X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=blobdiff_plain;f=lib%2FCatalyst%2FAuthentication%2FCredential%2FHTTP.pm;h=eacc14fd92d9c68781b9a232f97b6fce2b286ee7;hb=e8cb49b7353a5a11ab7b93a3207b04ce62577fb6;hp=7d6d7acf1e096303df926af6d845d12b19df91c3;hpb=513d8ab6f47359066c6e6f6647d04d39badda300;p=catagits%2FCatalyst-Authentication-Credential-HTTP.git

diff --git a/lib/Catalyst/Authentication/Credential/HTTP.pm b/lib/Catalyst/Authentication/Credential/HTTP.pm
index 7d6d7ac..eacc14f 100644
--- a/lib/Catalyst/Authentication/Credential/HTTP.pm
+++ b/lib/Catalyst/Authentication/Credential/HTTP.pm
@@ -1,5 +1,5 @@
 package Catalyst::Authentication::Credential::HTTP;
-use base qw/Catalyst::Component/;
+use base qw/Catalyst::Authentication::Credential::Password/;
 
 use strict;
 use warnings;
@@ -13,22 +13,28 @@ BEGIN {
     __PACKAGE__->mk_accessors(qw/_config realm/);
 }
 
-our $VERSION = "1.000";
+our $VERSION = "1.006";
 
 sub new {
     my ($class, $config, $app, $realm) = @_;
     
+    $config->{username_field} ||= 'username';
     my $self = { _config => $config, _debug => $app->debug };
     bless $self, $class;
     
     $self->realm($realm);
     
+    $self->init;
+    return $self;
+}    
+
+sub init {
+    my ($self) = @_;
     my $type = $self->_config->{'type'} ||= 'any';
     
     if (!grep /$type/, ('basic', 'digest', 'any')) {
         Catalyst::Exception->throw(__PACKAGE__ . " used with unsupported authentication type: " . $type);
     }
-    return $self;
 }
 
 sub authenticate {
@@ -53,9 +59,12 @@ sub authenticate_basic {
     my $headers = $c->req->headers;
 
     if ( my ( $username, $password ) = $headers->authorization_basic ) {
-	    my $user_obj = $realm->find_user( { username => $username }, $c);
-	    if (ref($user_obj)) {            
-            if ($user_obj->check_password($password)) {
+	    my $user_obj = $realm->find_user( { $self->_config->{username_field} => $username }, $c);
+	    if (ref($user_obj)) {
+            my $opts = {};
+            $opts->{$self->_config->{password_field}} = $password 
+                if $self->_config->{password_field};            
+            if ($self->check_password($user_obj, $opts)) {
                 $c->set_authenticated($user_obj);
                 return $user_obj;
             }
@@ -120,7 +129,7 @@ sub authenticate_digest {
         my $user;
 
         unless ( $user = $auth_info->{user} ) {
-            $user = $realm->find_user( { username => $username }, $c);
+            $user = $realm->find_user( { $self->_config->{username_field} => $username }, $c);
         }
         unless ($user) {    # no user, no authentication
             $c->log->debug("Unable to locate user matching user info provided") if $c->debug;
@@ -141,12 +150,12 @@ sub authenticate_digest {
         # the idea of the for loop:
         # if we do not want to store the plain password in our user store,
         # we can store md5_hex("$username:$realm:$password") instead
+        my $password_field = $self->_config->{password_field};
         for my $r ( 0 .. 1 ) {
-
             # calculate H(A1) as per spec
-            my $A1_digest = $r ? $user->password : do {
+            my $A1_digest = $r ? $user->$password_field() : do {
                 $ctx = Digest::MD5->new;
-                $ctx->add( join( ':', $username, $realm->name, $user->password ) );
+                $ctx->add( join( ':', $username, $realm->name, $user->$password_field() ) );
                 $ctx->hexdigest;
             };
             if ( $nonce->algorithm eq 'MD5-sess' ) {
@@ -247,10 +256,8 @@ sub _create_basic_auth_response {
 }
 
 sub _build_auth_header_realm {
-    my ( $self ) = @_;    
-
-    if ( my $realm = $self->realm ) {
-        my $realm_name = String::Escape::qprintable($realm->name);
+    my ( $self, $c, $opts ) = @_;    
+    if ( my $realm_name = String::Escape::qprintable($opts->{realm} ? $opts->{realm} : $self->realm->name) ) {
         $realm_name = qq{"$realm_name"} unless $realm_name =~ /^"/;
         return 'realm=' . $realm_name;
     } 
@@ -259,7 +266,6 @@ sub _build_auth_header_realm {
 
 sub _build_auth_header_domain {
     my ( $self, $c, $opts ) = @_;
-
     if ( my $domain = $opts->{domain} ) {
         Catalyst::Exception->throw("domain must be an array reference")
           unless ref($domain) && ref($domain) eq "ARRAY";
@@ -276,9 +282,8 @@ sub _build_auth_header_domain {
 
 sub _build_auth_header_common {
     my ( $self, $c, $opts ) = @_;
-
     return (
-        $self->_build_auth_header_realm(),
+        $self->_build_auth_header_realm($c, $opts),
         $self->_build_auth_header_domain($c, $opts),
     );
 }
@@ -382,11 +387,14 @@ for Catalyst.
     /;
 
     __PACKAGE__->config( authentication => {
+        default_realm => 'example',
         realms => { 
             example => { 
                 credential => { 
                     class => 'HTTP',
                     type  => 'any', # or 'digest' or 'basic'
+                    password_type  => 'clear',
+                    password_field => 'password'
                 },
                 store => {
                     class => 'Minimal',
@@ -403,9 +411,24 @@ for Catalyst.
 
