-#!/usr/bin/perl
-
package Catalyst::Plugin::Authentication::Credential::Password;
use strict;
use warnings;
-use Scalar::Util ();
-use Catalyst::Exception ();
-use Digest ();
+use Catalyst::Authentication::Credential::Password ();
+
+## BACKWARDS COMPATIBILITY - all subs below here are deprecated
+## They are here for compatibility with older modules that use / inherit from C::P::A::Password
+## login()'s existance relies rather heavily on the fact that only Credential::Password
+## is being used as a credential. This may not be the case. This is only here
+## for backward compatibility. It will go away in a future version
+## login should not be used in new applications.
sub login {
- my ( $self, $c, $user, $password ) = @_;
- $user = $c->get_user($user)
- unless Scalar::Util::blessed($user)
- and $user->isa("Catalyst:::Plugin::Authentication::User");
+ my ( $c, $user, $password, @rest ) = @_;
+
+ unless (
+ defined($user)
+ or
+ $user = $c->request->param("login")
+ || $c->request->param("user")
+ || $c->request->param("username")
+ ) {
+ $c->log->debug(
+ "Can't login a user without a user object or user ID param")
+ if $c->debug;
+ return;
+ }
+
+ unless (
+ defined($password)
+ or
+ $password = $c->request->param("password")
+ || $c->request->param("passwd")
+ || $c->request->param("pass")
+ ) {
+ $c->log->debug("Can't login a user without a password")
+ if $c->debug;
+ return;
+ }
+
+ unless ( Scalar::Util::blessed($user)
+ and $user->isa("Catalyst::Authentication::User") )
+ {
+ if ( my $user_obj = $c->get_user( $user, $password, @rest ) ) {
+ $user = $user_obj;
+ }
+ else {
+ $c->log->debug("User '$user' doesn't exist in the default store")
+ if $c->debug;
+ return;
+ }
+ }
if ( $c->_check_password( $user, $password ) ) {
$c->set_authenticated($user);
+ $c->log->debug("Successfully authenticated user '$user'.")
+ if $c->debug;
return 1;
}
else {
- return undef;
+ $c->log->debug(
+ "Failed to authenticate user '$user'. Reason: 'Incorrect password'")
+ if $c->debug;
+ return;
}
+
}
+## also deprecated. Here for compatibility with older credentials which do not inherit from C::P::A::Password
sub _check_password {
my ( $c, $user, $password ) = @_;
-
+
if ( $user->supports(qw/password clear/) ) {
return $user->password eq $password;
}
return $crypted eq crypt( $password, $crypted );
}
elsif ( $user->supports(qw/password hashed/) ) {
+
my $d = Digest->new( $user->hash_algorithm );
$d->add( $user->password_pre_salt || '' );
$d->add($password);
$d->add( $user->password_post_salt || '' );
- return $c->digest eq $user->hashed_password;
+
+ my $stored = $user->hashed_password;
+ my $computed = $d->clone()->digest;
+ my $b64computed = $d->clone()->b64digest;
+
+ return ( ( $computed eq $stored )
+ || ( unpack( "H*", $computed ) eq $stored )
+ || ( $b64computed eq $stored)
+ || ( $b64computed.'=' eq $stored) );
+ }
+ elsif ( $user->supports(qw/password salted_hash/) ) {
+ require Crypt::SaltedHash;
+
+ my $salt_len =
+ $user->can("password_salt_len") ? $user->password_salt_len : 0;
+
+ return Crypt::SaltedHash->validate( $user->hashed_password, $password,
+ $salt_len );
+ }
+ elsif ( $user->supports(qw/password self_check/) ) {
+
+ # while somewhat silly, this is to prevent code duplication
+ return $user->check_password($password);
+
}
else {
Catalyst::Exception->throw(
=head1 NAME
-Catalyst:::Plugin::Authentication::Credential::Password - Authenticate a user
-with a password.
-
-=head1 SYNOPSIS
-
- use Catalyst qw/
- Authentication
- Authentication::Store::Foo
- Authentication::Credential::Password
- /;
-
- sub login : Local {
- my ( $self, $c ) = @_;
-
- $c->login( $c->req->param('login'), $c->req->param('password') );
- }
+Catalyst::Plugin::Authentication::Credential::Password - Compatibility shim
=head1 DESCRIPTION
-This authentication credential checker takes a user and a password, and tries
-various methods of comparing a password based on what the user supports:
-
-=over 4
-
-=item clear text password
-
-If the user has clear a clear text password it will be compared directly.
-
-=item crypted password
-
-If UNIX crypt hashed passwords are supported, they will be compared using
-perl's builtin C<crypt> function.
+THIS IS A COMPATIBILITY SHIM. It allows old configurations of Catalyst
+Authentication to work without code changes.
-=item hashed password
+B<DO NOT USE IT IN ANY NEW CODE!>
-If the user object supports hashed passwords, they will be used in conjunction
-with L<Digest>.
-
-=back
+Please see L<Catalyst::Authentication::Credential::Password> for more information.
=head1 METHODS
-=over 4
-
-=item login $user, $password
-
-Try to log a user in.
-
-$user can be an ID or object. If it isa
-L<Catalyst:::Plugin::Authentication::User> it will be used as is. Otherwise
-C<< $c->get_user >> is used to retrieve it.
-
-$password is a string.
-
-=back
+=head2 login( )
=cut
-
-