{
$c->save_user_in_session($user, $realmname);
}
- $user->_set_auth_realm($realmname);
+ $user->auth_realm($realmname);
$c->NEXT::set_authenticated($user, $realmname);
}
return $c->_user(@_);
}
- if ( defined(my $user = $c->_user) ) {
- return $user;
+ if ( defined($c->_user) ) {
+ return $c->_user;
} else {
return $c->auth_restore_user;
}
return defined($c->_user) || defined($c->_user_in_session);
}
+# works like user_exists - except only returns true if user
+# exists AND is in the realm requested.
+sub user_in_realm {
+ my ($c, $realmname) = @_;
+
+ if (defined($c->_user)) {
+ return ($c->_user->auth_realm eq $realmname);
+ } elsif (defined($c->_user_in_session)) {
+ return ($c->session->{__user_realm} eq $realmname);
+ } else {
+ return undef;
+ }
+}
sub save_user_in_session {
my ( $c, $user, $realmname ) = @_;
$c->session->{__user_realm} = $realmname;
- # we want to ask the backend for a user prepared for the session.
+ # we want to ask the store for a user prepared for the session.
# but older modules split this functionality between the user and the
- # backend. We try the store first. If not, we use the old method.
+ # store. We try the store first. If not, we use the old method.
my $realm = $c->get_auth_realm($realmname);
if ($realm->{'store'}->can('for_session')) {
$c->session->{__user} = $realm->{'store'}->for_session($c, $user);
return $c->session->{__user};
}
-sub _store_in_session {
- my $c = shift;
-
- # we don't need verification, it's only called if _user_in_session returned something useful
-
- return $c->session->{__user_store};
-}
-
sub auth_restore_user {
my ( $c, $frozen_user, $realmname ) = @_;
$c->_user( my $user = $realm->{'store'}->from_session( $c, $frozen_user ) );
# this sets the realm the user originated in.
- $user->_set_auth_realm($realmname);
+ $user->auth_realm($realmname);
return $user;
}
}
-
# set up realmname.
sub setup_auth_realm {
my ($app, $realmname, $config) = @_;
my $storeclass = $config->{'store'}{'class'};
## follow catalyst class naming - a + prefix means a fully qualified class, otherwise it's
- ## taken to mean C::P::A::Store::(specifiedclass)::Backend
+ ## taken to mean C::P::A::Store::(specifiedclass)
if ($storeclass !~ /^\+(.*)$/ ) {
- $storeclass = "Catalyst::Plugin::Authentication::Store::${storeclass}::Backend";
+ $storeclass = "Catalyst::Plugin::Authentication::Store::${storeclass}";
} else {
$storeclass = $1;
}
}
$app->auth_realms->{$realmname}{'store'} = $storeclass->new($config->{'store'}, $app);
- if ($credentialclass->can('new')) {
- $app->auth_realms->{$realmname}{'credential'} = $credentialclass->new($config->{'credential'}, $app);
- } else {
- # if the credential class is not actually a class - has no 'new' operator, we wrap it,
- # once again - to allow our code to be simple at runtime and allow non-OO packages to function.
- my $wrapperclass = 'Catalyst::Plugin::Authentication::Credential::Wrapper';
- Catalyst::Utils::ensure_class_loaded( $wrapperclass );
- $app->auth_realms->{$realmname}{'credential'} = $wrapperclass->new($config->{'credential'}, $app);
- }
+ $app->auth_realms->{$realmname}{'credential'} = $credentialclass->new($config->{'credential'}, $app);
+
}
sub auth_realms {
my $realm = $app->get_auth_realm($realmname);
+ ## note to self - make authenticate throw an exception if realm is invalid.
+
if ($realm && exists($realm->{'credential'})) {
my $user = $realm->{'credential'}->authenticate($app, $realm->{store}, $userinfo);
if (ref($user)) {
=head3 Storage Backends
-The authentication data also identifies a user, and the Storage Backend modules
+The authentication data also identifies a user, and the Storage backend modules
use this data to locate and return a standardized object-oriented
representation of a user.
credentials, the classname 'B<Password>', for example, is expanded to
Catalyst::Plugin::Authentication::Credential::B<Password>. For stores, the
classname 'B<storename>' is expanded to:
-Catalyst::Plugin::Authentication::Store::B<storename>::Backend.