         $c->authenticate({ realm => "example" }); 
         # either user gets authenticated or 401 is sent
+        # Note that the authentication realm sent to the client (in the 
+        # RFC 2617 sense) is overridden here, but this *does not* 
+        # effect the Catalyst::Authentication::Realm used for 
+        # authentication - to do that, you need 
+        # $c->authenticate({}, 'otherrealm')
 
         do_stuff();
     }
+    
+    sub always_auth : Local {
+        my ( $self, $c ) = @_;
+        
+        # Force authorization headers onto the response so that the user
+        # is asked again for authentication, even if they successfully
+        # authenticated.
+        my $realm = $c->get_auth_realm('example');
+        $realm->credential->authorization_required_response($c, $realm);
+    }
 
     # with ACL plugin
     __PACKAGE__->deny_access_unless("/path", sub { $_[0]->authenticate });
@@ -444,6 +467,10 @@ C<get_digest_authorization_nonce> methods as shown below.
 
 Simple constructor.
 
+=item init
+
+Validates that $config is ok.
+
 =item authenticate $c, $realm, \%auth_info
 
 Tries to authenticate the user, and if that fails calls
@@ -454,14 +481,50 @@ Looks inside C<< $c->request->headers >> and processes the digest and basic
 
 This will only try the methods set in the configuration. First digest, then basic.
 
-This method just passes the options through untouched. See the next two methods for what \%auth_info can contain.
+The %auth_info hash can contain a number of keys which control the authentication behaviour:
+
+=over
+
+=item realm
+
+Sets the HTTP authentication realm presented to the client. Note this does not alter the
+Catalyst::Authentication::Realm object used for the authentication.
+
+=item domain
+
+Array reference to domains used to build the authorization headers.
+
+This list of domains defines the protection space. If a domain URI is an 
+absolute path (starts with /), it is relative to the root URL of the server being accessed. 
+An absolute URI in this list may refer to a different server than the one being accessed. 
+
+The client will use this list to determine the set of URIs for which the same authentication 
+information may be sent. 
+
+If this is omitted or its value is empty, the client will assume that the
+protection space consists of all URIs on the responding server.
+
+Therefore, if your application is not hosted at the root of this domain, and you want to
+prevent the authentication credentials for this application being sent to any other applications.
+then you should use the I<use_uri_for> configuration option, and pass a domain of I</>.
+
+=back
 
 =item authenticate_basic $c, $realm, \%auth_info
 
+Performs HTTP basic authentication.
+
 =item authenticate_digest $c, $realm, \%auth_info
 
-Try to authenticate one of the methods without checking if the method is
-allowed in the configuration.
+Performs HTTP digest authentication. Note that the password_type B<must> by I<clear> for
+digest authentication to succeed, and you must have L<Catalyst::Plugin::Session> in
+your application as digest authentication needs to store persistent data.
+
+Note - if you do not want to store your user passwords as clear text, then it is possible
+to store instead the MD5 digest in hex of the string '$username:$realm:$password' 
+
+Takes an additional parameter of I<algorithm>, the possible values of which are 'MD5' (the default)
+and 'MD5-sess'. For more information about 'MD5-sess', see section 3.2.2.2 in RFC 2617.
 
 =item authorization_required_response $c, $realm, \%auth_info
 
@@ -490,7 +553,7 @@ All configuration is stored in C<< YourApp->config(authentication => { yourrealm
 
 This should be a hash, and it can contain the following entries:
 
-=over 4
+=over
 
 =item type
 
@@ -503,6 +566,27 @@ not the "manual" methods.
 
 Set this to a string to override the default body content "Authorization required.", or set to undef to suppress body content being generated.
 
+=item password_type
+
+The type of password returned by the user object. Same usage as in 
+L<Catalyst::Authentication::Credential::Password|Catalyst::Authentication::Credential::Password/password_type>
+
+=item password_field
+
+The name of accessor used to retrieve the value of the password field from the user object. Same usage as in 
+L<Catalyst::Authentication::Credential::Password|Catalyst::Authentication::Credential::Password/password_field>
+
+=item username_field
+
+The field name that the user's username is mapped into when finding the user from the realm. Defaults to 'username'.
+
+=item use_uri_for
+
+If this configuration key has a true value, then the domain(s) for the authorization header will be
+run through $c->uri_for(). Use this configuration option if your application is not running at the root
+of your domain, and you want to ensure that authentication credentials from your application are not shared with
+other applications on the same server.
+
 =back
 
 =head1 RESTRICTIONS