X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=blobdiff_plain;f=lib%2FCatalyst%2FAuthentication%2FCredential%2FOpenID.pm;h=6eb4d72820dae9648212032d6ead0a9c934b3730;hb=0638ecfb29f35dcb62c095307ad5966f299fa36e;hp=477b9e75c71047788bc4747458af034530b822dd;hpb=f29585f9540eae594f78959a0fec474ef9b18cd6;p=catagits%2FCatalyst-Authentication-Credential-OpenID.git

diff --git a/lib/Catalyst/Authentication/Credential/OpenID.pm b/lib/Catalyst/Authentication/Credential/OpenID.pm
index 477b9e7..6eb4d72 100644
--- a/lib/Catalyst/Authentication/Credential/OpenID.pm
+++ b/lib/Catalyst/Authentication/Credential/OpenID.pm
@@ -1,59 +1,63 @@
 package Catalyst::Authentication::Credential::OpenID;
 use strict;
 use warnings;
-no warnings "uninitialized";
-use parent "Class::Accessor::Fast";
+use base "Class::Accessor::Fast";
 
-BEGIN {
-    __PACKAGE__->mk_accessors(qw/ _config realm debug secret /);
-}
+__PACKAGE__->mk_accessors(qw/
+    realm debug secret
+    openid_field
+    consumer_secret
+    ua_class
+    ua_args
+    extension_args
+    errors_are_fatal
+    extensions
+/);
 
-our $VERSION = "0.04";
+our $VERSION = "0.16";
 
 use Net::OpenID::Consumer;
-use UNIVERSAL::require;
 use Catalyst::Exception ();
 
-sub new : method {
+sub new {
     my ( $class, $config, $c, $realm ) = @_;
-    my $self = { _config => { %{ $config },
-                              %{ $realm->{config} }
-                          }
+    my $self = {
+                    %{ $config },
+                    %{ $realm->{config} }
                  };
     bless $self, $class;
 
     # 2.0 spec says "SHOULD" be named "openid_identifier."
-    $self->_config->{openid_field} ||= "openid_identifier";
-
-    $self->debug( $self->_config->{debug} );
+    $self->{openid_field} ||= "openid_identifier";
 
-    my $secret = $self->_config->{consumer_secret} ||= join("+",
+    my $secret = $self->{consumer_secret} ||= join("+",
                                                             __PACKAGE__,
                                                             $VERSION,
                                                             sort keys %{ $c->config }
                                                             );
 
     $secret = substr($secret,0,255) if length $secret > 255;
-    $self->secret( $secret );
-    $self->_config->{ua_class} ||= "LWPx::ParanoidAgent";
+    $self->secret($secret);
+    # If user has no preference we prefer L::PA b/c it can prevent DoS attacks.
+    my $ua_class = $self->{ua_class} ||= eval "use LWPx::ParanoidAgent" ?
+        "LWPx::ParanoidAgent" : "LWP::UserAgent";
 
-    eval {
-        $self->_config->{ua_class}->require;
-    }
-    or Catalyst::Exception->throw("Could not 'require' user agent class " .
-                                  $self->_config->{ua_class});
+    my $agent_class = $self->ua_class;
+    eval "require $agent_class"
+        or Catalyst::Exception->throw("Could not 'require' user agent class " .
+                                      $self->ua_class);
 
     $c->log->debug("Setting consumer secret: " . $secret) if $self->debug;
 
     return $self;
 }
 
-sub authenticate : method {
+sub authenticate {
     my ( $self, $c, $realm, $authinfo ) = @_;
 
     $c->log->debug("authenticate() called from " . $c->request->uri) if $self->debug;
 
-    my $field = $self->{_config}->{openid_field};
+    my $field = $self->openid_field;
 
     my $claimed_uri = $authinfo->{ $field };
 
@@ -61,18 +65,43 @@ sub authenticate : method {
     $claimed_uri ||= $c->req->method eq 'GET' ? 
         $c->req->query_params->{ $field } : $c->req->body_params->{ $field };
 
+
     my $csr = Net::OpenID::Consumer->new(
-        ua => $self->_config->{ua_class}->new(%{$self->_config->{ua_args} || {}}),
+        ua => $self->ua_class->new(%{$self->ua_args || {}}),
         args => $c->req->params,
         consumer_secret => $self->secret,
     );
 
+    if ( $self->extension_args and $self->debug )
+    {
+        # FIXME - Only on startup, remove extension_args accessor
+        $c->log->warn("The configuration key 'extension_args' is deprecated; use 'extensions'");
+    }
+
+    my @extensions = $self->extensions ?
+        @{ $self->extensions } : $self->extension_args ?
+        @{ $self->extension_args } : ();
+
     if ( $claimed_uri )
     {
         my $current = $c->uri_for($c->req->uri->path); # clear query/fragment...
 
