[catagits/Catalyst-Plugin-Authentication.git] / lib / Catalyst / Plugin / Authentication.pm

#!/usr/bin/perl

package Catalyst::Plugin::Authentication;

use base qw/Class::Accessor::Fast Class::Data::Inheritable/;

BEGIN {
    __PACKAGE__->mk_accessors(qw/_user/);
    __PACKAGE__->mk_classdata($_) for qw/_auth_stores _auth_store_names/;
}

use strict;
use warnings;

use Tie::RefHash;
use Class::Inspector;

# this optimization breaks under Template::Toolkit
# use user_exists instead
#BEGIN {
#	require constant;
#	constant->import(have_want => eval { require Want });
#}

our $VERSION = "0.08";

sub set_authenticated {
    my ( $c, $user ) = @_;

    $c->user($user);
    $c->request->{user} = $user;    # compatibility kludge

    if (    $c->isa("Catalyst::Plugin::Session")
        and $c->config->{authentication}{use_session}
        and $user->supports("session") )
    {
        $c->save_user_in_session($user);
    }

    $c->NEXT::set_authenticated($user);
}

sub user {
    my $c = shift;

    if (@_) {
        return $c->_user(@_);
    }

    if ( defined(my $user = $c->_user) ) {
        return $user;
    } else {
        my $frozen = $c->_user_in_session;
        return $c->auth_restore_user($frozen);
    }
}

sub user_exists {
	my $c = shift;
	return defined($c->_user) || defined($c->_user_in_session);
}

sub _user_in_session {
    my $c = shift;

    if ( $c->isa("Catalyst::Plugin::Session") and $c->session_is_valid ) {
        return $c->session->{__user};
    }

    return;
}

sub save_user_in_session {
    my ( $c, $user ) = @_;

    my $store = $user->store || ref $user;
    $c->session->{__user_store} = $c->get_auth_store_name($store) || $store;
    $c->session->{__user} = $user->for_session;
}

sub logout {
    my $c = shift;

    $c->user(undef);

    if (    $c->isa("Catalyst::Plugin::Session")
        and $c->config->{authentication}{use_session} )
    {
        delete @{ $c->session }{qw/__user __user_store/};
    }
    
    $c->NEXT::logout(@_);
}

sub get_user {
    my ( $c, $uid, @rest ) = @_;

    if ( my $store = $c->default_auth_store ) {
        return $store->get_user( $uid, @rest );
    }
    else {
        Catalyst::Exception->throw(
                "The user id $uid was passed to an authentication "
              . "plugin, but no default store was specified" );
    }
}

sub auth_restore_user {
    my ( $c, $frozen_user, $store_name ) = @_;

    return
      unless $c->isa("Catalyst::Plugin::Session")
      and $c->config->{authentication}{use_session}
      and $c->sessionid;

    $store_name  ||= $c->session->{__user_store};
    $frozen_user ||= $c->session->{__user};

    my $store = $c->get_auth_store($store_name);
    $c->_user( my $user = $store->from_session( $c, $frozen_user ) );

    return $user;

}

sub setup {
    my $c = shift;

    my $cfg = $c->config->{authentication} || {};

    %$cfg = (
        use_session => 1,
        %$cfg,
    );

    $c->register_auth_stores(
        default => $cfg->{store},
        %{ $cfg->{stores} || {} },
    );

    $c->NEXT::setup(@_);
}

sub get_auth_store {
    my ( $self, $name ) = @_;
    $self->auth_stores->{$name} || ( Class::Inspector->loaded($name) && $name );
}

sub get_auth_store_name {
    my ( $self, $store ) = @_;
    $self->auth_store_names->{$store};
}

sub register_auth_stores {
    my ( $self, %new ) = @_;

    foreach my $name ( keys %new ) {
        my $store = $new{$name} or next;
        $self->auth_stores->{$name}       = $store;
        $self->auth_store_names->{$store} = $name;
    }
}

sub auth_stores {
    my $self = shift;
    $self->_auth_stores(@_) || $self->_auth_stores( {} );
}

sub auth_store_names {
    my $self = shift;

    $self->_auth_store_names || do {
        tie my %hash, 'Tie::RefHash';
        $self->_auth_store_names( \%hash );
      }
}

sub default_auth_store {
    my $self = shift;

    if ( my $new = shift ) {
        $self->register_auth_stores( default => $new );
    }

    $self->get_auth_store("default");
}

__PACKAGE__;

__END__

=pod

=head1 NAME

Catalyst::Plugin::Authentication - Infrastructure plugin for the Catalyst
authentication framework.

=head1 SYNOPSIS

    use Catalyst qw/
        Authentication
        Authentication::Store::Foo
        Authentication::Credential::Password
    /;

    # later on ...
    # ->login is provided by the Credential::Password module
    $c->login('myusername', 'mypassword');
    my $age = $c->user->age;
    $c->logout;

=head1 DESCRIPTION

The authentication plugin provides generic user support. It is the basis 
for both authentication (checking the user is who they claim to be), and 
authorization (allowing the user to do what the system authorises them to do).

