X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=blobdiff_plain;f=lib%2FCatalyst%2FAuthentication%2FCredential%2FHTTP.pm;h=b2234b5a4bb31127a44ad029ea87cf72b67da09c;hb=60dd48a6bea236e5ceccb78c37b12f788c30129d;hp=756940bbf5d3afbbefdf57e8711e9525134d79a9;hpb=6cd8c8c7d08ee9846718912d2733dec956341eee;p=catagits%2FCatalyst-Authentication-Credential-HTTP.git diff --git a/lib/Catalyst/Authentication/Credential/HTTP.pm b/lib/Catalyst/Authentication/Credential/HTTP.pm index 756940b..b2234b5 100644 --- a/lib/Catalyst/Authentication/Credential/HTTP.pm +++ b/lib/Catalyst/Authentication/Credential/HTTP.pm @@ -9,16 +9,25 @@ use URI::Escape (); use Catalyst (); use Digest::MD5 (); -BEGIN { - __PACKAGE__->mk_accessors(qw/_config realm/); -} - -our $VERSION = "1.005"; +__PACKAGE__->mk_accessors(qw/ + _config + authorization_required_message + password_field + username_field + type + realm + algorithm + use_uri_for +/); + +our $VERSION = '1.010'; sub new { my ($class, $config, $app, $realm) = @_; - my $self = { _config => $config, _debug => $app->debug }; + $config->{username_field} ||= 'username'; + # _config is shity back-compat with our base class. + my $self = { %$config, _config => $config, _debug => $app->debug ? 1 : 0 }; bless $self, $class; $self->realm($realm); @@ -29,11 +38,12 @@ sub new { sub init { my ($self) = @_; - my $type = $self->_config->{'type'} ||= 'any'; + my $type = $self->type || 'any'; if (!grep /$type/, ('basic', 'digest', 'any')) { Catalyst::Exception->throw(__PACKAGE__ . " used with unsupported authentication type: " . $type); } + $self->type($type); } sub authenticate { @@ -58,15 +68,22 @@ sub authenticate_basic { my $headers = $c->req->headers; if ( my ( $username, $password ) = $headers->authorization_basic ) { - my $user_obj = $realm->find_user( { username => $username }, $c); - if (ref($user_obj)) { - if ($self->check_password($user_obj, {$self->_config->{password_field} => $password})) { - $c->set_authenticated($user_obj); + my $user_obj = $realm->find_user( { $self->username_field => $username }, $c); + if (ref($user_obj)) { + my $opts = {}; + $opts->{$self->password_field} = $password + if $self->password_field; + if ($self->check_password($user_obj, $opts)) { return $user_obj; } - } - else { - $c->log->debug("Unable to locate user matching user info provided") if $c->debug; + else { + $c->log->debug("Password mismatch!") if $c->debug; + return; + } + } + else { + $c->log->debug("Unable to locate user matching user info provided") + if $c->debug; return; } } @@ -97,7 +114,7 @@ sub authenticate_digest { $c->log->debug('Checking authentication parameters.') if $c->debug; - my $uri = '/' . $c->request->path; + my $uri = $c->request->uri->path_query; my $algorithm = $res{algorithm} || 'MD5'; my $nonce_count = '0x' . $res{nc}; @@ -122,12 +139,12 @@ sub authenticate_digest { my $username = $res{username}; - my $user; + my $user_obj; - unless ( $user = $auth_info->{user} ) { - $user = $realm->find_user( { username => $username }, $c); + unless ( $user_obj = $auth_info->{user} ) { + $user_obj = $realm->find_user( { $self->username_field => $username }, $c); } - unless ($user) { # no user, no authentication + unless ($user_obj) { # no user, no authentication $c->log->debug("Unable to locate user matching user info provided") if $c->debug; return; } @@ -146,12 +163,12 @@ sub authenticate_digest { # the idea of the for loop: # if we do not want to store the plain password in our user store, # we can store md5_hex("$username:$realm:$password") instead - my $password_field = $self->_config->{password_field}; + my $password_field = $self->password_field; for my $r ( 0 .. 