+Catalyst::Plugin::Authentication::Store::B<storename>.
=back
Returns true if a user is logged in right now. The difference between
user_exists and user is that user_exists will return true if a user is logged
-in, even if it has not been retrieved from the storage backend. If you only
+in, even if it has not been yet retrieved from the storage backend. If you only
need to know if the user is logged in, depending on the storage mechanism this
can be much more efficient.
+=item user_in_realm ( $realm )
+
+Works like user_exists, except that it only returns true if a user is both
+logged in right now and is from the realm provided.
+
=item logout
Logs the user out, Deletes the currently logged in user from $c->user and the session.
deprecated. They remain only as a transition tool, for those sites which can
not yet be upgraded to use the new system due to local customizations or use
of Credential / Store modules that have not yet been updated to work with the
-new backend API.
+new API.
These routines should not be used in any application using realms
functionality or any of the methods described above. These are for reference
use Catalyst qw/Authentication Authentication::Store::Minimal/;
Sets the default store to
-L<Catalyst::Plugin::Authentication::Store::Minimal::Backend>.
+L<Catalyst::Plugin::Authentication::Store::Minimal>.
=item get_auth_store $name
#!/usr/bin/perl
package Catalyst::Plugin::Authentication::Credential::Password;
+use base qw/Class::Accessor::Fast/;
use strict;
use warnings;
use Catalyst::Exception ();
use Digest ();
+BEGIN {
+ __PACKAGE__->mk_accessors(qw/_config/);
+}
+
sub new {
my ($class, $config, $app) = @_;
- my $self = { %{$config} };
- $self->{'password_field'} ||= 'password';
- $self->{'password_type'} ||= 'clear';
- $self->{'password_hash_type'} ||= 'SHA-1';
+ my $self = { _config => $config };
+ bless $self, $class;
+
+ $self->_config->{'password_field'} ||= 'password';
+ $self->_config->{'password_type'} ||= 'clear';
+ $self->_config->{'password_hash_type'} ||= 'SHA-1';
- if (!grep /$$self{'password_type'}/, ('clear', 'hashed', 'salted_hash', 'crypted', 'self_check')) {
- Catalyst::Exception->throw(__PACKAGE__ . " used with unsupported password type: " . $self->{'password_type'});
+ my $passwordtype = $self->_config->{'password_type'};
+ if (!grep /$passwordtype/, ('clear', 'hashed', 'salted_hash', 'crypted', 'self_check')) {
+ Catalyst::Exception->throw(__PACKAGE__ . " used with unsupported password type: " . $self->_config->{'password_type'});
}
-
- bless $self, $class;
+ return $self;
}
sub authenticate {
my ( $self, $c, $authstore, $authinfo ) = @_;
- my $user_obj = $authstore->find_user($authinfo, $c);
+ ## because passwords may be in a hashed format, we have to make sure that we remove the
+ ## password_field before we pass it to the user routine, as some auth modules use
+ ## all data passed to them to find a matching user...
