store whose name is 'default'.
7d0922d8	522
189b5b0c	523	This is set to C<< $c->config->{authentication}{store} >> if that value exists,
4fbe2e14	524	or by using a Store plugin:
	525
	526	use Catalyst qw/Authentication Authentication::Store::Minimal/;
	527
	528	Sets the default store to
	529	L<Catalyst::Plugin::Authentication::Store::Minimal::Backend>.
	530
a1e5bd36	531
4fbe2e14	532	=item get_auth_store $name
	533
	534	Return the store whose name is $name.
	535
	536	=item get_auth_store_name $store
	537
	538	Return the name of the store $store.
	539
	540	=item auth_stores
	541
	542	A hash keyed by name, with the stores registered in the app.
	543
	544	=item auth_store_names
	545
	546	A ref-hash keyed by store, which contains the names of the stores.
	547
	548	=item register_auth_stores %stores_by_name
	549
	550	Register stores into the application.
06675d2e	551
fe4cf44a	552	=back
fe4cf44a	553
06675d2e	554	=head1 INTERNAL METHODS
	555
	556	=over 4
	557
	558	=item set_authenticated $user
	559
	560	Marks a user as authenticated. Should be called from a
	561	C<Catalyst::Plugin::Authentication::Credential> plugin after successful
	562	authentication.
	563
	564	This involves setting C<user> and the internal data in C<session> if
	565	L<Catalyst::Plugin::Session> is loaded.
	566
e300c5b6	567	=item auth_restore_user $user
	568
	569	Used to restore a user from the session, by C<user> only when it's actually
	570	needed.
	571
	572	=item save_user_in_session $user
	573
	574	Used to save the user in a session.
	575
06675d2e	576	=item prepare
	577
	578	Revives a user from the session object if there is one.
	579
	580	=item setup
	581
	582	Sets the default configuration parameters.
	583
	584	=item
	585
	586	=back
	587
fbe577ac	588	=head1 SEE ALSO
fbe577ac	589
4bb9b01c	590	This list might not be up to date.
	591
	592	=head2 User Storage Backends
	593
fbe577ac	594	L<Catalyst::Plugin::Authentication::Store::Minimal>,
4bb9b01c	595	L<Catalyst::Plugin::Authentication::Store::Htpasswd>,
	596	L<Catalyst::Plugin::Authentication::Store::DBIC> (also works with Class::DBI).
	597
	598	=head2 Credential verification
	599
	600	L<Catalyst::Plugin::Authentication::Credential::Password>,
	601	L<Catalyst::Plugin::Authentication::Credential::HTTP>,
	602	L<Catalyst::Plugin::Authentication::Credential::TypeKey>
	603
	604	=head2 Authorization
	605
fbe577ac	606	L<Catalyst::Plugin::Authorization::ACL>,
4bb9b01c	607	L<Catalyst::Plugin::Authorization::Roles>
4bb9b01c	608
5e91c057	609	=head2 Internals Documentation
	610
	611	L<Catalyst::Plugin::Authentication::Store>
	612
4bb9b01c	613	=head2 Misc
	614
	615	L<Catalyst::Plugin::Session>,
	616	L<Catalyst::Plugin::Session::PerUser>
fbe577ac	617
93f08fb0	618	=head1 DON'T SEE ALSO
	619
	620	This module along with it's sub plugins deprecate a great number of other
	621	modules. These include Catalyst::Plugin::Authentication::Simple,
	622	Catalyst::Plugin::Authentication::CDBI.
	623
	624	At the time of writing these plugins have not yet been replaced or updated, but
	625	should be eventually: Catalyst::Plugin::Authentication::OpenID,
	626	Catalyst::Plugin::Authentication::LDAP,
	627	Catalyst::Plugin::Authentication::CDBI::Basic,
	628	Catalyst::Plugin::Authentication::Basic::Remote
	629
2bcde605	630	=head1 AUTHORS
fbe577ac	631
fbe577ac	632	Yuval Kogman, C<nothingmuch@woobling.org>
2bcde605	633
7d2f34eb	634	Jess Robinson
2bcde605	635
7d2f34eb	636	David Kamholz
06675d2e	637
ff46c00b	638	=head1 COPYRIGHT & LICENSE
fbe577ac	639
	640	Copyright (c) 2005 the aforementioned authors. All rights
	641	reserved. This program is free software; you can redistribute
	642	it and/or modify it under the same terms as Perl itself.
	643
	644	=cut
06675d2e	645