Using authentication is split into two parts. A Store is used to actually 
store the user information, and can store any amount of data related to 
the user. Multiple stores can be accessed from within one application. 
Credentials are used to verify users, using the store, given data from 
the frontend.

To implement authentication in a Catalyst application you need to add this 
module, plus at least one store and one credential module.

Authentication data can also be stored in a session, if the application 
is using the L<Catalyst::Plugin::Session> module.

=head1 INTRODUCTION

=head2 The Authentication/Authorization Process

Web applications typically need to identify a user - to tell the user apart
from other users. This is usually done in order to display private information
that is only that user's business, or to limit access to the application so
that only certain entities can access certain parts.

This process is split up into several steps. First you ask the user to identify
themselves. At this point you can't be sure that the user is really who they
claim to be.

Then the user tells you who they are, and backs this claim with some piece of
information that only the real user could give you. For example, a password is
a secret that is known to both the user and you. When the user tells you this
password you can assume they're in on the secret and can be trusted (ignore
identity theft for now). Checking the password, or any other proof is called
B<credential verification>.

By this time you know exactly who the user is - the user's identity is
B<authenticated>. This is where this module's job stops, and other plugins step
in. The next logical step is B<authorization>, the process of deciding what a
user is (or isn't) allowed to do. For example, say your users are split into
two main groups - regular users and administrators. You should verify that the
currently logged in user is indeed an administrator before performing the
actions of an administrative part of your application. One way to do this is
with role based access control.

=head2 The Components In This Framework

=head3 Credential Verifiers

When user input is transferred to the L<Catalyst> application (typically via
form inputs) this data then enters the authentication framework through these
plugins.

These plugins check the data, and ensure that it really proves the user is who
they claim to be.

=head3 Storage Backends

The credentials also identify a user, and this family of modules is supposed to
take this identification data and return a standardized object oriented
representation of users.

When a user is retrieved from a store it is not necessarily authenticated.
Credential verifiers can either accept a user object, or fetch the object
themselves from the default store.

=head3 The Core Plugin

This plugin on its own is the glue, providing store registration, session
integration, and other goodness for the other plugins.

=head3 Other Plugins

More layers of plugins can be stacked on top of the authentication code. For
example, L<Catalyst::Plugin::Session::PerUser> provides an abstraction of
browser sessions that is more persistent per users.
L<Catalyst::Plugin::Authorization::Roles> provides an accepted way to separate
and group users into categories, and then check which categories the current
user belongs to.

=head1 EXAMPLE

Let's say we were storing users in an Apache style htpasswd file. Users are
stored in that file, with a hashed password and some extra comments. Users are
verified by supplying a password which is matched with the file.

This means that our application will begin like this:

    package MyApp;

    use Catalyst qw/
        Authentication
        Authentication::Credential::Password
        Authentication::Store::Htpasswd
    /;

    __PACKAGE__->config->{authentication}{htpasswd} = "passwdfile";

This loads the appropriate methods and also sets the htpasswd store as the
default store.
    
So, now that we have the code loaded we need to get data from the user into the
credential verifier.

Let's create an authentication controller:

    package MyApp::Controller::Auth;

    sub login : Local {
        my ( $self, $c ) = @_;

        if (    my $user = $c->req->param("user")
            and my $password = $c->req->param("password") )
        {
            if ( $c->login( $user, $password ) ) {
                $c->res->body( "hello " . $c->user->name );
            } else {
                # login incorrect
            }
        }
        else {
            # invalid form input
        }
    }

This code should be very readable. If all the necessary fields are supplied,
call the L<Authentication::Credential::Password/login> method on the
controller. If that succeeds the user is logged in.

It could be simplified though:

    sub login : Local {
        my ( $self, $c ) = @_;

        if ( $c->login ) {
            ...
        }
    }

Since the C<login> method knows how to find logically named parameters on its
own.

The credential verifier will ask the default store to get the user whose ID is
the user parameter. In this case the default store is the htpasswd one. Once it
fetches the user from the store the password is checked and if it's OK
C<< $c->user >> will contain the user object returned from the htpasswd store.

We can also pass a user object to the credential verifier manually, if we have
several stores per app. This is discussed in
L<Catalyst::Plugin::Authentication::Store>.

Now imagine each admin user has a comment set in the htpasswd file saying
"admin".

