-#!/usr/bin/perl\r
-\r
-package Catalyst::Plugin::Authentication::Credential::Password;\r
-\r
-use strict;\r
-use warnings;\r
-\r
-use Scalar::Util ();\r
-use Catalyst::Exception ();\r
-use Digest ();\r
-\r
-sub login {\r
- my ( $c, $user, $password ) = @_;\r
-\r
- for ( $c->request ) {\r
- $user ||= $_->param("login")\r
- || $_->param("user")\r
- || $_->param("username")\r
- || Catalyst::Exception->throw("Can't determine username for login");\r
-\r
- $password ||= $_->param("password")\r
- || $_->param("passwd")\r
- || $_->param("pass")\r
- || Catalyst::Exception->throw("Can't determine password for login");\r
- }\r
-\r
- $user = $c->get_user($user) || return\r
- unless Scalar::Util::blessed($user)\r
- and $user->isa("Catalyst:::Plugin::Authentication::User");\r
-\r
- if ( $c->_check_password( $user, $password ) ) {\r
- $c->set_authenticated($user);\r
- return 1;\r
- }\r
- else {\r
- return undef;\r
- }\r
-}\r
-\r
-sub _check_password {\r
- my ( $c, $user, $password ) = @_;\r
-\r
- if ( $user->supports(qw/password clear/) ) {\r
- return $user->password eq $password;\r
- }\r
- elsif ( $user->supports(qw/password crypted/) ) {\r
- my $crypted = $user->crypted_password;\r
- return $crypted eq crypt( $password, $crypted );\r
- }\r
- elsif ( $user->supports(qw/password hashed/) ) {\r
-\r
- my $d = Digest->new( $user->hash_algorithm );\r
- $d->add( $user->password_pre_salt || '' );\r
- $d->add($password);\r
- $d->add( $user->password_post_salt || '' );\r
-\r
- return $d->digest eq $user->hashed_password;\r
- }\r
- elsif ( $user->supports(qw/password salted_hash/) ) {\r
- require Crypt::SaltedHash;\r
-\r
- my $salt_len =\r
- $user->can("password_salt_len") ? $user->password_salt_len : 0;\r
-\r
- return Crypt::SaltedHash->validate( $user->hashed_password, $password,\r
- $salt_len );\r
- }\r
- elsif ( $user->supports(qw/password self_check/) ) {\r
-\r
- # while somewhat silly, this is to prevent code duplication\r
- return $user->check_password($password);\r
-\r
- }\r
- else {\r
- Catalyst::Exception->throw(\r
- "The user object $user does not support any "\r
- . "known password authentication mechanism." );\r
- }\r
-}\r
-\r
-__PACKAGE__;\r
-\r
-__END__\r
-\r
-=pod\r
-\r
-=head1 NAME\r
-\r
-Catalyst::Plugin::Authentication::Credential::Password - Authenticate a user\r
-with a password.\r
-\r
-=head1 SYNOPSIS\r
-\r
- use Catalyst qw/\r
- Authentication\r
- Authentication::Store::Foo\r
- Authentication::Credential::Password\r
- /;\r
-\r
- sub login : Local {\r
- my ( $self, $c ) = @_;\r
-\r
- $c->login( $c->req->param('login'), $c->req->param('password') );\r
- }\r
-\r
-=head1 DESCRIPTION\r
-\r
-This authentication credential checker takes a user and a password, and tries\r
-various methods of comparing a password based on what the user supports:\r
-\r
-=over 4\r
-\r
-=item clear text password\r
-\r
-If the user has clear a clear text password it will be compared directly.\r
-\r
-=item crypted password\r
-\r
-If UNIX crypt hashed passwords are supported, they will be compared using\r
-perl's builtin C<crypt> function.\r
-\r
-=item hashed password\r
-\r
-If the user object supports hashed passwords, they will be used in conjunction\r
-with L<Digest>.\r
-\r
-=back\r
-\r
-=head1 METHODS\r
-\r
-=over 4\r
-\r
-=item login $user, $password\r
-\r
-=item login\r
-\r
-Try to log a user in.\r
-\r
-C<$user> can be an ID or object. If it isa\r
-L<Catalyst::Plugin::Authentication::User> it will be used as is. Otherwise\r
-C<< $c->get_user >> is used to retrieve it.\r
-\r
-C<$password> is a string.\r
-\r
