X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=blobdiff_plain;f=lib%2FCatalyst%2FPlugin%2FAuthentication%2FCredential%2FPassword.pm;h=cfbaf3bd89cefbb2f62b2ef34f124235b48fbbc7;hb=290e5a7efa221cbd3f34a9a72206a6f2d12cc09f;hp=081dca759e17633c4f63d4d313724959f7cdac6f;hpb=c5fbff806cf01bf3ba3a4cab869be2321f6d3c52;p=catagits%2FCatalyst-Plugin-Authentication.git diff --git a/lib/Catalyst/Plugin/Authentication/Credential/Password.pm b/lib/Catalyst/Plugin/Authentication/Credential/Password.pm index 081dca7..cfbaf3b 100644 --- a/lib/Catalyst/Plugin/Authentication/Credential/Password.pm +++ b/lib/Catalyst/Plugin/Authentication/Credential/Password.pm @@ -1,90 +1,9 @@ -#!/usr/bin/perl - package Catalyst::Plugin::Authentication::Credential::Password; -use base qw/Class::Accessor::Fast/; use strict; use warnings; -use Scalar::Util (); -use Catalyst::Exception (); -use Digest (); - -BEGIN { - __PACKAGE__->mk_accessors(qw/_config/); -} - -sub new { - my ($class, $config, $app) = @_; - - my $self = { _config => $config }; - bless $self, $class; - - $self->_config->{'password_field'} ||= 'password'; - $self->_config->{'password_type'} ||= 'clear'; - $self->_config->{'password_hash_type'} ||= 'SHA-1'; - - my $passwordtype = $self->_config->{'password_type'}; - if (!grep /$passwordtype/, ('clear', 'hashed', 'salted_hash', 'crypted', 'self_check')) { - Catalyst::Exception->throw(__PACKAGE__ . " used with unsupported password type: " . $self->_config->{'password_type'}); - } - return $self; -} - -sub authenticate { - my ( $self, $c, $authstore, $authinfo ) = @_; - - ## because passwords may be in a hashed format, we have to make sure that we remove the - ## password_field before we pass it to the user routine, as some auth modules use - ## all data passed to them to find a matching user... - my $userfindauthinfo = {%{$authinfo}}; - delete($userfindauthinfo->{$self->_config->{'password_field'}}); - - my $user_obj = $authstore->find_user($userfindauthinfo, $c); - if (ref($user_obj)) { - if ($self->check_password($user_obj, $authinfo)) { - return $user_obj; - } - } else { - $c->log->debug("Unable to locate user matching user info provided"); - return; - } -} - -sub check_password { - my ( $self, $user, $authinfo ) = @_; - - if ($self->_config->{'password_type'} eq 'self_check') { - return $user->check_password($authinfo->{$self->_config->{'password_field'}}); - } else { - my $password = $authinfo->{$self->_config->{'password_field'}}; - my $storedpassword = $user->get($self->_config->{'password_field'}); - - if ($self->_config->{password_type} eq 'clear') { - return $password eq $storedpassword; - } elsif ($self->_config->{'password_type'} eq 'crypted') { - return $storedpassword eq crypt( $password, $storedpassword ); - } elsif ($self->_config->{'password_type'} eq 'salted_hash') { - require Crypt::SaltedHash; - my $salt_len = $self->_config->{'password_salt_len'} ? $self->_config->{'password_salt_len'} : 0; - return Crypt::SaltedHash->validate( $storedpassword, $password, - $salt_len ); - } elsif ($self->_config->{'password_type'} eq 'hashed') { - - my $d = Digest->new( $self->_config->{'password_hash_type'} ); - $d->add( $self->_config->{'password_pre_salt'} || '' ); - $d->add($password); - $d->add( $self->_config->{'password_post_salt'} || '' ); - - my $computed = $d->clone()->digest; - my $b64computed = $d->clone()->b64digest; - return ( ( $computed eq $storedpassword ) - || ( unpack( "H*", $computed ) eq $storedpassword ) - || ( $b64computed eq $storedpassword) - || ( $b64computed.'=' eq $storedpassword) ); - } - } -} +use Catalyst::Authentication::Credential::Password (); ## BACKWARDS COMPATIBILITY - all subs below here are deprecated ## They are here for compatibility with older modules that use / inherit from C::P::A::Password @@ -122,7 +41,7 @@ sub login { } unless ( Scalar::Util::blessed($user) - and $user->isa("Catalyst::Plugin::Authentication::User") ) + and $user->isa("Catalyst::Authentication::User") ) { if ( my $user_obj = $c->get_user( $user, $password, @rest ) ) { $user = $user_obj; @@ -206,164 +125,15 @@ __END__ =head1 NAME -Catalyst::Plugin::Authentication::Credential::Password - Authenticate a user -with a password. - -=head1 SYNOPSIS - - use Catalyst qw/ - Authentication - /; - - package MyApp::Controller::Auth; - - sub login : Local { - my ( $self, $c ) = @_; - - $c->authenticate( { username => $c->req->param('username'), - password => $c->req->param('password') }); - } +Catalyst::Plugin::Authentication::Credential::Password - Compatibility shim =head1 DESCRIPTION -This authentication