-        my $identity = $csr->claimed_identity($claimed_uri)
-            or Catalyst::Exception->throw($csr->err);
+        my $identity = $csr->claimed_identity($claimed_uri);
+        unless ( $identity )
+        {
+            if ( $self->errors_are_fatal )
+            {
+                Catalyst::Exception->throw($csr->err);
+            }
+            else
+            {
+                $c->log->error($csr->err . " -- $claimed_uri");
+                $c->detach();
+            }
+        }
+
+        $identity->set_extension_args(@extensions)
+            if @extensions;
 
         my $check_url = $identity->check_url(
             return_to  => $current . '?openid-check=1',
@@ -80,7 +109,7 @@ sub authenticate : method {
             delayed_return => 1,
         );
         $c->res->redirect($check_url);
-        return;
+        $c->detach();
     }
     elsif ( $c->req->params->{'openid-check'} )
     {
@@ -98,6 +127,12 @@ sub authenticate : method {
             # This is where we ought to build an OpenID user and verify against the spec.
             my $user = +{ map { $_ => scalar $identity->$_ }
                 qw( url display rss atom foaf declared_rss declared_atom declared_foaf foafmaker ) };
+            # Dude, I did not design the array as hash spec. Don't curse me [apv].
+            my %flat = @extensions;
+            for my $key ( keys %flat )
+            {
+                $user->{extensions}->{$key} = $identity->signed_extension_fields($key);
+            }
 
             my $user_obj = $realm->find_user($user, $c);
 
@@ -107,14 +142,16 @@ sub authenticate : method {
             }
             else
             {
-                $c->log->debug("Verified OpenID identity failed to load with find_user; bad user_class? Try 'Null.'") if $c->debug;
+                $c->log->debug("Verified OpenID identity failed to load with find_user; bad user_class? Try 'Null.'") if $self->debug;
                 return;
             }
         }
         else
         {
-            Catalyst::Exception->throw("Error validating identity: " .
-                                       $csr->err);
+            $self->errors_are_fatal ?
+                Catalyst::Exception->throw("Error validating identity: " . $csr->err)
+                      :
+                $c->log->error( $csr->err);
         }
     }
     return;
@@ -126,15 +163,27 @@ __END__
 
 =head1 NAME
 
-Catalyst::Authentication::Credential::OpenID - OpenID credential for L<Catalyst::Plugin::Authentication> framework.
+Catalyst::Authentication::Credential::OpenID - OpenID credential for Catalyst::Plugin::Authentication framework.
 
 =head1 VERSION
 
-0.04
+0.16
+
+=head1 BACKWARDS COMPATIBILITY CHANGES
+
+=head2 EXTENSION_ARGS v EXTENSIONS
+
+B<NB>: The extensions were previously configured under the key C<extension_args>. They are now configured under C<extensions>. This prevents the need for double configuration but it breaks extensions in your application if you do not change the name. The old version is supported for now but may be phased out at any time.
+
+As previously noted, L</EXTENSIONS TO OPENID>, I have not tested the extensions. I would be grateful for any feedback or, better, tests.
+
+=head2 FATALS
+
+The problems encountered by failed OpenID operations have always been fatals in the past. This is unexpected behavior for most users as it differs from other credentials. Authentication errors here are no longer fatal. Debug/error output is improved to offset the loss of information. If for some reason you would prefer the legacy/fatal behavior, set the configuration variable C<errors_are_fatal> to a true value.
 