A restricted action might look like this:

    sub restricted : Local {
        my ( $self, $c ) = @_;

        $c->detach("unauthorized")
          unless $c->user_exists
          and $c->user->extra_info() eq "admin";

        # do something restricted here
    }

This is somewhat similar to role based access control.
L<Catalyst::Plugin::Authentication::Store::Htpasswd> treats the extra info
field as a comma separated list of roles if it's treated that way. Let's
leverage this. Add the role authorization plugin:

    use Catalyst qw/
        ...
        Authorization::Roles
    /;

    sub restricted : Local {
        my ( $self, $c ) = @_;

        $c->detach("unauthorized") unless $c->check_roles("admin");

        # do something restricted here
    }

This is somewhat simpler and will work if you change your store, too, since the
role interface is consistent.

Let's say your app grew, and you now have 10000 users. It's no longer efficient
to maintain an htpasswd file, so you move this data to a database.

    use Catalyst qw/
        Authentication
        Authentication::Credential::Password
        Authentication::Store::DBIC
        Authorization::Roles
    /;

    __PACKAGE__->config->{authentication}{dbic} = ...; # see the DBIC store docs

The rest of your code should be unchanged. Now let's say you are integrating
typekey authentication to your system. For simplicity's sake we'll assume that
the user's are still keyed in the same way.

    use Catalyst qw/
        Authentication
        Authentication::Credential::Password
        Authentication::Credential::TypeKey
        Authentication::Store::DBIC
        Authorization::Roles
    /;

And in your auth controller add a new action:

    sub typekey : Local {
        my ( $self, $c ) = @_;

        if ( $c->authenticate_typekey) { # uses $c->req and Authen::TypeKey
            # same stuff as the $c->login method
            # ...
        }
    }

You've now added a new credential verification mechanizm orthogonally to the
other components. All you have to do is make sure that the credential verifiers
pass on the same types of parameters to the store in order to retrieve user
objects.

=head1 METHODS

=over 4 

=item user

Returns the currently logged in user or undef if there is none.

=item user_exists

Whether or not a user is logged in right now.

The reason this method exists is that C<< $c->user >> may needlessly load the
user from the auth store.

If you're just going to say

	if ( $c->user_exists ) {
		# foo
	} else {
		$c->forward("login");
	}

it should be more efficient than C<< $c->user >> when a user is marked in the
session but C<< $c->user >> hasn't been called yet.

=item logout

Delete the currently logged in user from C<user> and the session.

=item get_user $uid

Fetch a particular users details, defined by the given ID, via the default store.

=back

=head1 CONFIGURATION

=over 4

=item use_session

Whether or not to store the user's logged in state in the session, if the
application is also using the L<Catalyst::Plugin::Session> plugin. This 
value is set to true per default.

=item store

If multiple stores are being used, set the module you want as default here.

=item stores

If multiple stores are being used, you need to provide a name for each store
here, as a hash, the keys are the names you wish to use, and the values are
the the names of the plugins.

 # example
 __PACKAGE__->config( authentication => {
                        store => 'Catalyst::Plugin::Authentication::Store::HtPasswd',
                        stores => { 
                           'dbic' => 'Catalyst::Plugin::Authentication::Store::DBIC'
                                  }
                                         });

=back

=head1 METHODS FOR STORE MANAGEMENT

=over 4

=item default_auth_store

Return the store whose name is 'default'.

This is set to C<< $c->config->{authentication}{store} >> if that value exists,
or by using a Store plugin:

	use Catalyst qw/Authentication Authentication::Store::Minimal/;

Sets the default store to
L<Catalyst::Plugin::Authentication::Store::Minimal::Backend>.


=item get_auth_store $name

Return the store whose name is $name.

=item get_auth_store_name $store

Return the name of the store $store.

=item auth_stores

A hash keyed by name, with the stores registered in the app.

=item auth_store_names

A ref-hash keyed by store, which contains the names of the stores.

=item register_auth_stores %stores_by_name

Register stores into the application.

=back

=head1 INTERNAL METHODS

=over 4

=item set_authenticated $user

Marks a user as authenticated. Should be called from a
C<Catalyst::Plugin::Authentication::Credential> plugin after successful
authentication.

This involves setting C<user> and the internal data in C<session> if
L<Catalyst::Plugin::Session> is loaded.

=item auth_restore_user $user

Used to restore a user from the session, by C<user> only when it's actually
needed.

=item save_user_in_session $user

Used to save the user in a session.

=item prepare

Revives a user from the session object if there is one.

=item setup

Sets the default configuration parameters.

=item 

=back

=head1 SEE ALSO

This list might not be up to date.

=head2 User Storage Backends

L<Catalyst::Plugin::Authentication::Store::Minimal>,
L<Catalyst::Plugin::Authentication::Store::Htpasswd>,
L<Catalyst::Plugin::Authentication::Store::DBIC> (also works with Class::DBI).