credential checker takes authentication information -(most often a username) and a password, and attempts to validate the password -provided against the user retrieved from the store. - -=head1 CONFIGURATION - - # example - __PACKAGE__->config->{authentication} = - { - default_realm => 'members', - realms => { - members => { - - credential => { - class => 'Password', - password_field => 'password', - password_type => 'hashed', - password_hash_type => 'SHA-1' - }, - ... - - -The password module is capable of working with several different password -encryption/hashing algorithms. The one the module uses is determined by the -credential configuration. - -Those who have used L prior to the 0.10 release -should note that the password field and type information is no longer part -of the store configuration and is now part of the Password credential configuration. - -=over 4 - -=item class - -The classname used for Credential. This is part of -L and is the method by which -Catalyst::Plugin::Authentication::Credential::Password is loaded as the -credential validator. For this module to be used, this must be set to -'Password'. - -=item password_field - -The field in the user object that contains the password. This will vary -depending on the storage class used, but is most likely something like -'password'. In fact, this is so common that if this is left out of the config, -it defaults to 'password'. This field is obtained from the user object using -the get() method. Essentially: $user->get('passwordfieldname'); - -=item password_type - -This sets the password type. Often passwords are stored in crypted or hashed -formats. In order for the password module to verify the plaintext password -passed in, it must be told what format the password will be in when it is retreived -from the user object. The supported options are: - -=over 8 - -=item clear - -The password in user is in clear text and will be compared directly. - -=item self_check - -This option indicates that the password should be passed to the check_password() -routine on the user object returned from the store. - -=item crypted - -The password in user is in UNIX crypt hashed format. - -=item salted_hash - -The password in user is in salted hash format, and will be validated -using L. If this password type is selected, you should -also provide the B config element to define the salt length. - -=item hashed - -If the user object supports hashed passwords, they will be used in conjunction -with L. The following config elements affect the hashed configuration: - -=over 8 - -=item password_hash_type - -The hash type used, passed directly to L. - -=item password_pre_salt - -Any pre-salt data to be passed to L before processing the password. - -=item password_post_salt - -Any post-salt data to be passed to L after processing the password. - -=back - -=back - -=back - -=head1 USAGE - -The Password credential module is very simple to use. Once configured as -indicated above, authenticating using this module is simply a matter of -calling $c->authenticate() with an authinfo hashref that includes the -B element. The password element should contain the password supplied -by the user to be authenticated, in clear text. The other information supplied -in the auth hash is ignored by the Password module, and simply passed to the -auth store to be used to retrieve the user. An example call follows: - - if ($c->authenticate({ username => $username, - password => $password} )) { - # authentication successful - } else { - # authentication failed - } - -=head1 METHODS - -There are no publicly exported routines in the Password module (or indeed in -most credential modules.) However, below is a description of the routines -required by L for all credential modules. - -=over 4 - -=item new ( $config, $app ) +THIS IS A COMPATIBILITY SHIM. It allows old configurations of Catalyst +Authentication to work without code changes. -Instantiate a new Password object using the configuration hash provided in -$config. A reference to the application is provided as the second argument. -Note to credential module authors: new() is called during the application's -plugin setup phase, which is before the application specific controllers are -loaded. The practical upshot of this is that things like $c->model(...) will -not function as expected. +B -=item authenticate ( $authinfo, $c ) +Please see L for more information. -Try to log a user in, receives a hashref containing authentication information -as the first argument, and the current context as the second. -=back