 =head1 SYNOPSIS
 
-In MyApp.pm.
+In MyApp.pm-
 
  use Catalyst qw/
     Authentication
@@ -143,7 +192,7 @@ In MyApp.pm.
     Session::State::Cookie
  /;
 
-Somewhere in myapp.conf.
+Somewhere in myapp.conf-
 
  <Plugin::Authentication>
      default_realm   openid
@@ -151,13 +200,13 @@ Somewhere in myapp.conf.
          <openid>
              <credential>
                  class   OpenID
+                 ua_class   LWP::UserAgent
              </credential>
-             ua_class   LWPx::ParanoidAgent
          </openid>
      </realms>
  </Plugin::Authentication>
 
-Or in your myapp.yml if you're using L<YAML> instead.
+Or in your myapp.yml if you're using L<YAML> instead-
 
  Plugin::Authentication:
    default_realm: openid
@@ -165,9 +214,9 @@ Or in your myapp.yml if you're using L<YAML> instead.
      openid:
        credential:
          class: OpenID
-       ua_class: LWPx::ParanoidAgent
+         ua_class: LWP::UserAgent
 
-In a controller, perhaps C<Root::openid>.
+In a controller, perhaps C<Root::openid>-
 
  sub openid : Local {
       my($self, $c) = @_;
@@ -183,7 +232,7 @@ In a controller, perhaps C<Root::openid>.
       }
  }
 
-And a L<Template> to match in C<openid.tt>.
+And a L<Template> to match in C<openid.tt>-
 
  <form action="[% c.uri_for('/openid') %]" method="GET" name="openid">
  <input type="text" name="openid_identifier" class="openid" />
@@ -193,10 +242,10 @@ And a L<Template> to match in C<openid.tt>.
 =head1 DESCRIPTION
 
 This is the B<third> OpenID related authentication piece for
-L<Catalyst>. The first -- L<Catalyst::Plugin::Authentication::OpenID>
-by Benjamin Trott -- was deprecated by the second --
+L<Catalyst>. The first E<mdash> L<Catalyst::Plugin::Authentication::OpenID>
+by Benjamin Trott E<mdash> was deprecated by the second E<mdash>
 L<Catalyst::Plugin::Authentication::Credential::OpenID> by Tatsuhiko
-Miyagawa -- and this is an attempt to deprecate both by conforming to
+Miyagawa E<mdash> and this is an attempt to deprecate both by conforming to
 the newish, at the time of this module's inception, realm-based
 authentication in L<Catalyst::Plugin::Authentication>.
 
@@ -218,7 +267,7 @@ This module functions quite differently internally from the others.
 See L<Catalyst::Plugin::Authentication::Internals> for more about this
 implementation.
 
-=head1 METHOD
+=head1 METHODS
 
 =over 4
 
@@ -310,21 +359,29 @@ clear text passwords and one called "openid" which uses... uh, OpenID.
                           }
               },
               openid => {
-                  consumer_secret => "Don't bother setting",
-                  ua_class => "LWPx::ParanoidAgent",
-                  ua_args => {
-                      whitelisted_hosts => [qw/ 127.0.0.1 localhost /],
-                  },
                   credential => {
                       class => "OpenID",
                       store => {
                           class => "OpenID",
                       },
+                      consumer_secret => "Don't bother setting",
+                      ua_class => "LWP::UserAgent",
+                      # whitelist is only relevant for LWPx::ParanoidAgent
+                      ua_args => {
+                          whitelisted_hosts => [qw/ 127.0.0.1 localhost /],
+                      },
+                      extensions => [
+                          'http://openid.net/extensions/sreg/1.1',
+                          {
+                           required => 'email',
+                           optional => 'fullname,nickname,timezone',
+                          },
+                      ],
                   },
               },
           },
-      },
-      );
+      }
+    );
 
 This is the same configuration in the default L<Catalyst> configuration format from L<Config::General>.
 
