#!/usr/bin/perl
package Catalyst::Plugin::Authentication::Credential::Password;
+use base qw/Class::Accessor::Fast/;
use strict;
use warnings;
use Catalyst::Exception ();
use Digest ();
+BEGIN {
+ __PACKAGE__->mk_accessors(qw/_config/);
+}
+
sub new {
my ($class, $config, $app) = @_;
- my $self = { %{$config} };
- $self->{'password_field'} ||= 'password';
- $self->{'password_type'} ||= 'clear';
- $self->{'password_hash_type'} ||= 'SHA-1';
+ my $self = { _config => $config };
+ bless $self, $class;
+
+ $self->_config->{'password_field'} ||= 'password';
+ $self->_config->{'password_type'} ||= 'clear';
+ $self->_config->{'password_hash_type'} ||= 'SHA-1';
- if (!grep /$$self{'password_type'}/, ('clear', 'hashed', 'salted_hash', 'crypted', 'self_check')) {
- Catalyst::Exception->throw(__PACKAGE__ . " used with unsupported password type: " . $self->{'password_type'});
+ my $passwordtype = $self->_config->{'password_type'};
+ if (!grep /$passwordtype/, ('clear', 'hashed', 'salted_hash', 'crypted', 'self_check')) {
+ Catalyst::Exception->throw(__PACKAGE__ . " used with unsupported password type: " . $self->_config->{'password_type'});
}
-
- bless $self, $class;
+ return $self;
}
sub authenticate {
my ( $self, $c, $authstore, $authinfo ) = @_;
- my $user_obj = $authstore->find_user($authinfo, $c);
- if ($user_obj) {
+ ## because passwords may be in a hashed format, we have to make sure that we remove the
+ ## password_field before we pass it to the user routine, as some auth modules use
+ ## all data passed to them to find a matching user...
+ my $userfindauthinfo = {%{$authinfo}};
+ delete($userfindauthinfo->{$self->_config->{'password_field'}});
+
+ my $user_obj = $authstore->find_user($userfindauthinfo, $c);
+ if (ref($user_obj)) {
if ($self->check_password($user_obj, $authinfo)) {
return $user_obj;
}
sub check_password {
my ( $self, $user, $authinfo ) = @_;
- if ($self->{'password_type'} eq 'self_check') {
- return $user->check_password($authinfo->{$self->{'password_field'}});
+ if ($self->_config->{'password_type'} eq 'self_check') {
+ return $user->check_password($authinfo->{$self->_config->{'password_field'}});
} else {
- my $password = $authinfo->{$self->{'password_field'}};
- my $storedpassword = $user->get($self->{'password_field'});
+ my $password = $authinfo->{$self->_config->{'password_field'}};
+ my $storedpassword = $user->get($self->_config->{'password_field'});
- if ($self->{password_type} eq 'clear') {
+ if ($self->_config->{password_type} eq 'clear') {
return $password eq $storedpassword;
- } elsif ($self->{'password_type'} eq 'crypted') {
+ } elsif ($self->_config->{'password_type'} eq 'crypted') {
return $storedpassword eq crypt( $password, $storedpassword );
- } elsif ($self->{'password_type'} eq 'salted_hash') {
+ } elsif ($self->_config->{'password_type'} eq 'salted_hash') {
require Crypt::SaltedHash;
- my $salt_len = $self->{'password_salt_len'} ? $self->{'password_salt_len'} : 0;
+ my $salt_len = $self->_config->{'password_salt_len'} ? $self->_config->{'password_salt_len'} : 0;
return Crypt::SaltedHash->validate( $storedpassword, $password,
$salt_len );
- } elsif ($self->{'password_type'} eq 'hashed') {
+ } elsif ($self->_config->{'password_type'} eq 'hashed') {
- my $d = Digest->new( $self->{'password_hash_type'} );
- $d->add( $self->{'password_pre_salt'} || '' );
+ my $d = Digest->new( $self->_config->{'password_hash_type'} );
+ $d->add( $self->_config->{'password_pre_salt'} || '' );
$d->add($password);
- $d->add( $self->{'password_post_salt'} || '' );
+ $d->add( $self->_config->{'password_post_salt'} || '' );
my $computed = $d->clone()->digest;
my $b64computed = $d->clone()->b64digest;
use Catalyst qw/
Authentication
- Authentication::Store::Foo
- Authentication::Credential::Password
/;
package MyApp::Controller::Auth;
- # *** NOTE ***
- # if you place an action named 'login' in your application's root (as
- # opposed to inside a controller) the following snippet will recurse,
- # giving you lots of grief.
- # never name actions in the root controller after plugin methods - use
- # controllers and : Global instead.
-
sub login : Local {
my ( $self, $c ) = @_;
- $c->login( $c->req->param('username'), $c->req->param('password') );
+ $c->authenticate( { username => $c->req->param('username'),
+ password => $c->req->param('password') });
}
=head1 DESCRIPTION
-This authentication credential checker takes a username (or userid) and a
-password, and tries various methods of comparing a password based on what
-the chosen store's user objects support:
-
-=over 4
-
-=item clear text password
-
-If the user has clear a clear text password it will be compared directly.
-
-=item crypted password
-
-If UNIX crypt hashed passwords are supported, they will be compared using
-perl's builtin C<crypt> function.
-
-=item hashed password
-
-If the user object supports hashed passwords, they will be used in conjunction
-with L<Digest>.
-
-=back
-
-=head1 METHODS
-
-=over 4
-
-=item login $username, $password
-
-Try to log a user in.
-
-C<$username> can be a string (e.g. retrieved from a form) or an object.