=head2 Credential verification

L<Catalyst::Plugin::Authentication::Credential::Password>,
L<Catalyst::Plugin::Authentication::Credential::HTTP>,
L<Catalyst::Plugin::Authentication::Credential::TypeKey>

=head2 Authorization

L<Catalyst::Plugin::Authorization::ACL>,
L<Catalyst::Plugin::Authorization::Roles>

=head2 Internals Documentation

L<Catalyst::Plugin::Authentication::Store>

=head2 Misc

L<Catalyst::Plugin::Session>,
L<Catalyst::Plugin::Session::PerUser>

=head1 DON'T SEE ALSO

This module along with its sub plugins deprecate a great number of other
modules. These include L<Catalyst::Plugin::Authentication::Simple>,
L<Catalyst::Plugin::Authentication::CDBI>.

At the time of writing these plugins have not yet been replaced or updated, but
should be eventually: L<Catalyst::Plugin::Authentication::OpenID>,
L<Catalyst::Plugin::Authentication::LDAP>,
L<Catalyst::Plugin::Authentication::CDBI::Basic>,
L<Catalyst::Plugin::Authentication::Basic::Remote>.

=head1 AUTHORS

Yuval Kogman, C<nothingmuch@woobling.org>

Jess Robinson

David Kamholz

=head1 COPYRIGHT & LICENSE

        Copyright (c) 2005 the aforementioned authors. All rights
        reserved. This program is free software; you can redistribute
        it and/or modify it under the same terms as Perl itself.