+ my $userfindauthinfo = {%{$authinfo}};
+ delete($userfindauthinfo->{$self->_config->{'password_field'}});
+
+ my $user_obj = $authstore->find_user($userfindauthinfo, $c);
if (ref($user_obj)) {
if ($self->check_password($user_obj, $authinfo)) {
return $user_obj;
sub check_password {
my ( $self, $user, $authinfo ) = @_;
- if ($self->{'password_type'} eq 'self_check') {
- return $user->check_password($authinfo->{$self->{'password_field'}});
+ if ($self->_config->{'password_type'} eq 'self_check') {
+ return $user->check_password($authinfo->{$self->_config->{'password_field'}});
} else {
- my $password = $authinfo->{$self->{'password_field'}};
- my $storedpassword = $user->get($self->{'password_field'});
+ my $password = $authinfo->{$self->_config->{'password_field'}};
+ my $storedpassword = $user->get($self->_config->{'password_field'});
- if ($self->{password_type} eq 'clear') {
+ if ($self->_config->{password_type} eq 'clear') {
return $password eq $storedpassword;
- } elsif ($self->{'password_type'} eq 'crypted') {
+ } elsif ($self->_config->{'password_type'} eq 'crypted') {
return $storedpassword eq crypt( $password, $storedpassword );
- } elsif ($self->{'password_type'} eq 'salted_hash') {
+ } elsif ($self->_config->{'password_type'} eq 'salted_hash') {
require Crypt::SaltedHash;
- my $salt_len = $self->{'password_salt_len'} ? $self->{'password_salt_len'} : 0;
+ my $salt_len = $self->_config->{'password_salt_len'} ? $self->_config->{'password_salt_len'} : 0;
return Crypt::SaltedHash->validate( $storedpassword, $password,
$salt_len );
- } elsif ($self->{'password_type'} eq 'hashed') {
+ } elsif ($self->_config->{'password_type'} eq 'hashed') {
- my $d = Digest->new( $self->{'password_hash_type'} );
- $d->add( $self->{'password_pre_salt'} || '' );
+ my $d = Digest->new( $self->_config->{'password_hash_type'} );
+ $d->add( $self->_config->{'password_pre_salt'} || '' );
$d->add($password);
- $d->add( $self->{'password_post_salt'} || '' );
+ $d->add( $self->_config->{'password_post_salt'} || '' );
my $computed = $d->clone()->digest;
my $b64computed = $d->clone()->b64digest;
+++ /dev/null
-package Catalyst::Plugin::Authentication::Credential::Wrapper;
-
-use strict;
-use warnings;
-
-sub new {
- my ($myclass, $hash, $app) = @_;
-
-
- if (!exists($hash->{'class'})) {
- Carp::croak "Couldn't setup a wrapped Credential, no module specified";
- }
- my $data = {};
- my $wrappedclass = $hash->{'class'};
- my $authroutine = $hash->{'authroutine'} ||= 'authenticate';
- $data->{authroutine} = $wrappedclass->can($authroutine);
-
- if (!$data->{'authroutine'}) {
- Carp::croak "Couldn't set up a wrapped Credential, auth sub: $authroutine was not found";
- }
-
- bless $data, $myclass;
-}
-
-sub authenticate {
- my ($self, $c, $store, $authinfo) = @_;
-
- return $self->{'authroutine'}->($c, $store, $authinfo);
-}
-
-__PACKAGE__;
-
-__END__
\ No newline at end of file
verifying the credentials and retrieving users is delegated to separate
modules. These modules are called B<Credentials> and storage backends, or
B<Stores>, respectively. For authentication to function there must be at least
-one credential and one storage backend. A pairing of a store and a credential
+one credential and one store. A pairing of a store and a credential
is referred to as a B<Realm>. There may be any number of realms defined for an
application, though most applications will not require more than one or two.
=head1 WRITING A STORE
-There are two parts to an authentication store, the backend and the user object.
+There are two parts to an authentication store, the store object and the user object.
=head2 STORAGE BACKEND
-Writing a storage backend is actually quite simple. There are only five methods
+Writing a store is actually quite simple. There are only five methods
that must be implemented. They are:
new() - instantiates the store object
=head1 WRITING A CREDENTIAL
-There are two parts to an authentication store, the backend and the user object.
-
-=head2 STORAGE BACKEND
... Documentation fairy fell asleep here.
=head1 MULTIPLE BACKENDS
+B<NOTE> This is documentation for the old store system. This is not how the new realm-based stores
+work. Nobody has managed to rewrite this part of the documentation yet.
+See L<Catalyst::Plugin::Authentication::Internals> instead.
+
A key issue to understand about authentication stores is that there are
potentially many of them. Each one is registered into the application, and has
a name.
