3 package Catalyst::Plugin::Authentication::Credential::Password;
9 use Catalyst::Exception ();
13 my ( $c, $user, $password, @rest ) = @_;
16 unless ( $user ||= $_->param("login")
18 || $_->param("username") )
21 "Can't login a user without a user object or user ID param")
26 unless ( $password ||= $_->param("password")
27 || $_->param("passwd")
28 || $_->param("pass") )
30 $c->log->debug("Can't login a user without a password")
36 unless ( Scalar::Util::blessed($user)
37 and $user->isa("Catalyst::Plugin::Authentication::User") )
39 if ( my $user_obj = $c->get_user( $user, $password, @rest ) ) {
43 $c->log->debug("User '$user' doesn't exist in the default store")
49 if ( $c->_check_password( $user, $password ) ) {
50 $c->set_authenticated($user);
51 $c->log->debug("Successfully authenticated user '$user'.")
57 "Failed to authenticate user '$user'. Reason: 'Incorrect password'")
64 my ( $c, $user, $password ) = @_;
66 if ( $user->supports(qw/password clear/) ) {
67 return $user->password eq $password;
69 elsif ( $user->supports(qw/password crypted/) ) {
70 my $crypted = $user->crypted_password;
71 return $crypted eq crypt( $password, $crypted );
73 elsif ( $user->supports(qw/password hashed/) ) {
75 my $d = Digest->new( $user->hash_algorithm );
76 $d->add( $user->password_pre_salt || '' );
78 $d->add( $user->password_post_salt || '' );
80 my $stored = $user->hashed_password;
81 my $computed = $d->clone()->digest;
82 my $b64computed = $d->clone()->b64digest;
84 return ( ( $computed eq $stored )
85 || ( unpack( "H*", $computed ) eq $stored )
86 || ( $b64computed eq $stored)
87 || ( $b64computed.'=' eq $stored) );
89 elsif ( $user->supports(qw/password salted_hash/) ) {
90 require Crypt::SaltedHash;
93 $user->can("password_salt_len") ? $user->password_salt_len : 0;
95 return Crypt::SaltedHash->validate( $user->hashed_password, $password,
98 elsif ( $user->supports(qw/password self_check/) ) {
100 # while somewhat silly, this is to prevent code duplication
101 return $user->check_password($password);
105 Catalyst::Exception->throw(
106 "The user object $user does not support any "
107 . "known password authentication mechanism." );
119 Catalyst::Plugin::Authentication::Credential::Password - Authenticate a user
126 Authentication::Store::Foo
127 Authentication::Credential::Password
130 package MyApp::Controller::Auth;
133 # if you place an action named 'login' in your application's root (as
134 # opposed to inside a controller) the following snippet will recurse,
135 # giving you lots of grief.
136 # never name actions in the root controller after plugin methods - use
137 # controllers and : Global instead.
140 my ( $self, $c ) = @_;
142 $c->login( $c->req->param('username'), $c->req->param('password') );
147 This authentication credential checker takes a username (or userid) and a
148 password, and tries various methods of comparing a password based on what
149 the chosen store's user objects support:
153 =item clear text password
155 If the user has clear a clear text password it will be compared directly.
157 =item crypted password
159 If UNIX crypt hashed passwords are supported, they will be compared using
160 perl's builtin C<crypt> function.
162 =item hashed password
164 If the user object supports hashed passwords, they will be used in conjunction
173 =item login $username, $password
175 Try to log a user in.
177 C<$username> can be a string (e.g. retrieved from a form) or an object.
178 If the object is a L<Catalyst::Plugin::Authentication::User> it will be used
179 as is. Otherwise C<< $c->get_user >> is used to retrieve it.
181 C<$password> is a string.
183 If C<$username> or C<$password> are not provided, the query parameters
184 C<login>, C<user>, C<username> and C<password>, C<passwd>, C<pass> will
191 After the user is logged in, the user object for the current logged in user
192 can be retrieved from the context using the C<< $c->user >> method.
194 The current user can be logged out again by calling the C<< $c->logout >>
197 =head1 SUPPORTING THIS PLUGIN
199 For a User class to support credential verification using this plugin, it
200 needs to indicate what sort of password a given user supports
201 by implementing the C<supported_features> method in one or many of the
204 =head2 Clear Text Passwords
208 $user->supported_features(qw/password clear/);
216 Returns the user's clear text password as a string to be compared with C<eq>.
220 =head2 Crypted Passwords
224 $user->supported_features(qw/password crypted/);
230 =item crypted_password
232 Return's the user's crypted password as a string, with the salt as the first two chars.
236 =head2 Hashed Passwords
240 $user->supported_features(qw/password hashed/);
246 =item hashed_password
248 Return's the hash of the user's password as B<binary>.
252 Returns a string suitable for feeding into L<Digest/new>.
254 =item password_pre_salt
256 =item password_post_salt
258 Returns a string to be hashed before/after the user's password. Typically only
263 =head2 Crypt::SaltedHash Passwords
267 $user->supported_features(qw/password salted_hash/);
273 =item hashed_password
275 Returns the hash of the user's password as returned from L<Crypt-SaltedHash>->generate.
283 =item password_salt_len
285 Returns the length of salt used to generate the salted hash.