=cut
Commit	Line	Data
07e49bc7	1	#!/usr/bin/perl
	2
	3	package Catalyst::Plugin::Authentication;
	4
dde93f12	5	use base qw/Class::Accessor::Fast Class::Data::Inheritable/;
07e49bc7	6
dde93f12	7	BEGIN {
2e3b369c	8	__PACKAGE__->mk_accessors(qw/_user/);
8b52f75e	9	__PACKAGE__->mk_classdata($_) for qw/_auth_stores _auth_store_names/;
dde93f12	10	}
07e49bc7	11
	12	use strict;
	13	use warnings;
	14
8b52f75e	15	use Tie::RefHash;
f2fee7ad	16	use Class::Inspector;
8b52f75e	17
7605d422	18	# this optimization breaks under Template::Toolkit
7605d422	19	# use user_exists instead
c8c961f5	20	#BEGIN {
	21	# require constant;
	22	# constant->import(have_want => eval { require Want });
	23	#}
816e5745	24
b42497b3	25	our $VERSION = "0.08";
49bd39d0	26
07e49bc7	27	sub set_authenticated {
	28	my ( $c, $user ) = @_;
	29
	30	$c->user($user);
f0348b1d	31	$c->request->{user} = $user; # compatibility kludge
07e49bc7	32
07e49bc7	33	if ( $c->isa("Catalyst::Plugin::Session")
8b52f75e	34	and $c->config->{authentication}{use_session}
f2fee7ad	35	and $user->supports("session") )
07e49bc7	36	{
f2fee7ad	37	$c->save_user_in_session($user);
07e49bc7	38	}
033d2c24	39
b260654c	40	$c->NEXT::set_authenticated($user);
07e49bc7	41	}
07e49bc7	42
2e3b369c	43	sub user {
f0348b1d	44	my $c = shift;
2e3b369c	45
f0348b1d	46	if (@_) {
	47	return $c->_user(@_);
	48	}
2e3b369c	49
58009177	50	if ( defined(my $user = $c->_user) ) {
	51	return $user;
	52	} else {
30d5659d	53	my $frozen = $c->_user_in_session;
58009177	54	return $c->auth_restore_user($frozen);
f0348b1d	55	}
2e3b369c	56	}
2e3b369c	57
1a2be169	58	sub user_exists {
1a2be169	59	my $c = shift;
30d5659d	60	return defined($c->_user) \|\| defined($c->_user_in_session);
58009177	61	}
	62
	63	sub _user_in_session {
	64	my $c = shift;
	65
ee76cbfe	66	if ( $c->isa("Catalyst::Plugin::Session") and $c->session_is_valid ) {
ee76cbfe	67	return $c->session->{__user};
58009177	68	}
	69
	70	return;
1a2be169	71	}
1a2be169	72
f2fee7ad	73	sub save_user_in_session {
f0348b1d	74	my ( $c, $user ) = @_;
f2fee7ad	75
	76	my $store = $user->store \|\| ref $user;
	77	$c->session->{__user_store} = $c->get_auth_store_name($store) \|\| $store;
	78	$c->session->{__user} = $user->for_session;
	79	}
	80
07e49bc7	81	sub logout {
	82	my $c = shift;
	83
	84	$c->user(undef);
dde93f12	85
	86	if ( $c->isa("Catalyst::Plugin::Session")
	87	and $c->config->{authentication}{use_session} )
	88	{
8b52f75e	89	delete @{ $c->session }{qw/__user __user_store/};
dde93f12	90	}
49df63da	91
49df63da	92	$c->NEXT::logout(@_);
07e49bc7	93	}
07e49bc7	94
5435c348	95	sub get_user {
56716182	96	my ( $c, $uid, @rest ) = @_;
5435c348	97
5435c348	98	if ( my $store = $c->default_auth_store ) {
56716182	99	return $store->get_user( $uid, @rest );
5435c348	100	}
	101	else {
	102	Catalyst::Exception->throw(
	103	"The user id $uid was passed to an authentication "
	104	. "plugin, but no default store was specified" );
	105	}
	106	}
	107
2e3b369c	108	sub auth_restore_user {
f0348b1d	109	my ( $c, $frozen_user, $store_name ) = @_;
2e3b369c	110
b260654c	111	return
7800e80c	112	unless $c->isa("Catalyst::Plugin::Session")
b260654c	113	and $c->config->{authentication}{use_session}
b260654c	114	and $c->sessionid;
b7a0db6d	115
f0348b1d	116	$store_name \|\|= $c->session->{__user_store};
f0348b1d	117	$frozen_user \|\|= $c->session->{__user};
2e3b369c	118
f0348b1d	119	my $store = $c->get_auth_store($store_name);
f0348b1d	120	$c->_user( my $user = $store->from_session( $c, $frozen_user ) );
2e3b369c	121
f0348b1d	122	return $user;
2e3b369c	123
	124	}
	125
07e49bc7	126	sub setup {
	127	my $c = shift;
	128
bfeb91b4	129	my $cfg = $c->config->{authentication} \|\| {};
07e49bc7	130
	131	%$cfg = (
	132	use_session => 1,
	133	%$cfg,
	134	);
dde93f12	135
f2fee7ad	136	$c->register_auth_stores(
	137	default => $cfg->{store},
	138	%{ $cfg->{stores} \|\| {} },
	139	);
8b52f75e	140
dde93f12	141	$c->NEXT::setup(@_);
07e49bc7	142	}
07e49bc7	143
8b52f75e	144	sub get_auth_store {
f2fee7ad	145	my ( $self, $name ) = @_;
f2fee7ad	146	$self->auth_stores->{$name} \|\| ( Class::Inspector->loaded($name) && $name );
8b52f75e	147	}
	148
	149	sub get_auth_store_name {
f2fee7ad	150	my ( $self, $store ) = @_;
f2fee7ad	151	$self->auth_store_names->{$store};
8b52f75e	152	}
	153
	154	sub register_auth_stores {
f2fee7ad	155	my ( $self, %new ) = @_;
8b52f75e	156
f2fee7ad	157	foreach my $name ( keys %new ) {
	158	my $store = $new{$name} or next;
	159	$self->auth_stores->{$name} = $store;
	160	$self->auth_store_names->{$store} = $name;
	161	}
8b52f75e	162	}
	163
	164	sub auth_stores {
f2fee7ad	165	my $self = shift;
f2fee7ad	166	$self->_auth_stores(@_) \|\| $self->_auth_stores( {} );
8b52f75e	167	}
	168
	169	sub auth_store_names {
f2fee7ad	170	my $self = shift;
8b52f75e	171
b7a0db6d	172	$self->_auth_store_names \|\| do {
f2fee7ad	173	tie my %hash, 'Tie::RefHash';
f2fee7ad	174	$self->_auth_store_names( \%hash );
b260654c	175	}
8b52f75e	176	}
	177
	178	sub default_auth_store {
f2fee7ad	179	my $self = shift;
8b52f75e	180
f2fee7ad	181	if ( my $new = shift ) {
	182	$self->register_auth_stores( default => $new );