-If the object is a L<Catalyst::Plugin::Authentication::User> it will be used
-as is. Otherwise C<< $c->get_user >> is used to retrieve it.
+This authentication credential checker takes authentication information
+(most often a username) and a password, and attempts to validate the password
+provided against the user retrieved from the store.
-C<$password> is a string.
+=head1 CONFIGURATION
-If C<$username> or C<$password> are not provided, the query parameters
-C<login>, C<user>, C<username> and C<password>, C<passwd>, C<pass> will
-be tried instead.
+ # example
+ __PACKAGE__->config->{authentication} =
+ {
+ default_realm => 'members',
+ realms => {
+ members => {
+
+ credential => {
+ class => 'Password',
+ password_field => 'password',
+ password_type => 'hashed',
+ password_hash_type => 'SHA-1'
+ },
+ ...
-=back
-=head1 RELATED USAGE
+The password module is capable of working with several different password
+encryption/hashing algorithms. The one the module uses is determined by the
+credential configuration.
-After the user is logged in, the user object for the current logged in user
-can be retrieved from the context using the C<< $c->user >> method.
+=over 4
-The current user can be logged out again by calling the C<< $c->logout >>
-method.
+=item class
-=head1 SUPPORTING THIS PLUGIN
+The classname used for Credential. This is part of
+L<Catalyst::Plugin::Authentication> and is the method by which
+Catalyst::Plugin::Authentication::Credential::Password is loaded as the
+credential validator. For this module to be used, this must be set to
+'Password'.
-For a User class to support credential verification using this plugin, it
-needs to indicate what sort of password a given user supports
-by implementing the C<supported_features> method in one or many of the
-following ways:
+=item password_field
-=head2 Clear Text Passwords
+The field in the user object that contains the password. This will vary
+depending on the storage class used, but is most likely something like
+'password'. In fact, this is so common that if this is left out of the config,
+it defaults to 'password'. This field is obtained from the user object using
+the get() method. Essentially: $user->get('passwordfieldname');
-Predicate:
+=item password_type
- $user->supported_features(qw/password clear/);
+This sets the password type. Often passwords are stored in crypted or hashed
+formats. In order for the password module to verify the plaintext password
+passed in, it must be told what format the password will be in when it is retreived
+from the user object. The supported options are:
-Expected methods:
+=over 8
-=over 4
+=item clear
-=item password
+The password in user is in clear text and will be compared directly.
-Returns the user's clear text password as a string to be compared with C<eq>.
+=item self_check
-=back
+This option indicates that the password should be passed to the check_password()
+routine on the user object returned from the store.
-=head2 Crypted Passwords
+=item crypted
-Predicate:
+The password in user is in UNIX crypt hashed format.
- $user->supported_features(qw/password crypted/);
+=item salted_hash
-Expected methods:
+The password in user is in salted hash format, and will be validated
+using L<Crypt::SaltedHash>. If this password type is selected, you should
+also provide the B<password_salt_len> config element to define the salt length.
-=over 4
+=item hashed
-=item crypted_password
-
-Return's the user's crypted password as a string, with the salt as the first two chars.
-
-=back
-
-=head2 Hashed Passwords
-
-Predicate:
-
- $user->supported_features(qw/password hashed/);
-
-Expected methods:
-
-=over 4
+If the user object supports hashed passwords, they will be used in conjunction
+with L<Digest>. The following config elements affect the hashed configuration:
-=item hashed_password
+=over 8
-Return's the hash of the user's password as B<binary>.
+=item password_hash_type
-=item hash_algorithm
+The hash type used, passed directly to L<Digest/new>.
-Returns a string suitable for feeding into L<Digest/new>.
+=item password_pre_salt
-=item password_pre_salt
+Any pre-salt data to be passed to L<Digest/add> before processing the password.
=item password_post_salt
-Returns a string to be hashed before/after the user's password. Typically only
-a pre-salt is used.
+Any post-salt data to be passed to L<Digest/add> after processing the password.
=back
-=head2 Crypt::SaltedHash Passwords
-
-Predicate:
-
- $user->supported_features(qw/password salted_hash/);
+=back
-Expected methods:
+=back
-=over 4
+=head1 USAGE
-=item hashed_password
+The Password credential module is very simple to use. Once configured as indicated
+above, authenticating using this module is simply a matter of calling $c->authenticate()
+with an authinfo hashref that includes the B<password> element. The password element should
+contain the password supplied by the user to be authenticated, in clear text. The other
+information supplied in the auth hash is ignored by the Password module, and simply passed
+to the auth store to be used to retrieve the user. An example call follows:
-Returns the hash of the user's password as returned from L<Crypt-SaltedHash>->generate.
+ if ($c->authenticate({ username => $username,
+ password => $password} )) {
+ # authentication successful
+ } else {
+ # authentication failed
+ }
-=back
+=head1 METHODS
-Optional methods:
+There are no publicly exported routines in the Password module (or indeed in
+most credential modules.) However, below is a description of the routines
+required by L<Catalyst::Plugin::Authentication> for all credential modules.
=over 4
-=item password_salt_len
+=item new ( $config, $app )
-Returns the length of salt used to generate the salted hash.
+Instantiate a new Password object using the configuration hash provided in
+$config. A reference to the application is provided as the second argument.
+Note to credential module authors: new() is called during the application's
+plugin setup phase, which is before the application specific controllers are
+loaded. The practical upshot of this is that things like $c->model(...) will
+not function as expected.
-=back
-
-=cut
+=item authenticate ( $authinfo, $c )
+Try to log a user in, receives a hashref containing authentication information
+as the first argument, and the current context as the second.
+=back