3 package Catalyst::Plugin::Authentication::Credential::Password;
9 use Catalyst::Exception ();
13 my ($class, $config, $app) = @_;
15 my $self = { %{$config} };
16 $self->{'password_field'} ||= 'password';
17 $self->{'password_type'} ||= 'clear';
18 $self->{'password_hash_type'} ||= 'SHA-1';
20 if (!grep /$$self{'password_type'}/, ('clear', 'hashed', 'salted_hash', 'crypted', 'self_check')) {
21 Catalyst::Exception->throw(__PACKAGE__ . " used with unsupported password type: " . $self->{'password_type'});
28 my ( $self, $c, $authstore, $authinfo ) = @_;
30 my $user_obj = $authstore->find_user($authinfo, $c);
32 if ($self->check_password($user_obj, $authinfo)) {
36 $c->log->debug("Unable to locate user matching user info provided");
42 my ( $self, $user, $authinfo ) = @_;
44 if ($self->{'password_type'} eq 'self_check') {
45 return $user->check_password($authinfo->{$self->{'password_field'}});
47 my $password = $authinfo->{$self->{'password_field'}};
48 my $storedpassword = $user->get($self->{'password_field'});
50 if ($self->{password_type} eq 'clear') {
51 return $password eq $storedpassword;
52 } elsif ($self->{'password_type'} eq 'crypted') {
53 return $storedpassword eq crypt( $password, $storedpassword );
54 } elsif ($self->{'password_type'} eq 'salted_hash') {
55 require Crypt::SaltedHash;
56 my $salt_len = $self->{'password_salt_len'} ? $self->{'password_salt_len'} : 0;
57 return Crypt::SaltedHash->validate( $storedpassword, $password,
59 } elsif ($self->{'password_type'} eq 'hashed') {
61 my $d = Digest->new( $self->{'password_hash_type'} );
62 $d->add( $self->{'password_pre_salt'} || '' );
64 $d->add( $self->{'password_post_salt'} || '' );
66 my $computed = $d->clone()->digest;
67 my $b64computed = $d->clone()->b64digest;
68 return ( ( $computed eq $storedpassword )
69 || ( unpack( "H*", $computed ) eq $storedpassword )
70 || ( $b64computed eq $storedpassword)
71 || ( $b64computed.'=' eq $storedpassword) );
76 ## BACKWARDS COMPATIBILITY - all subs below here are deprecated
77 ## They are here for compatibility with older modules that use / inherit from C::P::A::Password
78 ## login()'s existance relies rather heavily on the fact that Credential::Password
79 ## is being used as a credential. This may not be the case. This is only here
80 ## for backward compatibility. It will go away in a future version
81 ## login should not be used in new applications.
84 my ( $c, $user, $password, @rest ) = @_;
89 $user = $c->request->param("login")
90 || $c->request->param("user")
91 || $c->request->param("username")
94 "Can't login a user without a user object or user ID param")
102 $password = $c->request->param("password")
103 || $c->request->param("passwd")
104 || $c->request->param("pass")
106 $c->log->debug("Can't login a user without a password")
111 unless ( Scalar::Util::blessed($user)
112 and $user->isa("Catalyst::Plugin::Authentication::User") )
114 if ( my $user_obj = $c->get_user( $user, $password, @rest ) ) {
118 $c->log->debug("User '$user' doesn't exist in the default store")
124 if ( $c->_check_password( $user, $password ) ) {
125 $c->set_authenticated($user);
126 $c->log->debug("Successfully authenticated user '$user'.")