	183	}
8b52f75e	184
f2fee7ad	185	$self->get_auth_store("default");
8b52f75e	186	}
8b52f75e	187
07e49bc7	188	__PACKAGE__;
	189
	190	__END__
	191
	192	=pod
	193
	194	=head1 NAME
	195
033d2c24	196	Catalyst::Plugin::Authentication - Infrastructure plugin for the Catalyst
033d2c24	197	authentication framework.
07e49bc7	198
	199	=head1 SYNOPSIS
	200
18a3c897	201	use Catalyst qw/
	202	Authentication
	203	Authentication::Store::Foo
	204	Authentication::Credential::Password
	205	/;
	206
	207	# later on ...
	208	# ->login is provided by the Credential::Password module
	209	$c->login('myusername', 'mypassword');
	210	my $age = $c->user->age;
	211	$c->logout;
07e49bc7	212
	213	=head1 DESCRIPTION
	214
14929a35	215	The authentication plugin provides generic user support. It is the basis
	216	for both authentication (checking the user is who they claim to be), and
	217	authorization (allowing the user to do what the system authorises them to do).
07e49bc7	218
14929a35	219	Using authentication is split into two parts. A Store is used to actually
	220	store the user information, and can store any amount of data related to
	221	the user. Multiple stores can be accessed from within one application.
	222	Credentials are used to verify users, using the store, given data from
	223	the frontend.
18a3c897	224
f0f9cd72	225	To implement authentication in a Catalyst application you need to add this
14929a35	226	module, plus at least one store and one credential module.
18a3c897	227
14929a35	228	Authentication data can also be stored in a session, if the application
14929a35	229	is using the L<Catalyst::Plugin::Session> module.
07e49bc7	230
e5108df9	231	=head1 INTRODUCTION
	232
	233	=head2 The Authentication/Authorization Process
	234
	235	Web applications typically need to identify a user - to tell the user apart
	236	from other users. This is usually done in order to display private information
	237	that is only that user's business, or to limit access to the application so
	238	that only certain entities can access certain parts.
	239
	240	This process is split up into several steps. First you ask the user to identify
	241	themselves. At this point you can't be sure that the user is really who they
	242	claim to be.
	243
f0f9cd72	244	Then the user tells you who they are, and backs this claim with some piece of
e5108df9	245	information that only the real user could give you. For example, a password is
	246	a secret that is known to both the user and you. When the user tells you this
	247	password you can assume they're in on the secret and can be trusted (ignore
	248	identity theft for now). Checking the password, or any other proof is called
	249	B<credential verification>.
	250
	251	By this time you know exactly who the user is - the user's identity is
	252	B<authenticated>. This is where this module's job stops, and other plugins step
	253	in. The next logical step is B<authorization>, the process of deciding what a
	254	user is (or isn't) allowed to do. For example, say your users are split into
	255	two main groups - regular users and administrators. You should verify that the
	256	currently logged in user is indeed an administrator before performing the
f0f9cd72	257	actions of an administrative part of your application. One way to do this is
e5108df9	258	with role based access control.
	259
	260	=head2 The Components In This Framework
	261
	262	=head3 Credential Verifiers
	263
	264	When user input is transferred to the L<Catalyst> application (typically via
	265	form inputs) this data then enters the authentication framework through these
	266	plugins.
	267
	268	These plugins check the data, and ensure that it really proves the user is who
	269	they claim to be.
	270
	271	=head3 Storage Backends
	272
	273	The credentials also identify a user, and this family of modules is supposed to
	274	take this identification data and return a standardized object oriented
	275	representation of users.
	276
	277	When a user is retrieved from a store it is not necessarily authenticated.
	278	Credential verifiers can either accept a user object, or fetch the object
	279	themselves from the default store.
	280
	281	=head3 The Core Plugin
	282
f0f9cd72	283	This plugin on its own is the glue, providing store registration, session
e5108df9	284	integration, and other goodness for the other plugins.
	285
	286	=head3 Other Plugins
	287
	288	More layers of plugins can be stacked on top of the authentication code. For
	289	example, L<Catalyst::Plugin::Session::PerUser> provides an abstraction of
	290	browser sessions that is more persistent per users.
	291	L<Catalyst::Plugin::Authorization::Roles> provides an accepted way to separate
	292	and group users into categories, and then check which categories the current
	293	user belongs to.
	294
caae740f	295	=head1 EXAMPLE
caae740f	296
f0f9cd72	297	Let's say we were storing users in an Apache style htpasswd file. Users are
	298	stored in that file, with a hashed password and some extra comments. Users are
	299	verified by supplying a password which is matched with the file.
caae740f	300