@@ -348,17 +405,22 @@ This is the same configuration in the default L<Catalyst> configuration format f
              </credential>
          </members>
          <openid>
-             <ua_args>
-                 whitelisted_hosts   127.0.0.1
-                 whitelisted_hosts   localhost
-             </ua_args>
-             consumer_secret   Don't bother setting
-             ua_class   LWPx::ParanoidAgent
              <credential>
                  <store>
                      class   OpenID
                  </store>
                  class   OpenID
+                 <ua_args>
+                     whitelisted_hosts   127.0.0.1
+                     whitelisted_hosts   localhost
+                 </ua_args>
+                 consumer_secret   Don't bother setting
+                 ua_class   LWP::UserAgent
+                 <extensions>
+                     http://openid.net/extensions/sreg/1.1
+                     required   email
+                     optional   fullname,nickname,timezone
+                 </extensions>
              </credential>
          </openid>
      </realms>
@@ -385,51 +447,54 @@ And now, the same configuration in L<YAML>. B<NB>: L<YAML> is whitespace sensiti
          class: OpenID
          store:
            class: OpenID
-       consumer_secret: Don't bother setting
-       ua_class: LWPx::ParanoidAgent
-       ua_args:
-         whitelisted_hosts:
-           - 127.0.0.1
-           - localhost
+         consumer_secret: Don't bother setting
+         ua_class: LWP::UserAgent
+         ua_args:
+           # whitelist is only relevant for LWPx::ParanoidAgent
+           whitelisted_hosts:
+             - 127.0.0.1
+             - localhost
+         extensions:
+             - http://openid.net/extensions/sreg/1.1
+             - required: email
+               optional: fullname,nickname,timezone
 
-B<NB>: There is no OpenID store yet. Trying for next release.
+B<NB>: There is no OpenID store yet.
 
-=head2 MORE ON CONFIGURATION
+=head2 EXTENSIONS TO OPENID
+
+The Simple Registration--L<http://openid.net/extensions/sreg/1.1>--(SREG) extension to OpenID is supported in the L<Net::OpenID> family now. Experimental support for it is included here as of v0.12. SREG is the only supported extension in OpenID 1.1. It's experimental in the sense it's a new interface and barely tested. Support for OpenID extensions is here to stay.
 
-These are set in your realm. See above.
+=head2 MORE ON CONFIGURATION
 
 =over 4
 
 =item ua_args and ua_class
 
-L<LWPx::ParanoidAgent> is the default agent -- C<ua_class>. You don't
-have to set it. I recommend that you do B<not> override it. You can
-with any well behaved L<LWP::UserAgent>. You probably should not.
-L<LWPx::ParanoidAgent> buys you many defenses and extra security
-checks. When you allow your application users freedom to initiate
-external requests, you open a big avenue for DoS (denial of service)
-attacks. L<LWPx::ParanoidAgent> defends against this.
-L<LWP::UserAgent> and any regular subclass of it will not.
+L<LWPx::ParanoidAgent> is the default agent E<mdash> C<ua_class> E<mdash> if it's available, L<LWP::UserAgent> if not. You don't have to set
+it. I recommend that you do B<not> override it. You can with any well behaved L<LWP::UserAgent>. You probably should not.
+L<LWPx::ParanoidAgent> buys you many defenses and extra security checks. When you allow your application users freedom to initiate external
+requests, you open an avenue for DoS (denial of service) attacks. L<LWPx::ParanoidAgent> defends against this. L<LWP::UserAgent> and any
+regular subclass of it will not.
 
 =item consumer_secret
 
-The underlying L<Net::OpenID::Consumer> object is seeded with a
-secret. If it's important to you to set your own, you can. The default
-uses this package name + its version + the sorted configuration keys
-of your Catalyst application (chopped at 255 characters if it's
-longer). This should generally be superior to any fixed string.
+The underlying L<Net::OpenID::Consumer> object is seeded with a secret. If it's important to you to set your own, you can. The default uses
+this package name + its version + the sorted configuration keys of your Catalyst application (chopped at 255 characters if it's longer).
+This should generally be superior to any fixed string.
 
 =back
 
 =head1 TODO
 
-There are some interesting implications with this sort of setup. Does
-a user aggregate realms or can a user be signed in under more than one
-realm? The documents could contain a recipe of the self-answering
-OpenID end-point that is in the tests.
+Option to suppress fatals.
+
+Support more of the new methods in the L<Net::OpenID> kit.
 
-Debug statements need to be both expanded and limited via realm
-configuration.
+There are some interesting implications with this sort of setup. Does a user aggregate realms or can a user be signed in under more than one
+realm? The documents could contain a recipe of the self-answering OpenID end-point that is in the tests.
+
+Debug statements need to be both expanded and limited via realm configuration.
 
 Better diagnostics in errors. Debug info at all consumer calls.
 
@@ -437,38 +502,29 @@ Roles from provider domains? Mapped? Direct? A generic "openid" auto_role?
 