-If C<$user> or C<$password> are not provided the parameters C<login>, C<user>,\r
-C<username> and C<password>, C<passwd>, C<pass> will be tried instead.\r
-\r
-=back\r
-\r
-=head1 SUPPORTING THIS PLUGIN\r
-\r
-=head2 Clear Text Passwords\r
-\r
-Predicate:\r
-\r
- $user->supports(qw/password clear/);\r
-\r
-Expected methods:\r
-\r
-=over 4\r
-\r
-=item password\r
-\r
-Returns the user's clear text password as a string to be compared with C<eq>.\r
-\r
-=back\r
-\r
-=head2 Crypted Passwords\r
-\r
-Predicate:\r
-\r
- $user->supports(qw/password crypted/);\r
-\r
-Expected methods:\r
-\r
-=over 4\r
-\r
-=item crypted_password\r
-\r
-Return's the user's crypted password as a string, with the salt as the first two chars.\r
-\r
-=back\r
-\r
-=head2 Hashed Passwords\r
-\r
-Predicate:\r
-\r
- $user->supports(qw/password hashed/);\r
-\r
-Expected methods:\r
-\r
-=over 4\r
-\r
-=item hashed_password\r
-\r
-Return's the hash of the user's password as B<binary>.\r
-\r
-=item hash_algorithm\r
-\r
-Returns a string suitable for feeding into L<Digest/new>.\r
-\r
-=item password_pre_salt\r
-\r
-=item password_post_salt\r
-\r
-Returns a string to be hashed before/after the user's password. Typically only\r
-a pre-salt is used.\r
-\r
-=head2 Crypt::SaltedHash Passwords\r
-\r
-Predicate:\r
-\r
- $user->supports(qw/password salted_hash/);\r
-\r
-Expected methods:\r
-\r
-=over 4\r
-\r
-=item hashed_password\r
-\r
-Return's the hash of the user's password as returned from L<Crypt-SaltedHash>->generate.\r
-\r
-=back\r
-\r
-Optional methods:\r
-\r
-=over 4\r
-\r
-=item password_salt_len\r
-\r
-Returns the length of salt used to generate the salted hash.\r
-\r
-=back\r
-\r
-=cut\r
-\r
-\r
+#!/usr/bin/perl
+
+package Catalyst::Plugin::Authentication::Credential::Password;
+
+use strict;
+use warnings;
+
+use Scalar::Util ();
+use Catalyst::Exception ();
+use Digest ();
+
+sub new {
+ my ($class, $config, $app) = @_;
+
+ my $self = { %{$config} };
+ $self->{'password_field'} ||= 'password';
+ $self->{'password_type'} ||= 'clear';
+ $self->{'password_hash_type'} ||= 'SHA-1';
+
+ if (!grep /$$self{'password_type'}/, ('clear', 'hashed', 'salted_hash', 'crypted', 'self_check')) {
+ Catalyst::Exception->throw(__PACKAGE__ . " used with unsupported password type: " . $self->{'password_type'});
+ }
+
+ bless $self, $class;
+}
+
+sub authenticate {
+ my ( $self, $c, $authstore, $authinfo ) = @_;
+
+ my $user_obj = $authstore->find_user($authinfo, $c);
+ if ($user_obj) {
+ if ($self->check_password($user_obj, $authinfo)) {
+ return $user_obj;
+ }
+ } else {
+ $c->log->debug("Unable to locate user matching user info provided");
+ return;
+ }
+}
+
+sub check_password {
+ my ( $self, $user, $authinfo ) = @_;
+
+ if ($self->{'password_type'} eq 'self_check') {
+ return $user->check_password($authinfo->{$self->{'password_field'}});
+ } else {
+ my $password = $authinfo->{$self->{'password_field'}};
+ my $storedpassword = $user->get($self->{'password_field'});
+
+ if ($self->{password_type} eq 'clear') {
+ return $password eq $storedpassword;
+ } elsif ($self->{'password_type'} eq 'crypted') {
+ return $storedpassword eq crypt( $password, $storedpassword );
+ } elsif ($self->{'password_type'} eq 'salted_hash') {
+ require Crypt::SaltedHash;
+ my $salt_len = $self->{'password_salt_len'} ? $self->{'password_salt_len'} : 0;
+ return Crypt::SaltedHash->validate( $storedpassword, $password,
+ $salt_len );
+ } elsif ($self->{'password_type'} eq 'hashed') {
+
+ my $d = Digest->new( $self->{'password_hash_type'} );
+ $d->add( $self->{'password_pre_salt'} || '' );
+ $d->add($password);