	301	This means that our application will begin like this:
	302
	303	package MyApp;
	304
	305	use Catalyst qw/
	306	Authentication
	307	Authentication::Credential::Password
	308	Authentication::Store::Htpasswd
	309	/;
	310
	311	__PACKAGE__->config->{authentication}{htpasswd} = "passwdfile";
	312
	313	This loads the appropriate methods and also sets the htpasswd store as the
	314	default store.
	315
	316	So, now that we have the code loaded we need to get data from the user into the
	317	credential verifier.
	318
	319	Let's create an authentication controller:
	320
	321	package MyApp::Controller::Auth;
	322
	323	sub login : Local {
	324	my ( $self, $c ) = @_;
	325
	326	if ( my $user = $c->req->param("user")
	327	and my $password = $c->req->param("password") )
	328	{
	329	if ( $c->login( $user, $password ) ) {
	330	$c->res->body( "hello " . $c->user->name );
	331	} else {
	332	# login incorrect
	333	}
	334	}
	335	else {
	336	# invalid form input
	337	}
	338	}
	339
	340	This code should be very readable. If all the necessary fields are supplied,
	341	call the L<Authentication::Credential::Password/login> method on the
	342	controller. If that succeeds the user is logged in.
	343
	344	It could be simplified though:
	345
	346	sub login : Local {
	347	my ( $self, $c ) = @_;
	348
	349	if ( $c->login ) {
	350	...
	351	}
	352	}
	353
0a630893	354	Since the C<login> method knows how to find logically named parameters on its
caae740f	355	own.
	356
	357	The credential verifier will ask the default store to get the user whose ID is
	358	the user parameter. In this case the default store is the htpasswd one. Once it
	359	fetches the user from the store the password is checked and if it's OK
	360	C<< $c->user >> will contain the user object returned from the htpasswd store.
	361
	362	We can also pass a user object to the credential verifier manually, if we have
	363	several stores per app. This is discussed in
	364	L<Catalyst::Plugin::Authentication::Store>.
	365
	366	Now imagine each admin user has a comment set in the htpasswd file saying
	367	"admin".
	368
	369	A restricted action might look like this:
	370
	371	sub restricted : Local {
	372	my ( $self, $c ) = @_;
	373
	374	$c->detach("unauthorized")
	375	unless $c->user_exists
	376	and $c->user->extra_info() eq "admin";
	377
	378	# do something restricted here
	379	}
	380
	381	This is somewhat similar to role based access control.
	382	L<Catalyst::Plugin::Authentication::Store::Htpasswd> treats the extra info
	383	field as a comma separated list of roles if it's treated that way. Let's
	384	leverage this. Add the role authorization plugin:
	385
	386	use Catalyst qw/
	387	...
	388	Authorization::Roles
	389	/;
	390
	391	sub restricted : Local {
	392	my ( $self, $c ) = @_;
	393
e96086b6	394	$c->detach("unauthorized") unless $c->check_roles("admin");
caae740f	395
	396	# do something restricted here
	397	}
	398
	399	This is somewhat simpler and will work if you change your store, too, since the
	400	role interface is consistent.
	401
	402	Let's say your app grew, and you now have 10000 users. It's no longer efficient
	403	to maintain an htpasswd file, so you move this data to a database.
	404
	405	use Catalyst qw/
	406	Authentication
	407	Authentication::Credential::Password
	408	Authentication::Store::DBIC
	409	Authorization::Roles
	410	/;
	411
	412	__PACKAGE__->config->{authentication}{dbic} = ...; # see the DBIC store docs
	413
	414	The rest of your code should be unchanged. Now let's say you are integrating
	415	typekey authentication to your system. For simplicity's sake we'll assume that
	416	the user's are still keyed in the same way.
	417
	418	use Catalyst qw/
	419	Authentication
	420	Authentication::Credential::Password
	421	Authentication::Credential::TypeKey
	422	Authentication::Store::DBIC
	423	Authorization::Roles
	424	/;
	425
	426	And in your auth controller add a new action:
	427
	428	sub typekey : Local {
	429	my ( $self, $c ) = @_;
	430
	431	if ( $c->authenticate_typekey) { # uses $c->req and Authen::TypeKey
	432	# same stuff as the $c->login method
	433	# ...
	434	}
	435	}
	436
	437	You've now added a new credential verification mechanizm orthogonally to the
	438	other components. All you have to do is make sure that the credential verifiers
	439	pass on the same types of parameters to the store in order to retrieve user
	440	objects.
	441
07e49bc7	442	=head1 METHODS
	443
	444	=over 4
	445
07e49bc7	446	=item user
07e49bc7	447
18a3c897	448	Returns the currently logged in user or undef if there is none.
07e49bc7	449
1a2be169	450	=item user_exists
	451
	452	Whether or not a user is logged in right now.
	453
4bc70618	454	The reason this method exists is that C<< $c->user >> may needlessly load the
1a2be169	455	user from the auth store.
	456
	457	If you're just going to say
	458
8f8b56b6	459	if ( $c->user_exists ) {
1a2be169	460	# foo
	461	} else {
	462	$c->forward("login");
	463	}
	464
8f8b56b6	465	it should be more efficient than C<< $c->user >> when a user is marked in the
8f8b56b6	466	session but C<< $c->user >> hasn't been called yet.
1a2be169	467
b7a0db6d	468	=item logout