 =head1 THANKS
 
-To Benjamin Trott (L<Catalyst::Plugin::Authentication::OpenID>), Tatsuhiko Miyagawa (L<Catalyst::Plugin::Authentication::Credential::OpenID>), and Brad Fitzpatrick for the great OpenID stuff and to Jay Kuri and everyone else who has made Catalyst such a wonderful framework.
+To Benjamin Trott (L<Catalyst::Plugin::Authentication::OpenID>), Tatsuhiko Miyagawa (L<Catalyst::Plugin::Authentication::Credential::OpenID>), Brad Fitzpatrick for the great OpenID stuff, Martin Atkins for picking up the code to handle OpenID 2.0, and Jay Kuri and everyone else who has made Catalyst such a wonderful framework.
+
+Menno Blom provided a bug fix and the hook to use OpenID extensions.
 
 =head1 LICENSE AND COPYRIGHT
 
-Copyright (c) 2008, Ashley Pond V C<< <ashley@cpan.org> >>. Some of
-Tatsuhiko Miyagawa's work is reused here.
+Copyright (c) 2008-2009, Ashley Pond V C<< <ashley@cpan.org> >>. Some of Tatsuhiko Miyagawa's work is reused here.
 
-This module is free software; you can redistribute it and modify it
-under the same terms as Perl itself. See L<perlartistic>.
+This module is free software; you can redistribute it and modify it under the same terms as Perl itself. See L<perlartistic>.
 
 =head1 DISCLAIMER OF WARRANTY
 
-Because this software is licensed free of charge, there is no warranty
-for the software, to the extent permitted by applicable law. Except when
-otherwise stated in writing the copyright holders and other parties
-provide the software "as is" without warranty of any kind, either
-expressed or implied, including, but not limited to, the implied
-warranties of merchantability and fitness for a particular purpose. The
-entire risk as to the quality and performance of the software is with
-you. Should the software prove defective, you assume the cost of all
+Because this software is licensed free of charge, there is no warranty for the software, to the extent permitted by applicable law. Except
+when otherwise stated in writing the copyright holders and other parties provide the software "as is" without warranty of any kind, either
+expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The
+entire risk as to the quality and performance of the software is with you. Should the software prove defective, you assume the cost of all
 necessary servicing, repair, or correction.
 
-In no event unless required by applicable law or agreed to in writing
-will any copyright holder, or any other party who may modify or
-redistribute the software as permitted by the above license, be
-liable to you for damages, including any general, special, incidental,
-or consequential damages arising out of the use or inability to use
-the software (including but not limited to loss of data or data being
-rendered inaccurate or losses sustained by you or third parties or a
-failure of the software to operate with any other software), even if
-such holder or other party has been advised of the possibility of
-such damages.
+In no event unless required by applicable law or agreed to in writing will any copyright holder, or any other party who may modify or
+redistribute the software as permitted by the above license, be liable to you for damages, including any general, special, incidental, or
+consequential damages arising out of the use or inability to use the software (including but not limited to loss of data or data being
+rendered inaccurate or losses sustained by you or third parties or a failure of the software to operate with any other software), even if
+such holder or other party has been advised of the possibility of such damages.
 
 =head1 SEE ALSO
 
@@ -476,14 +532,15 @@ such damages.
 
 =item OpenID
 
-L<Net::OpenID::Server>, L<Net::OpenID::VerifiedIdentity>,
-L<Net::OpenID::Consumer>, L<http://openid.net/>, and L<http://openid.net/developers/specs/>.
+L<Net::OpenID::Server>, L<Net::OpenID::VerifiedIdentity>, L<Net::OpenID::Consumer>, L<http://openid.net/>,
+L<http://openid.net/developers/specs/>, and L<http://openid.net/extensions/sreg/1.1>.
 
 =item Catalyst Authentication
 
-L<Catalyst>, L<Catalyst::Plugin::Authentication>, L<Catalyst::Manual::Tutorial::Authorization>, and L<Catalyst::Manual::Tutorial::Authentication>.
+L<Catalyst>, L<Catalyst::Plugin::Authentication>, L<Catalyst::Manual::Tutorial::Authorization>, and
+L<Catalyst::Manual::Tutorial::Authentication>.
 
-=item Catalyst Configuraiton
+=item Catalyst Configuration
 
 L<Catalyst::Plugin::ConfigLoader>, L<Config::General>, and L<YAML>.