+ $d->add( $self->{'password_post_salt'} || '' );
+
+ my $computed = $d->clone()->digest;
+ my $b64computed = $d->clone()->b64digest;
+ return ( ( $computed eq $storedpassword )
+ || ( unpack( "H*", $computed ) eq $storedpassword )
+ || ( $b64computed eq $storedpassword)
+ || ( $b64computed.'=' eq $storedpassword) );
+ }
+ }
+}
+
+## BACKWARDS COMPATIBILITY - all subs below here are deprecated
+## They are here for compatibility with older modules that use / inherit from C::P::A::Password
+## login()'s existance relies rather heavily on the fact that Credential::Password
+## is being used as a credential. This may not be the case. This is only here
+## for backward compatibility. It will go away in a future version
+## login should not be used in new applications.
+
+sub login {
+ my ( $c, $user, $password, @rest ) = @_;
+
+ unless (
+ defined($user)
+ or
+ $user = $c->request->param("login")
+ || $c->request->param("user")
+ || $c->request->param("username")
+ ) {
+ $c->log->debug(
+ "Can't login a user without a user object or user ID param")
+ if $c->debug;
+ return;
+ }
+
+ unless (
+ defined($password)
+ or
+ $password = $c->request->param("password")
+ || $c->request->param("passwd")
+ || $c->request->param("pass")
+ ) {
+ $c->log->debug("Can't login a user without a password")
+ if $c->debug;
+ return;
+ }
+
+ unless ( Scalar::Util::blessed($user)
+ and $user->isa("Catalyst::Plugin::Authentication::User") )
+ {
+ if ( my $user_obj = $c->get_user( $user, $password, @rest ) ) {
+ $user = $user_obj;
+ }
+ else {
+ $c->log->debug("User '$user' doesn't exist in the default store")
+ if $c->debug;
+ return;
+ }
+ }
+
+ if ( $c->_check_password( $user, $password ) ) {
+ $c->set_authenticated($user);
+ $c->log->debug("Successfully authenticated user '$user'.")
+ if $c->debug;
+ return 1;
+ }
+ else {
+ $c->log->debug(
+ "Failed to authenticate user '$user'. Reason: 'Incorrect password'")
+ if $c->debug;
+ return;
+ }
+
+}
+
+## also deprecated. Here for compatibility with older credentials which do not inherit from C::P::A::Password
+sub _check_password {
+ my ( $c, $user, $password ) = @_;
+
+ if ( $user->supports(qw/password clear/) ) {
+ return $user->password eq $password;
+ }
+ elsif ( $user->supports(qw/password crypted/) ) {
+ my $crypted = $user->crypted_password;
+ return $crypted eq crypt( $password, $crypted );
+ }
+ elsif ( $user->supports(qw/password hashed/) ) {
+
+ my $d = Digest->new( $user->hash_algorithm );
+ $d->add( $user->password_pre_salt || '' );
+ $d->add($password);
+ $d->add( $user->password_post_salt || '' );
+
+ my $stored = $user->hashed_password;
+ my $computed = $d->clone()->digest;
+ my $b64computed = $d->clone()->b64digest;
+
+ return ( ( $computed eq $stored )
+ || ( unpack( "H*", $computed ) eq $stored )
+ || ( $b64computed eq $stored)
+ || ( $b64computed.'=' eq $stored) );
+ }
+ elsif ( $user->supports(qw/password salted_hash/) ) {
+ require Crypt::SaltedHash;
+
+ my $salt_len =
+ $user->can("password_salt_len") ? $user->password_salt_len : 0;
+
+ return Crypt::SaltedHash->validate( $user->hashed_password, $password,
+ $salt_len );
+ }
+ elsif ( $user->supports(qw/password self_check/) ) {
+
+ # while somewhat silly, this is to prevent code duplication
+ return $user->check_password($password);
+
+ }
+ else {
+ Catalyst::Exception->throw(
+ "The user object $user does not support any "
+ . "known password authentication mechanism." );
+ }
+}
+
+__PACKAGE__;
+
+__END__
+
+=pod
+
+=head1 NAME
+
+Catalyst::Plugin::Authentication::Credential::Password - Authenticate a user
+with a password.