/;
the Store plugins typically only act at setup time. They rarely do more than
-check out the configuration, and register e.g. Store::Foo::Backend, and set it
+check out the configuration, and register e.g. Store::Foo, and set it
as the default store.
__PACKAGE__->default_auth_store( $store );
use strict;
use warnings;
-use Catalyst::Plugin::Authentication::Store::Minimal::Backend;
+use Catalyst::Plugin::Authentication::User::Hash;
+use Scalar::Util ();
+use base qw/Class::Accessor::Fast/;
+BEGIN {
+ __PACKAGE__->mk_accessors(qw/userhash/);
+}
+
+sub new {
+ my ( $class, $config, $app) = @_;
+
+ bless { userhash => $config->{'users'} }, $class;
+}
+
+sub from_session {
+ my ( $self, $c, $id ) = @_;
+
+ return $id if ref $id;
+
+ $self->find_user( { id => $id } );
+}
+
+## this is not necessarily a good example of what find_user can do, since all we do is
+## look up with the id anyway. find_user can be used to locate a user based on other
+## combinations of data. See C::P::Authentication::Store::DBIx::Class for a better example
+sub find_user {
+ my ( $self, $userinfo, $c ) = @_;
+
+ my $id = $userinfo->{'id'};
+
+ $id ||= $userinfo->{'username'};
+
+ return unless exists $self->userhash->{$id};
+
+ my $user = $self->userhash->{$id};
+
+ if ( ref $user ) {
+ if ( ref $user eq "HASH" ) {
+ $user->{id} ||= $id;
+ return bless $user, "Catalyst::Plugin::Authentication::User::Hash";
+ }
+ else {
+ Catalyst::Exception->throw( "The user '$id' is a reference of type "
+ . ref($user)
+ . " but should be a HASH" );
+ }
+ }
+ else {
+ Catalyst::Exception->throw(
+ "The user '$id' is has to be a hash reference or an object");
+ }
+
+ return $user;
+}
+
+sub user_supports {
+ my $self = shift;
+
+ # choose a random user
+ scalar keys %{ $self->userhash };
+ ( undef, my $user ) = each %{ $self->userhash };
+
+ $user->supports(@_);
+}
+
+## Backwards compatibility
+#
+# This is a backwards compatible routine. get_user is specifically for loading a user by it's unique id
+# find_user is capable of doing the same by simply passing { id => $id }
+# no new code should be written using get_user as it is deprecated.
+sub get_user {
+ my ( $self, $id ) = @_;
+ $self->find_user({id => $id});
+}
+
+## backwards compatibility
sub setup {
my $c = shift;
$c->default_auth_store(
- Catalyst::Plugin::Authentication::Store::Minimal::Backend->new(
+ __PACKAGE__->new(
$c->config->{authentication}, $c
)
);
=head1 NAME
-Catalyst::Plugin::Authentication::Store::Minimal - Authentication
-database in C<< $c->config >>.
+Catalyst::Plugin::Authentication::Store::Minimal - Minimal
+authentication store.
=head1 SYNOPSIS
- use Catalyst qw/
- Authentication
- /;
+ # you probably just want Store::Minimal under most cases,
+ # but if you insist you can instantiate your own store:
- __PACKAGE__->config->{authentication}{users} = {
- name => {
- password => "s3cr3t",
- roles => [qw/admin editor/],
- ...
- },
- };
-
- sub login : Global {
- my ( $self, $c ) = @_;
-
- $c->login( $c->req->param("login"), $c->req->param("password"), );
- }
+ use Catalyst::Plugin::Authentication::Store::Minimal;
+ use Catalyst qw/
+ Authentication
+ /;
+
+ __PACKAGE__->config->{authentication} =
+ {
+ default_realm => 'members',
+ realms => {
+ members => {
+ credential => {
+ class => 'Password'
+ },
+ store => {
+ class => 'Minimal',
+ users = {
+ bob => {
+ password => "s00p3r",
+ editor => 'yes',
+ roles => [qw/edit delete/],
+ },
+ william => {
+ password => "s3cr3t",
+ roles => [qw/comment/],
+ }
+ }
+ }
+ }
+ }
+ };
+
+
=head1 DESCRIPTION
-This authentication store plugin lets you create a very quick and dirty user
+This authentication store lets you create a very quick and dirty user
database in your application's config hash.
