1 package Catalyst::Authentication::Credential::Password;
6 use base qw/Class::Accessor::Fast/;
9 use Catalyst::Exception ();
13 __PACKAGE__->mk_accessors(qw/_config realm/);
17 my ($class, $config, $app, $realm) = @_;
19 my $self = { _config => $config };
24 $self->_config->{'password_field'} ||= 'password';
25 $self->_config->{'password_type'} ||= 'clear';
26 $self->_config->{'password_hash_type'} ||= 'SHA-1';
28 my $passwordtype = $self->_config->{'password_type'};
29 if (!grep /$passwordtype/, ('none', 'clear', 'hashed', 'salted_hash', 'crypted', 'self_check')) {
30 Catalyst::Exception->throw(__PACKAGE__ . " used with unsupported password type: " . $self->_config->{'password_type'});
36 my ( $self, $c, $realm, $authinfo ) = @_;
38 ## because passwords may be in a hashed format, we have to make sure that we remove the
39 ## password_field before we pass it to the user routine, as some auth modules use
40 ## all data passed to them to find a matching user...
41 my $userfindauthinfo = {%{$authinfo}};
42 delete($userfindauthinfo->{$self->_config->{'password_field'}});
44 my $user_obj = $realm->find_user($userfindauthinfo, $c);
46 if ($self->check_password($user_obj, $authinfo)) {
50 $c->log->debug("Unable to locate user matching user info provided") if $c->debug;
56 my ( $self, $user, $authinfo ) = @_;
58 if ($self->_config->{'password_type'} eq 'self_check') {
59 return $user->check_password($authinfo->{$self->_config->{'password_field'}});
61 my $password = $authinfo->{$self->_config->{'password_field'}};
62 my $storedpassword = $user->get($self->_config->{'password_field'});
64 if ($self->_config->{'password_type'} eq 'none') {
66 } elsif ($self->_config->{'password_type'} eq 'clear') {
67 return $password eq $storedpassword;
68 } elsif ($self->_config->{'password_type'} eq 'crypted') {
69 return $storedpassword eq crypt( $password, $storedpassword );
70 } elsif ($self->_config->{'password_type'} eq 'salted_hash') {
71 require Crypt::SaltedHash;
72 my $salt_len = $self->_config->{'password_salt_len'} ? $self->_config->{'password_salt_len'} : 0;
73 return Crypt::SaltedHash->validate( $storedpassword, $password,
75 } elsif ($self->_config->{'password_type'} eq 'hashed') {
77 my $d = Digest->new( $self->_config->{'password_hash_type'} );
78 $d->add( $self->_config->{'password_pre_salt'} || '' );
80 $d->add( $self->_config->{'password_post_salt'} || '' );
82 my $computed = $d->clone()->digest;
83 my $b64computed = $d->clone()->b64digest;
84 return ( ( $computed eq $storedpassword )
85 || ( unpack( "H*", $computed ) eq $storedpassword )
86 || ( $b64computed eq $storedpassword)
87 || ( $b64computed.'=' eq $storedpassword) );
92 ## BACKWARDS COMPATIBILITY - all subs below here are deprecated
93 ## They are here for compatibility with older modules that use / inherit from C::P::A::Password
94 ## login()'s existance relies rather heavily on the fact that only Credential::Password
95 ## is being used as a credential. This may not be the case. This is only here
96 ## for backward compatibility. It will go away in a future version
97 ## login should not be used in new applications.
100 my ( $c, $user, $password, @rest ) = @_;
105 $user = $c->request->param("login")
106 || $c->request->param("user")
107 || $c->request->param("username")
110 "Can't login a user without a user object or user ID param")
118 $password = $c->request->param("password")
119 || $c->request->param("passwd")
120 || $c->request->param("pass")
122 $c->log->debug("Can't login a user without a password")
127 unless ( Scalar::Util::blessed($user)
128 and $user->isa("Catalyst::Authentication::User") )
130 if ( my $user_obj = $c->get_user( $user, $password, @rest ) ) {
134 $c->log->debug("User '$user' doesn't exist in the default store")
140 if ( $c->_check_password( $user, $password ) ) {
141 $c->set_authenticated($user);
142 $c->log->debug("Successfully authenticated user '$user'.")