+
+=head1 SYNOPSIS
+
+ use Catalyst qw/
+ Authentication
+ Authentication::Store::Foo
+ Authentication::Credential::Password
+ /;
+
+ package MyApp::Controller::Auth;
+
+ # *** NOTE ***
+ # if you place an action named 'login' in your application's root (as
+ # opposed to inside a controller) the following snippet will recurse,
+ # giving you lots of grief.
+ # never name actions in the root controller after plugin methods - use
+ # controllers and : Global instead.
+
+ sub login : Local {
+ my ( $self, $c ) = @_;
+
+ $c->login( $c->req->param('username'), $c->req->param('password') );
+ }
+
+=head1 DESCRIPTION
+
+This authentication credential checker takes a username (or userid) and a
+password, and tries various methods of comparing a password based on what
+the chosen store's user objects support:
+
+=over 4
+
+=item clear text password
+
+If the user has clear a clear text password it will be compared directly.
+
+=item crypted password
+
+If UNIX crypt hashed passwords are supported, they will be compared using
+perl's builtin C<crypt> function.
+
+=item hashed password
+
+If the user object supports hashed passwords, they will be used in conjunction
+with L<Digest>.
+
+=back
+
+=head1 METHODS
+
+=over 4
+
+=item login $username, $password
+
+Try to log a user in.
+
+C<$username> can be a string (e.g. retrieved from a form) or an object.
+If the object is a L<Catalyst::Plugin::Authentication::User> it will be used
+as is. Otherwise C<< $c->get_user >> is used to retrieve it.
+
+C<$password> is a string.
+
+If C<$username> or C<$password> are not provided, the query parameters
+C<login>, C<user>, C<username> and C<password>, C<passwd>, C<pass> will
+be tried instead.
+
+=back
+
+=head1 RELATED USAGE
+
+After the user is logged in, the user object for the current logged in user
+can be retrieved from the context using the C<< $c->user >> method.
+
+The current user can be logged out again by calling the C<< $c->logout >>
+method.
+
+=head1 SUPPORTING THIS PLUGIN
+
+For a User class to support credential verification using this plugin, it
+needs to indicate what sort of password a given user supports
+by implementing the C<supported_features> method in one or many of the
+following ways:
+
+=head2 Clear Text Passwords
+
+Predicate:
+
+ $user->supported_features(qw/password clear/);
+
+Expected methods:
+
+=over 4
+
+=item password
+
+Returns the user's clear text password as a string to be compared with C<eq>.
+
+=back
+
+=head2 Crypted Passwords
+
+Predicate:
+
+ $user->supported_features(qw/password crypted/);
+
+Expected methods:
+
+=over 4
+
+=item crypted_password
+
+Return's the user's crypted password as a string, with the salt as the first two chars.
+
+=back
+
+=head2 Hashed Passwords
+
+Predicate:
+
+ $user->supported_features(qw/password hashed/);
+
+Expected methods:
+
+=over 4
+
+=item hashed_password
+
+Return's the hash of the user's password as B<binary>.
+
+=item hash_algorithm
+
+Returns a string suitable for feeding into L<Digest/new>.
+
+=item password_pre_salt
+
+=item password_post_salt
+
+Returns a string to be hashed before/after the user's password. Typically only
+a pre-salt is used.
+
+=back
+
+=head2 Crypt::SaltedHash Passwords
+
+Predicate:
+
+ $user->supported_features(qw/password salted_hash/);
+
+Expected methods:
+
+=over 4
+
+=item hashed_password
+
+Returns the hash of the user's password as returned from L<Crypt-SaltedHash>->generate.
+
+=back
+
+Optional methods:
+
+=over 4
+
+=item password_salt_len
+
+Returns the length of salt used to generate the salted hash.
+
+=back
+
+=cut
+
+