	469
	470	Delete the currently logged in user from C<user> and the session.
	471
5435c348	472	=item get_user $uid
5435c348	473
18a3c897	474	Fetch a particular users details, defined by the given ID, via the default store.
	475
	476	=back
	477
	478	=head1 CONFIGURATION
	479
	480	=over 4
	481
	482	=item use_session
	483
	484	Whether or not to store the user's logged in state in the session, if the
14929a35	485	application is also using the L<Catalyst::Plugin::Session> plugin. This
	486	value is set to true per default.
	487
	488	=item store
	489
d61933f6	490	If multiple stores are being used, set the module you want as default here.
5435c348	491
d61933f6	492	=item stores
	493
	494	If multiple stores are being used, you need to provide a name for each store
	495	here, as a hash, the keys are the names you wish to use, and the values are
	496	the the names of the plugins.
	497
	498	# example
	499	__PACKAGE__->config( authentication => {
	500	store => 'Catalyst::Plugin::Authentication::Store::HtPasswd',
	501	stores => {
	502	'dbic' => 'Catalyst::Plugin::Authentication::Store::DBIC'
	503	}
	504	});
	505
51111c81	506	=back
d61933f6	507
b260654c	508	=head1 METHODS FOR STORE MANAGEMENT
b260654c	509
b12e226d	510	=over 4
b12e226d	511
5435c348	512	=item default_auth_store
5435c348	513
b260654c	514	Return the store whose name is 'default'.
5435c348	515
18a3c897	516	This is set to C<< $c->config->{authentication}{store} >> if that value exists,
b260654c	517	or by using a Store plugin:
	518
	519	use Catalyst qw/Authentication Authentication::Store::Minimal/;
	520
	521	Sets the default store to
	522	L<Catalyst::Plugin::Authentication::Store::Minimal::Backend>.
	523
816e5745	524
b260654c	525	=item get_auth_store $name
	526
	527	Return the store whose name is $name.
	528
	529	=item get_auth_store_name $store
	530
	531	Return the name of the store $store.
	532
	533	=item auth_stores
	534
	535	A hash keyed by name, with the stores registered in the app.
	536
	537	=item auth_store_names
	538
	539	A ref-hash keyed by store, which contains the names of the stores.
	540
	541	=item register_auth_stores %stores_by_name
	542
	543	Register stores into the application.
07e49bc7	544
b12e226d	545	=back
b12e226d	546
07e49bc7	547	=head1 INTERNAL METHODS
	548
	549	=over 4
	550
	551	=item set_authenticated $user
	552
	553	Marks a user as authenticated. Should be called from a
	554	C<Catalyst::Plugin::Authentication::Credential> plugin after successful
	555	authentication.
	556
	557	This involves setting C<user> and the internal data in C<session> if
	558	L<Catalyst::Plugin::Session> is loaded.
	559
f0348b1d	560	=item auth_restore_user $user
	561
	562	Used to restore a user from the session, by C<user> only when it's actually
	563	needed.
	564
	565	=item save_user_in_session $user
	566
	567	Used to save the user in a session.
	568
07e49bc7	569	=item prepare
	570
	571	Revives a user from the session object if there is one.
	572
	573	=item setup
	574
	575	Sets the default configuration parameters.
	576
	577	=item
	578
	579	=back
	580
36fba990	581	=head1 SEE ALSO
36fba990	582
e5108df9	583	This list might not be up to date.
	584
	585	=head2 User Storage Backends
	586
36fba990	587	L<Catalyst::Plugin::Authentication::Store::Minimal>,
e5108df9	588	L<Catalyst::Plugin::Authentication::Store::Htpasswd>,
	589	L<Catalyst::Plugin::Authentication::Store::DBIC> (also works with Class::DBI).
	590
	591	=head2 Credential verification
	592
	593	L<Catalyst::Plugin::Authentication::Credential::Password>,
	594	L<Catalyst::Plugin::Authentication::Credential::HTTP>,
	595	L<Catalyst::Plugin::Authentication::Credential::TypeKey>
	596
	597	=head2 Authorization
	598
36fba990	599	L<Catalyst::Plugin::Authorization::ACL>,
e5108df9	600	L<Catalyst::Plugin::Authorization::Roles>
e5108df9	601
caae740f	602	=head2 Internals Documentation
	603
	604	L<Catalyst::Plugin::Authentication::Store>
	605
e5108df9	606	=head2 Misc
	607
	608	L<Catalyst::Plugin::Session>,
	609	L<Catalyst::Plugin::Session::PerUser>
36fba990	610
d304b38a	611	=head1 DON'T SEE ALSO
d304b38a	612
1db33018	613	This module along with its sub plugins deprecate a great number of other
	614	modules. These include L<Catalyst::Plugin::Authentication::Simple>,
	615	L<Catalyst::Plugin::Authentication::CDBI>.
d304b38a	616
d304b38a	617	At the time of writing these plugins have not yet been replaced or updated, but
1db33018	618	should be eventually: L<Catalyst::Plugin::Authentication::OpenID>,
	619	L<Catalyst::Plugin::Authentication::LDAP>,
	620	L<Catalyst::Plugin::Authentication::CDBI::Basic>,
	621	L<Catalyst::Plugin::Authentication::Basic::Remote>.
d304b38a	622
51111c81	623	=head1 AUTHORS
36fba990	624
36fba990	625	Yuval Kogman, C<nothingmuch@woobling.org>
51111c81	626
7d4c2ed8	627	Jess Robinson
51111c81	628
7d4c2ed8	629	David Kamholz
07e49bc7	630
8f86f029	631	=head1 COPYRIGHT & LICENSE
36fba990	632
	633	Copyright (c) 2005 the aforementioned authors. All rights
	634	reserved. This program is free software; you can redistribute
	635	it and/or modify it under the same terms as Perl itself.
	636
	637	=cut
07e49bc7	638