You will need to include the Authentication plugin, and at least one Credential
=over 4
+=item class
+
+The classname used for the store. This is part of
+L<Catalyst::Plugin::Authentication> and is the method by which
+Catalyst::Plugin::Authentication::Store::Minimal is loaded as the
+user store. For this module to be used, this must be set to
+'Minimal'.
+
=item users
This is a simple hash of users, the keys are the usenames, and the values are
=back
-=head1 INTERNAL METHODS
+=head1 METHODS
+
+There are no publicly exported routines in the Minimal store (or indeed in
+most authentication stores) However, below is a description of the routines
+required by L<Catalyst::Plugin::Authentication> for all authentication stores.
=over 4
-=item setup
+=item new ( $config, $app )
+
+Constructs a new store object, which uses the user element of the supplied config
+hash ref as it's backing structure.
+
+=item find_user ( $authinfo, $c )
+
+Keys the hash by the 'id' or 'username' element in the authinfo hash and returns the user.
+
+... documentation fairy stopped here. ...
+
+If the return value is unblessed it will be blessed as
+L<Catalyst::Plugin::Authentication::User::Hash>.
+
+=item from_session $id
+
+Delegates to C<get_user>.
+
+=item user_supports
-This method will popultate C<< $c->config->{authentication}{store} >> so that
-L<Catalyst::Plugin::Authentication/default_auth_store> can use it.
+Chooses a random user from the hash and delegates to it.
=back
+++ /dev/null
-#!/usr/bin/perl
-
-package Catalyst::Plugin::Authentication::Store::Minimal::Backend;
-
-use strict;
-use warnings;
-
-use Catalyst::Plugin::Authentication::User::Hash;
-use Scalar::Util ();
-
-sub new {
- my ( $class, $config, $app) = @_;
-
- bless { hash => $config->{'users'} }, $class;
-}
-
-sub from_session {
- my ( $self, $c, $id ) = @_;
-
- return $id if ref $id;
-
- $self->find_user( { id => $id } );
-}
-
-## this is not necessarily a good example of what find_user can do, since all we do is
-## look up with the id anyway. find_user can be used to locate a user based on other
-## combinations of data. See C::P::Authentication::Store::DBIx::Class for a better example
-sub find_user {
- my ( $self, $userinfo, $c ) = @_;
-
- my $id = $userinfo->{'id'};
-
- $id ||= $userinfo->{'username'};
-
- return unless exists $self->{'hash'}{$id};
-
- my $user = $self->{'hash'}{$id};
-
- if ( ref $user ) {
- if ( ref $user eq "HASH" ) {
- $user->{id} ||= $id;
- return bless $user, "Catalyst::Plugin::Authentication::User::Hash";
- }
- else {
- Catalyst::Exception->throw( "The user '$id' is a reference of type "
- . ref($user)
- . " but should be a HASH" );
- }
- }
- else {
- Catalyst::Exception->throw(
- "The user '$id' is has to be a hash reference or an object");
- }
-
- return $user;
-}
-
-sub user_supports {
- my $self = shift;
-
- # choose a random user
- scalar keys %{ $self->{hash} };
- ( undef, my $user ) = each %{ $self->{hash} };
-
- $user->supports(@_);
-}
-
-## Backwards compatibility
-#
-# This is a backwards compatible routine. get_user is specifically for loading a user by it's unique id
-# find_user is capable of doing the same by simply passing { id => $id }
-# no new code should be written using get_user as it is deprecated.
-sub get_user {
- my ( $self, $id ) = @_;
- $self->find_user({id => $id});
-}
-
-
-
-__PACKAGE__;
-
-__END__
-
-=pod
-
-=head1 NAME
-
-Catalyst::Plugin::Authentication::Store::Minimal::Backend - Minimal
-authentication storage backend.