132 "Failed to authenticate user '$user'. Reason: 'Incorrect password'")
139 ## also deprecated. Here for compatibility with older credentials which do not inherit from C::P::A::Password
140 sub _check_password {
141 my ( $c, $user, $password ) = @_;
143 if ( $user->supports(qw/password clear/) ) {
144 return $user->password eq $password;
146 elsif ( $user->supports(qw/password crypted/) ) {
147 my $crypted = $user->crypted_password;
148 return $crypted eq crypt( $password, $crypted );
150 elsif ( $user->supports(qw/password hashed/) ) {
152 my $d = Digest->new( $user->hash_algorithm );
153 $d->add( $user->password_pre_salt || '' );
155 $d->add( $user->password_post_salt || '' );
157 my $stored = $user->hashed_password;
158 my $computed = $d->clone()->digest;
159 my $b64computed = $d->clone()->b64digest;
161 return ( ( $computed eq $stored )
162 || ( unpack( "H*", $computed ) eq $stored )
163 || ( $b64computed eq $stored)
164 || ( $b64computed.'=' eq $stored) );
166 elsif ( $user->supports(qw/password salted_hash/) ) {
167 require Crypt::SaltedHash;
170 $user->can("password_salt_len") ? $user->password_salt_len : 0;
172 return Crypt::SaltedHash->validate( $user->hashed_password, $password,
175 elsif ( $user->supports(qw/password self_check/) ) {
177 # while somewhat silly, this is to prevent code duplication
178 return $user->check_password($password);
182 Catalyst::Exception->throw(
183 "The user object $user does not support any "
184 . "known password authentication mechanism." );
196 Catalyst::Plugin::Authentication::Credential::Password - Authenticate a user
203 Authentication::Store::Foo
204 Authentication::Credential::Password
207 package MyApp::Controller::Auth;
210 # if you place an action named 'login' in your application's root (as
211 # opposed to inside a controller) the following snippet will recurse,
212 # giving you lots of grief.
213 # never name actions in the root controller after plugin methods - use
214 # controllers and : Global instead.
217 my ( $self, $c ) = @_;
219 $c->login( $c->req->param('username'), $c->req->param('password') );
224 This authentication credential checker takes a username (or userid) and a
225 password, and tries various methods of comparing a password based on what
226 the chosen store's user objects support:
230 =item clear text password
232 If the user has clear a clear text password it will be compared directly.
234 =item crypted password
236 If UNIX crypt hashed passwords are supported, they will be compared using
237 perl's builtin C<crypt> function.
239 =item hashed password
241 If the user object supports hashed passwords, they will be used in conjunction
250 =item login $username, $password
252 Try to log a user in.
254 C<$username> can be a string (e.g. retrieved from a form) or an object.
255 If the object is a L<Catalyst::Plugin::Authentication::User> it will be used
256 as is. Otherwise C<< $c->get_user >> is used to retrieve it.
258 C<$password> is a string.
260 If C<$username> or C<$password> are not provided, the query parameters
261 C<login>, C<user>, C<username> and C<password>, C<passwd>, C<pass> will
268 After the user is logged in, the user object for the current logged in user
269 can be retrieved from the context using the C<< $c->user >> method.
271 The current user can be logged out again by calling the C<< $c->logout >>
274 =head1 SUPPORTING THIS PLUGIN
276 For a User class to support credential verification using this plugin, it
277 needs to indicate what sort of password a given user supports
278 by implementing the C<supported_features> method in one or many of the
281 =head2 Clear Text Passwords
285 $user->supported_features(qw/password clear/);
293 Returns the user's clear text password as a string to be compared with C<eq>.
297 =head2 Crypted Passwords
301 $user->supported_features(qw/password crypted/);
307 =item crypted_password
309 Return's the user's crypted password as a string, with the salt as the first two chars.
313 =head2 Hashed Passwords
317 $user->supported_features(qw/password hashed/);
323 =item hashed_password
325 Return's the hash of the user's password as B<binary>.
329 Returns a string suitable for feeding into L<Digest/new>.
331 =item password_pre_salt
333 =item password_post_salt
335 Returns a string to be hashed before/after the user's password. Typically only
340 =head2 Crypt::SaltedHash Passwords
344 $user->supported_features(qw/password salted_hash/);
350 =item hashed_password
352 Returns the hash of the user's password as returned from L<Crypt-SaltedHash>->generate.
360 =item password_salt_len
362 Returns the length of salt used to generate the salted hash.