1 package Catalyst::Plugin::Authentication::Credential::Password;
2 use base qw/Class::Accessor::Fast/;
8 use Catalyst::Exception ();
12 __PACKAGE__->mk_accessors(qw/_config/);
16 my ($class, $config, $app) = @_;
18 my $self = { _config => $config };
21 $self->_config->{'password_field'} ||= 'password';
22 $self->_config->{'password_type'} ||= 'clear';
23 $self->_config->{'password_hash_type'} ||= 'SHA-1';
25 my $passwordtype = $self->_config->{'password_type'};
26 if (!grep /$passwordtype/, ('none', 'clear', 'hashed', 'salted_hash', 'crypted', 'self_check')) {
27 Catalyst::Exception->throw(__PACKAGE__ . " used with unsupported password type: " . $self->_config->{'password_type'});
33 my ( $self, $c, $authstore, $authinfo ) = @_;
35 ## because passwords may be in a hashed format, we have to make sure that we remove the
36 ## password_field before we pass it to the user routine, as some auth modules use
37 ## all data passed to them to find a matching user...
38 my $userfindauthinfo = {%{$authinfo}};
39 delete($userfindauthinfo->{$self->_config->{'password_field'}});
41 my $user_obj = $authstore->find_user($userfindauthinfo, $c);
43 if ($self->check_password($user_obj, $authinfo)) {
47 $c->log->debug("Unable to locate user matching user info provided");
53 my ( $self, $user, $authinfo ) = @_;
55 if ($self->_config->{'password_type'} eq 'self_check') {
56 return $user->check_password($authinfo->{$self->_config->{'password_field'}});
58 my $password = $authinfo->{$self->_config->{'password_field'}};
59 my $storedpassword = $user->get($self->_config->{'password_field'});
61 if ($self->_config->{'password_type'} eq 'none') {
63 } elsif ($self->_config->{'password_type'} eq 'clear') {
64 return $password eq $storedpassword;
65 } elsif ($self->_config->{'password_type'} eq 'crypted') {
66 return $storedpassword eq crypt( $password, $storedpassword );
67 } elsif ($self->_config->{'password_type'} eq 'salted_hash') {
68 require Crypt::SaltedHash;
69 my $salt_len = $self->_config->{'password_salt_len'} ? $self->_config->{'password_salt_len'} : 0;
70 return Crypt::SaltedHash->validate( $storedpassword, $password,
72 } elsif ($self->_config->{'password_type'} eq 'hashed') {
74 my $d = Digest->new( $self->_config->{'password_hash_type'} );
75 $d->add( $self->_config->{'password_pre_salt'} || '' );
77 $d->add( $self->_config->{'password_post_salt'} || '' );
79 my $computed = $d->clone()->digest;
80 my $b64computed = $d->clone()->b64digest;
81 return ( ( $computed eq $storedpassword )
82 || ( unpack( "H*", $computed ) eq $storedpassword )
83 || ( $b64computed eq $storedpassword)
84 || ( $b64computed.'=' eq $storedpassword) );
89 ## BACKWARDS COMPATIBILITY - all subs below here are deprecated
90 ## They are here for compatibility with older modules that use / inherit from C::P::A::Password
91 ## login()'s existence relies rather heavily on the fact that only Credential::Password
92 ## is being used as a credential. This may not be the case. This is only here
93 ## for backward compatibility. It will go away in a future version
94 ## login should not be used in new applications.
97 my ( $c, $user, $password, @rest ) = @_;
102 $user = $c->request->param("login")
103 || $c->request->param("user")
104 || $c->request->param("username")
107 "Can't login a user without a user object or user ID param")
115 $password = $c->request->param("password")
116 || $c->request->param("passwd")
117 || $c->request->param("pass")
119 $c->log->debug("Can't login a user without a password")
124 unless ( Scalar::Util::blessed($user)
125 and $user->isa("Catalyst::Plugin::Authentication::User") )
127 if ( my $user_obj = $c->get_user( $user, $password, @rest ) ) {
131 $c->log->debug("User '$user' doesn't exist in the default store")
137 if ( $c->_check_password( $user, $password ) ) {
138 $c->set_authenticated($user);
139 $c->log->debug("Successfully authenticated user '$user'.")