1 ) { # calculate H(A1) as per spec - my $A1_digest = $r ? $user->$password_field() : do { + my $A1_digest = $r ? $user_obj->$password_field() : do { $ctx = Digest::MD5->new; - $ctx->add( join( ':', $username, $realm->name, $user->$password_field() ) ); + $ctx->add( join( ':', $username, $realm->name, $user_obj->$password_field() ) ); $ctx->hexdigest; }; if ( $nonce->algorithm eq 'MD5-sess' ) { @@ -169,8 +186,7 @@ sub authenticate_digest { $c->cache->set( __PACKAGE__ . '::opaque:' . $nonce->opaque, $nonce ); if ($rq_digest eq $res{response}) { - $c->set_authenticated($user); - return 1; + return $user_obj; } } } @@ -187,7 +203,7 @@ sub _check_cache { sub _is_http_auth_type { my ( $self, $type ) = @_; - my $cfgtype = lc( $self->_config->{'type'} || 'any' ); + my $cfgtype = lc( $self->type ); return 1 if $cfgtype eq 'any' || $cfgtype eq lc $type; return 0; } @@ -197,10 +213,10 @@ sub authorization_required_response { $c->res->status(401); $c->res->content_type('text/plain'); - if (exists $self->_config->{authorization_required_message}) { + if (exists $self->{authorization_required_message}) { # If you set the key to undef, don't stamp on the body. - $c->res->body($self->_config->{authorization_required_message}) - if defined $c->res->body($self->_config->{authorization_required_message}); + $c->res->body($self->authorization_required_message) + if defined $self->authorization_required_message; } else { $c->res->body('Authorization required.'); @@ -267,7 +283,7 @@ sub _build_auth_header_domain { unless ref($domain) && ref($domain) eq "ARRAY"; my @uris = - $self->_config->{use_uri_for} + $self->use_uri_for ? ( map { $c->uri_for($_) } @$domain ) : ( map { URI::Escape::uri_escape($_) } @$domain ); @@ -316,7 +332,7 @@ sub _digest_auth_nonce { my $nonce = $package->new; - if ( my $algorithm = $opts->{algorithm} || $self->_config->{algorithm}) { + if ( my $algorithm = $opts->{algorithm} || $self->algorithm) { $nonce->algorithm( $algorithm ); } @@ -383,6 +399,7 @@ for Catalyst. /; __PACKAGE__->config( authentication => { + default_realm => 'example', realms => { example => { credential => { @@ -406,9 +423,11 @@ for Catalyst. $c->authenticate({ realm => "example" }); # either user gets authenticated or 401 is sent - # Note that the authentication realm sent to the client is overridden - # here, but this does not affect the Catalyst::Authentication::Realm - # used for authentication. + # Note that the authentication realm sent to the client (in the + # RFC 2617 sense) is overridden here, but this *does not* + # effect the Catalyst::Authentication::Realm used for + # authentication - to do that, you need + # $c->authenticate({}, 'otherrealm') do_stuff(); } @@ -562,13 +581,17 @@ Set this to a string to override the default body content "Authorization require =item password_type The type of password returned by the user object. Same usage as in -L +L =item password_field The name of accessor used to retrieve the value of the password field from the user object. Same usage as in L +=item username_field + +The field name that the user's username is mapped into when finding the user from the realm. Defaults to 'username'. + =item use_uri_for If this configuration key has a true value, then the domain(s) for the authorization header will be @@ -592,7 +615,7 @@ C methods return a hashed or salted version of the password. Updated to current name space and currently maintained by: Tomas Doran C. -Original module by: +Original module by: =over @@ -604,6 +627,18 @@ Original module by: =back +=head1 CONTRIBUTORS + +Patches contributed by: + +=over + +=item Peter Corlett + +=item Devin Austin (dhoss) C + +=back + =head1 SEE ALSO RFC 2617 (or its successors), L, L