X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=blobdiff_plain;f=lib%2FCatalyst%2FManual%2FTutorial%2F05_Authentication.pod;h=304a128ddb2e2d31c78160724bd2758621840d1f;hb=436f45daabf1972798918c6a706ac2894972a395;hp=c94964747687b6de2adc469ca30a12c8a7d22b31;hpb=3e1a22407659838b0de4e530339dc25ce643c5d5;p=catagits%2FCatalyst-Manual.git diff --git a/lib/Catalyst/Manual/Tutorial/05_Authentication.pod b/lib/Catalyst/Manual/Tutorial/05_Authentication.pod index c949647..304a128 100644 --- a/lib/Catalyst/Manual/Tutorial/05_Authentication.pod +++ b/lib/Catalyst/Manual/Tutorial/05_Authentication.pod @@ -99,7 +99,7 @@ C in your editor and insert: role TEXT ); CREATE TABLE user_role ( - user_id INTEGER REFERENCES user(id) ON DELETE CASCADE ON UPDATE CASCADE, + user_id INTEGER REFERENCES users(id) ON DELETE CASCADE ON UPDATE CASCADE, role_id INTEGER REFERENCES role(id) ON DELETE CASCADE ON UPDATE CASCADE, PRIMARY KEY (user_id, role_id) ); @@ -229,7 +229,7 @@ C is new): Authentication Session - Session::Store::FastMmap + Session::Store::File Session::State::Cookie /; @@ -254,16 +254,15 @@ the Makefile.PL file something like this: requires 'Catalyst::Plugin::Authentication'; requires 'Catalyst::Plugin::Session'; - requires 'Catalyst::Plugin::Session::Store::FastMmap'; + requires 'Catalyst::Plugin::Session::Store::File'; requires 'Catalyst::Plugin::Session::State::Cookie'; Note that there are several options for L. -L or -L is +L is generally a good choice if you are on Unix. If you are running on -Windows, try -L. Consult +Windows +L is fine. Consult L and its subclasses for additional information and options (for example to use a database- backed session store). @@ -621,61 +620,55 @@ between the browser and your application, consider using SSL/TLS, made easy with the Catalyst plugin Catalyst::Plugin:RequireSSL. -=head2 Re-Run the DBIC::Schema Model Helper to Include DBIx::Class::EncodedColumn +=head2 Re-Run the DBIC::Schema Model Helper to Include DBIx::Class::PassphraseColumn Next, we can re-run the model helper to have it include -L in all of the -Result Classes it generates for us. Simply use the same command we -saw in Chapters 3 and 4, but add C<,EncodedColumn> to the C -argument: +L in all of the Result Classes it generates for +us. Simply use the same command we saw in Chapters 3 and 4, but add +C<,PassphraseColumn> to the C argument: $ script/myapp_create.pl model DB DBIC::Schema MyApp::Schema \ - create=static components=TimeStamp,EncodedColumn dbi:SQLite:myapp.db \ + create=static components=TimeStamp,PassphraseColumn dbi:SQLite:myapp.db \ on_connect_do="PRAGMA foreign_keys = ON" If you then open one of the Result Classes, you will see that it -includes EncodedColumn in the C line. Take a look at +includes PassphraseColumn in the C line. Take a look at C since that's the main class where we want to use hashed and salted passwords: - __PACKAGE__->load_components("InflateColumn::DateTime", "TimeStamp", "EncodedColumn"); + __PACKAGE__->load_components("InflateColumn::DateTime", "TimeStamp", "PassphraseColumn"); -=head2 Modify the "password" Column to Use EncodedColumn +=head2 Modify the "password" Column to Use PassphraseColumn Open the file C and enter the following text below the "# DO NOT MODIFY THIS OR ANYTHING ABOVE!" line but above the closing "1;": - # Have the 'password' column use a SHA-1 hash and 10-character salt - # with hex encoding; Generate the 'check_password" method + # Have the 'password' column use a SHA-1 hash and 20-byte salt + # with RFC 2307 