-
-=head1 SYNOPSIS
-
- # you probably just want Store::Minimal under most cases,
- # but if you insist you can instantiate your own store:
-
- use Catalyst::Plugin::Authentication::Store::Minimal::Backend;
-
- use Catalyst qw/
- Authentication
- /;
-
- __PACKAGE__->config->{authentication} =
- {
- default_realm => 'members',
- realms => {
- members => {
- credential => {
- class => 'Password'
- },
- store => {
- class => 'Minimal',
- users = {
- bob => {
- password => "s00p3r",
- editor => 'yes',
- roles => [qw/edit delete/],
- },
- william => {
- password => "s3cr3t",
- roles => [qw/comment/],
- }
- }
- }
- }
- }
- };
-
-
-=head1 DESCRIPTION
-
-This authentication store backend lets you create a very quick and dirty user
-database in your application's config hash.
-
-You will need to include the Authentication plugin, and at least one Credential
-plugin to use this Store. Credential::Password is reccommended.
-
-It's purpose is mainly for testing, and it should probably be replaced by a
-more "serious" store for production.
-
-The hash in the config, as well as the user objects/hashes are freely mutable
-at runtime.
-
-=head1 CONFIGURATION
-
-=over 4
-
-=item class
-
-The classname used for the store. This is part of
-L<Catalyst::Plugin::Authentication> and is the method by which
-Catalyst::Plugin::Authentication::Store::Minimal::Backend is loaded as the
-user store. For this module to be used, this must be set to
-'Minimal'.
-
-=item users
-
-This is a simple hash of users, the keys are the usenames, and the values are
-hashrefs containing a password key/value pair, and optionally, a roles/list
-of role-names pair. If using roles, you will also need to add the
-Authorization::Roles plugin.
-
-See the SYNOPSIS for an example.
-
-=back
-
-=head1 METHODS
-
-There are no publicly exported routines in the Minimal store (or indeed in
-most authentication stores) However, below is a description of the routines
-required by L<Catalyst::Plugin::Authentication> for all authentication stores.
-
-=over 4
-
-=item new ( $config, $app )
-
-Constructs a new store object, which uses the user element of the supplied config
-hash ref as it's backing structure.
-
-=item find_user ( $authinfo, $c )
-
-Keys the hash by the 'id' or 'username' element in the authinfo hash and returns the user.
-
-... documentation fairy stopped here. ...
-
-If the return value is unblessed it will be blessed as
-L<Catalyst::Plugin::Authentication::User::Hash>.
-
-=item from_session $id
-
-Delegates to C<get_user>.
-
-=item user_supports
-
-Chooses a random user from the hash and delegates to it.
-
-=back
-
-=cut
-
-
use strict;
use warnings;
+use base qw/Class::Accessor::Fast/;
+## auth_realm is the realm this user came from.
+BEGIN {
+ __PACKAGE__->mk_accessors(qw/auth_realm/);
+}
+
+## THIS IS NOT A COMPLETE CLASS! it is intended to provide base functionality only.
+## translation - it won't work if you try to use it directly.
## chances are you want to override this.
sub id { shift->get('id'); }
-## returns the realm the user came from - not a good idea to override this.
-sub auth_realm {
- my $self = shift;
- $self->{'realm'};
-}
-
-
## this relies on 'supported_features' being implemented by the subclass..
## but it is not an error if it is not. it just means you support nothing.
## nihilist user objects are welcome here.
return shift;
}
-## this is an internal routine. I suggest you don't rely on it's presence.
-## sets the realm the user came from.
-sub _set_auth_realm {
- my ($self, $realmname) = @_;
- $self->{'realm'} = $realmname;
-}
-
## Backwards Compatibility
## you probably want auth_realm, in fact. but this does work for backwards compatibility.
sub store {
: $data;
}
+## password portion of this is no longer necessary, but here for backwards compatibility.
my %features = (
password => {
clear => ["password"],
projects / catagits/Catalyst-Plugin-Authentication.git / commitdiff