148 "Failed to authenticate user '$user'. Reason: 'Incorrect password'")
155 ## also deprecated. Here for compatibility with older credentials which do not inherit from C::P::A::Password
156 sub _check_password {
157 my ( $c, $user, $password ) = @_;
159 if ( $user->supports(qw/password clear/) ) {
160 return $user->password eq $password;
162 elsif ( $user->supports(qw/password crypted/) ) {
163 my $crypted = $user->crypted_password;
164 return $crypted eq crypt( $password, $crypted );
166 elsif ( $user->supports(qw/password hashed/) ) {
168 my $d = Digest->new( $user->hash_algorithm );
169 $d->add( $user->password_pre_salt || '' );
171 $d->add( $user->password_post_salt || '' );
173 my $stored = $user->hashed_password;
174 my $computed = $d->clone()->digest;
175 my $b64computed = $d->clone()->b64digest;
177 return ( ( $computed eq $stored )
178 || ( unpack( "H*", $computed ) eq $stored )
179 || ( $b64computed eq $stored)
180 || ( $b64computed.'=' eq $stored) );
182 elsif ( $user->supports(qw/password salted_hash/) ) {
183 require Crypt::SaltedHash;
186 $user->can("password_salt_len") ? $user->password_salt_len : 0;
188 return Crypt::SaltedHash->validate( $user->hashed_password, $password,
191 elsif ( $user->supports(qw/password self_check/) ) {
193 # while somewhat silly, this is to prevent code duplication
194 return $user->check_password($password);
198 Catalyst::Exception->throw(
199 "The user object $user does not support any "
200 . "known password authentication mechanism." );
212 Catalyst::Authentication::Credential::Password - Authenticate a user
221 package MyApp::Controller::Auth;
224 my ( $self, $c ) = @_;
226 $c->authenticate( { username => $c->req->param('username'),
227 password => $c->req->param('password') });
232 This authentication credential checker takes authentication information
233 (most often a username) and a password, and attempts to validate the password
234 provided against the user retrieved from the store.
239 __PACKAGE__->config->{'Plugin::Authentication'} =
241 default_realm => 'members',
247 password_field => 'password',
248 password_type => 'hashed',
249 password_hash_type => 'SHA-1'
254 The password module is capable of working with several different password
255 encryption/hashing algorithms. The one the module uses is determined by the
256 credential configuration.
258 Those who have used L<Catalyst::Plugin::Authentication> prior to the 0.10 release
259 should note that the password field and type information is no longer part
260 of the store configuration and is now part of the Password credential configuration.
266 The classname used for Credential. This is part of
267 L<Catalyst::Plugin::Authentication> and is the method by which
268 Catalyst::Authentication::Credential::Password is loaded as the
269 credential validator. For this module to be used, this must be set to
274 The field in the user object that contains the password. This will vary
275 depending on the storage class used, but is most likely something like
276 'password'. In fact, this is so common that if this is left out of the config,
277 it defaults to 'password'. This field is obtained from the user object using
278 the get() method. Essentially: $user->get('passwordfieldname');
279 B<NOTE> If the password_field is something other than 'password', you must
280 be sure to use that same field name when calling $c->authenticate().
284 This sets the password type. Often passwords are stored in crypted or hashed
285 formats. In order for the password module to verify the plaintext password
286 passed in, it must be told what format the password will be in when it is retreived
287 from the user object. The supported options are:
293 No password check is done. An attempt is made to retrieve the user based on
294 the information provided in the $c->authenticate() call. If a user is found,
295 authentication is considered to be successful.
299 The password in user is in clear text and will be compared directly.
303 This option indicates that the password should be passed to the check_password()
304 routine on the user object returned from the store.
308 The password in user is in UNIX crypt hashed format.
312 The password in user is in salted hash format, and will be validated
313 using L<Crypt::SaltedHash>. If this password type is selected, you should
314 also provide the B<password_salt_len> config element to define the salt length.
318 If the user object supports hashed passwords, they will be used in conjunction
319 with L<Digest>. The following config elements affect the hashed configuration:
323 =item password_hash_type
325 The hash type used, passed directly to L<Digest/new>.
327 =item password_pre_salt
329 Any pre-salt data to be passed to L<Digest/add> before processing the password.
331 =item password_post_salt
333 Any post-salt data to be passed to L<Digest/add> after processing the password.
343 The Password credential module is very simple to use. Once configured as
344 indicated above, authenticating using this module is simply a matter of
345 calling $c->authenticate() with an authinfo hashref that includes the
346 B<password> element. The password element should contain the password supplied
347 by the user to be authenticated, in clear text. The other information supplied
348 in the auth hash is ignored by the Password module, and simply passed to the
349 auth store to be used to retrieve the user. An example call follows:
351 if ($c->authenticate({ username => $username,
352 password => $password} )) {
353 # authentication successful
355 # authentication failed
360 There are no publicly exported routines in the Password module (or indeed in
361 most credential modules.) However, below is a description of the routines
362 required by L<Catalyst::Plugin::Authentication> for all credential modules.
364 =head2 new( $config, $app, $realm )
366 Instantiate a new Password object using the configuration hash provided in
367 $config. A reference to the application is provided as the second argument.
368 Note to credential module authors: new() is called during the application's
369 plugin setup phase, which is before the application specific controllers are
370 loaded. The practical upshot of this is that things like $c->model(...) will
371 not function as expected.
373 =head2 authenticate( $authinfo, $c )
375 Try to log a user in, receives a hashref containing authentication information
376 as the first argument, and the current context as the second.
378 =head2 check_password( )