encoding; Generate the 'check_password" method __PACKAGE__->add_columns( 'password' => { - encode_column => 1, - encode_class => 'Digest', - encode_args => {salt_length => 10}, - encode_check_method => 'check_password', + passphrase => 'rfc2307', + passphrase_class => 'SaltedDigest', + passphrase_args => { + algorithm => 'SHA-1', + salt_random => 20. + }, + passphrase_check_method => 'check_password', }, ); -This redefines the automatically generated definition for the password -fields at the top of the Result Class file to now use EncodedColumn -logic (C is set to 1). C can be set to -either C to use -L, -or C for -L. -C is then used to customize the type of Digest you -selected. Here we only specified the size of the salt to use, but -we could have also modified the hashing algorithm ('SHA-256' is -the default) and the format to use ('base64' is the default, but -'hex' and 'binary' are other options). To use these, you could -change the C to something like: - - encode_args => {algorithm => 'SHA-1', - format => 'hex', - salt_length => 10}, - +This redefines the automatically generated definition for the password fields at +the top of the Result Class file to now use PassphraseColumn logic, storing +passwords in RFC 2307 format (C is set to C). +C can be set to the name of any C +class, such as C to use L, or +C to use L. +C is then used to customize the passphrase class you +selected. Here we specified the digest algorithm to use as C and the size +of the salt to use, but we could have also specified any other option the +selected passphrase class supports. =head2 Load Hashed Passwords in the Database @@ -699,7 +692,7 @@ C in your editor and enter the following text: $user->update; } -EncodedColumn lets us simply call C<$user->check_password($password)> +PassphraseColumn lets us simply call C<$user->check_password($password)> to see if the user has supplied the correct password, or, as we show above, call C<$user->update($new_password)> to update the hashed password stored for this user. @@ -717,18 +710,18 @@ The DBIC_TRACE output should show that the update worked: SELECT me.id, me.username, me.password, me.email_address, me.first_name, me.last_name, me.active FROM users me: UPDATE users SET password = ? WHERE ( id = ? ): - 'oXiyAcGOjowz7ISUhpIm1IrS8AxSZ9r4jNjpX9VnVeQmN6GRtRKTz', '1' + '{SSHA}esgz64CpHMo8pMfgIIszP13ft23z/zio04aCwNdm0wc6MDeloMUH4g==', '1' UPDATE users SET password = ? WHERE ( id = ? ): - 'PmyEPrkB8EGwvaF/DvJm7LIfxoZARjv8ygFIR7pc1gEA1OfwHGNzs', '2' + '{SSHA}FpGhpCJus+Ea9ne4ww8404HH+hJKW/fW+bAv1v6FuRUy2G7I2aoTRQ==', '2' UPDATE users SET password = ? WHERE ( id = ? ): - 'h7CS1Fm9UCs4hjcbu2im0HumaHCJUq4Uriac+SQgdUMUfFSoOrz3c', '3' + '{SSHA}ZyGlpiHls8qFBSbHr3r5t/iqcZE602XLMbkSVRRNl6rF8imv1abQVg==', '3' But we can further confirm our actions by dumping the users table: $ sqlite3 myapp.db "select * from users" - 1|test01|38d3974fa9e9263099f7bc2574284b2f55473a9bM=fwpX2NR8|t01@na.com|Joe|Blow|1 - 2|test02|6ed8586587e53e0d7509b1cfed5df08feadc68cbMJlnPyPt0I|t02@na.com|Jane|Doe|1 - 3|test03|af929a151340c6aed4d54d7e2651795d1ad2e2f7UW8dHoGv9z|t03@na.com|No|Go|0 + 1|test01|{SSHA}esgz64CpHMo8pMfgIIszP13ft23z/zio04aCwNdm0wc6MDeloMUH4g==|t01@na.com|Joe|Blow|1 + 2|test02|{SSHA}FpGhpCJus+Ea9ne4ww8404HH+hJKW/fW+bAv1v6FuRUy2G7I2aoTRQ==|t02@na.com|Jane|Doe|1 + 3|test03|{SSHA}ZyGlpiHls8qFBSbHr3r5t/iqcZE602XLMbkSVRRNl6rF8imv1abQVg==|t03@na.com|No|Go|0 As you can see, the passwords are much harder to steal from the database (not only are the hashes stored, but every hash is different