145 "Failed to authenticate user '$user'. Reason: 'Incorrect password'")
152 ## also deprecated. Here for compatibility with older credentials which do not inherit from C::P::A::Password
153 sub _check_password {
154 my ( $c, $user, $password ) = @_;
156 if ( $user->supports(qw/password clear/) ) {
157 return $user->password eq $password;
159 elsif ( $user->supports(qw/password crypted/) ) {
160 my $crypted = $user->crypted_password;
161 return $crypted eq crypt( $password, $crypted );
163 elsif ( $user->supports(qw/password hashed/) ) {
165 my $d = Digest->new( $user->hash_algorithm );
166 $d->add( $user->password_pre_salt || '' );
168 $d->add( $user->password_post_salt || '' );
170 my $stored = $user->hashed_password;
171 my $computed = $d->clone()->digest;
172 my $b64computed = $d->clone()->b64digest;
174 return ( ( $computed eq $stored )
175 || ( unpack( "H*", $computed ) eq $stored )
176 || ( $b64computed eq $stored)
177 || ( $b64computed.'=' eq $stored) );
179 elsif ( $user->supports(qw/password salted_hash/) ) {
180 require Crypt::SaltedHash;
183 $user->can("password_salt_len") ? $user->password_salt_len : 0;
185 return Crypt::SaltedHash->validate( $user->hashed_password, $password,
188 elsif ( $user->supports(qw/password self_check/) ) {
190 # while somewhat silly, this is to prevent code duplication
191 return $user->check_password($password);
195 Catalyst::Exception->throw(
196 "The user object $user does not support any "
197 . "known password authentication mechanism." );
209 Catalyst::Plugin::Authentication::Credential::Password - Authenticate a user
218 package MyApp::Controller::Auth;
221 my ( $self, $c ) = @_;
223 $c->authenticate( { username => $c->req->param('username'),
224 password => $c->req->param('password') });
229 This authentication credential checker takes authentication information
230 (most often a username) and a password, and attempts to validate the password
231 provided against the user retrieved from the store.
236 __PACKAGE__->config->{authentication} =
238 default_realm => 'members',
244 password_field => 'password',
245 password_type => 'hashed',
246 password_hash_type => 'SHA-1'
251 The password module is capable of working with several different password
252 encryption/hashing algorithms. The one the module uses is determined by the
253 credential configuration.
255 Those who have used L<Catalyst::Plugin::Authentication> prior to the 0.10 release
256 should note that the password field and type information is no longer part
257 of the store configuration and is now part of the Password credential configuration.
263 The classname used for Credential. This is part of
264 L<Catalyst::Plugin::Authentication> and is the method by which
265 Catalyst::Plugin::Authentication::Credential::Password is loaded as the
266 credential validator. For this module to be used, this must be set to
271 The field in the user object that contains the password. This will vary
272 depending on the storage class used, but is most likely something like
273 'password'. In fact, this is so common that if this is left out of the config,
274 it defaults to 'password'. This field is obtained from the user object using
275 the get() method. Essentially: $user->get('passwordfieldname');
279 This sets the password type. Often passwords are stored in crypted or hashed
280 formats. In order for the password module to verify the plaintext password
281 passed in, it must be told what format the password will be in when it is retrieved
282 from the user object. The supported options are:
288 No password check is done. An attempt is made to retrieve the user based on
289 the information provided in the $c->authenticate() call. If a user is found,
290 authentication is considered to be successful.
294 The password stored in the user object is in clear text and will be compared directly.
298 This option indicates that the password should be passed to the check_password()
299 routine on the user object returned from the store.
303 The password stored in the user object is in UNIX crypt() hashed format.
307 The password in user is in salted hash format, and will be validated
308 using L<Crypt::SaltedHash>. If this password type is selected, you should
309 also provide the B<password_salt_len> config element to define the salt length.
313 If the user object supports hashed passwords, they will be used in conjunction
314 with L<Digest>. The following config elements affect the hashed configuration:
318 =item password_hash_type
320 The hash type used, passed directly to L<Digest/new>.
322 =item password_pre_salt
324 Any pre-salt data to be passed to L<Digest/add> before processing the password.
326 =item password_post_salt
328 Any post-salt data to be passed to L<Digest/add> after processing the password.
338 The Password credential module is very simple to use. Once configured as
339 indicated above, authenticating using this module is simply a matter of
340 calling $c->authenticate() with an authinfo hashref that includes the
341 B<password> element. The password element should contain the password supplied
342 by the user to be authenticated, in clear text. The other information supplied
343 in the auth hash is ignored by the Password module, and simply passed to the
344 auth store to be used to retrieve the user. An example call follows:
346 if ($c->authenticate({ username => $username,
347 password => $password} )) {
348 # authentication successful
350 # authentication failed
355 There are no publicly exported routines in the Password module (or indeed in
356 most credential modules). However, below is a description of the routines
357 required by L<Catalyst::Plugin::Authentication> for all credential modules.
361 =item new ( $config, $app )
363 Instantiate a new Password object using the configuration hash provided in
364 $config. A reference to the application is provided as the second argument.
365 Note to credential module authors: new() is called during the application's
366 plugin setup phase, which is before the application specific controllers are
367 loaded. The practical upshot of this is that things like $c->model(...) will
368 not function as expected.
370 =item authenticate ( $authinfo, $c )
372 Try to log a user in, receives a hashref containing authentication information
373 as the first argument, and the current context as the second.