[catagits/Catalyst-Authentication-Credential-HTTP.git] / lib / Catalyst / Authentication / Credential / HTTP.pm

package Catalyst::Authentication::Credential::HTTP;
use base qw/Catalyst::Authentication::Credential::Password/;

use strict;
use warnings;

use String::Escape ();
use URI::Escape    ();
use Catalyst       ();
use Digest::MD5    ();

BEGIN {
    __PACKAGE__->mk_accessors(qw/_config realm/);
}

our $VERSION = "1.005";

sub new {
    my ($class, $config, $app, $realm) = @_;
    
    my $self = { _config => $config, _debug => $app->debug };
    bless $self, $class;
    
    $self->realm($realm);
    
    $self->init;
    return $self;
}    

sub init {
    my ($self) = @_;
    my $type = $self->_config->{'type'} ||= 'any';
    
    if (!grep /$type/, ('basic', 'digest', 'any')) {
        Catalyst::Exception->throw(__PACKAGE__ . " used with unsupported authentication type: " . $type);
    }
}

sub authenticate {
    my ( $self, $c, $realm, $auth_info ) = @_;
    my $auth;

    $auth = $self->authenticate_digest($c, $realm, $auth_info) if $self->_is_http_auth_type('digest');
    return $auth if $auth;

    $auth = $self->authenticate_basic($c, $realm, $auth_info) if $self->_is_http_auth_type('basic');
    return $auth if $auth;
    
    $self->authorization_required_response($c, $realm, $auth_info);
    die $Catalyst::DETACH;
}

sub authenticate_basic {
    my ( $self, $c, $realm, $auth_info ) = @_;

    $c->log->debug('Checking http basic authentication.') if $c->debug;

    my $headers = $c->req->headers;

    if ( my ( $username, $password ) = $headers->authorization_basic ) {
	    my $user_obj = $realm->find_user( { username => $username }, $c);
	    if (ref($user_obj)) {            
            if ($self->check_password($user_obj, {$self->_config->{password_field} => $password})) {
                $c->set_authenticated($user_obj);
                return $user_obj;
            }
        }
        else {
            $c->log->debug("Unable to locate user matching user info provided") if $c->debug;
            return;
        }
    }

    return;
}

sub authenticate_digest {
    my ( $self, $c, $realm, $auth_info ) = @_;

    $c->log->debug('Checking http digest authentication.') if $c->debug;

    my $headers       = $c->req->headers;
    my @authorization = $headers->header('Authorization');
    foreach my $authorization (@authorization) {
        next unless $authorization =~ m{^Digest};
        my %res = map {
            my @key_val = split /=/, $_, 2;
            $key_val[0] = lc $key_val[0];
            $key_val[1] =~ s{"}{}g;    # remove the quotes
            @key_val;
        } split /,\s?/, substr( $authorization, 7 );    #7 == length "Digest "

        my $opaque = $res{opaque};
        my $nonce  = $self->get_digest_authorization_nonce( $c, __PACKAGE__ . '::opaque:' . $opaque );
        next unless $nonce;

        $c->log->debug('Checking authentication parameters.')
          if $c->debug;

        my $uri         = '/' . $c->request->path;
        my $algorithm   = $res{algorithm} || 'MD5';
        my $nonce_count = '0x' . $res{nc};

        my $check = $uri eq $res{uri}
          && ( exists $res{username} )
          && ( exists $res{qop} )
          && ( exists $res{cnonce} )
          && ( exists $res{nc} )
          && $algorithm eq $nonce->algorithm
          && hex($nonce_count) > hex( $nonce->nonce_count )
          && $res{nonce} eq $nonce->nonce;    # TODO: set Stale instead

        unless ($check) {
            $c->log->debug('Digest authentication failed. Bad request.')
              if $c->debug;
            $c->res->status(400);             # bad request
            Carp::confess $Catalyst::DETACH;
        }

        $c->log->debug('Checking authentication response.')
          if $c->debug;

        my $username = $res{username};

        my $user;

        unless ( $user = $auth_info->{user} ) {
            $user = $realm->find_user( { username => $username }, $c);
        }
        unless ($user) {    # no user, no authentication
            $c->log->debug("Unable to locate user matching user info provided") if $c->debug;
            return;
        }

        # everything looks good, let's check the response
        # calculate H(A2) as per spec
        my $ctx = Digest::MD5->new;
        $ctx->add( join( ':', $c->request->method, $res{uri} ) );
        if ( $res{qop} eq 'auth-int' ) {
            my $digest =
              Digest::MD5::md5_hex( $c->request->body );    # not sure here
            $ctx->add( ':', $digest );
        }
        my $A2_digest = $ctx->hexdigest;

        # the idea of the for loop:
        # if we do not want to store the plain password in our user store,
        # we can store md5_hex("$username:$realm:$password") instead
        my $password_field = $self->_config->{password_field};
        for my $r ( 0 .. 1 ) {
            # calculate H(A1) as per spec
            my $A1_digest = $r ? $user->$password_field() : do {
                $ctx = Digest::MD5->new;
                $ctx->add( join( ':', $username, $realm->name, $user->$password_field() ) );
                $ctx->hexdigest;
            };
            if ( $nonce->algorithm eq 'MD5-sess' ) {
                $ctx = Digest::MD5->new;
                $ctx->add( join( ':', $A1_digest, $res{nonce}, $res{cnonce} ) );
                $A1_digest = $ctx->hexdigest;
            }

            my $digest_in = join( ':',
                    $A1_digest, $res{nonce},
                    $res{qop} ? ( $res{nc}, $res{cnonce}, $res{qop} ) : (),
                    $A2_digest );
            my $rq_digest = Digest::MD5::md5_hex($digest_in);
            $nonce->nonce_count($nonce_count);
            $c->cache->set( __PACKAGE__ . '::opaque:' . $nonce->opaque,
                $nonce );
            if ($rq_digest eq $res{response}) {
                $c->set_authenticated($user);
                return 1;
            }
        }
    }
    return;
}

sub _check_cache {
    my $c = shift;

    die "A cache is needed for http digest authentication."
      unless $c->can('cache');
    return;
}

sub _is_http_auth_type {
    my ( $self, $type ) = @_;
    my $cfgtype = lc( $self->_config->{'type'} || 'any' );
    return 1 if $cfgtype eq 'any' || $cfgtype eq lc $type;
    return 0;
}

sub authorization_required_response {
    my ( $self, $c, $realm, $auth_info ) = @_;

    $c->res->status(401);
    $c->res->content_type('text/plain');
    if (exists $self->_config->{authorization_required_message}) {
        # If you set the key to undef, don't stamp on the body.
        $c->res->body($self->_config->{authorization_required_message}) 
            if defined $c->res->body($self->_config->{authorization_required_message}); 
    }
    else {
        $c->res->body('Authorization required.');
    }

    # *DONT* short circuit
    my $ok;
    $ok++ if $self->_create_digest_auth_response($c, $auth_info);
    $ok++ if $self->_create_basic_auth_response($c, $auth_info);

    unless ( $ok ) {
        die 'Could not build authorization required response. '
        . 'Did you configure a valid authentication http type: '
        . 'basic, digest, any';
    }
    return;
}

sub _add_authentication_header {
    my ( $c, $header ) = @_;
    $c->response->headers->push_header( 'WWW-Authenticate' => $header );
    return;
}

sub _create_digest_auth_response {
    my ( $self, $c, $opts ) = @_;
      
    return unless $self->_is_http_auth_type('digest');
    
    if ( my $digest = $self->_build_digest_auth_header( $c, $opts ) ) {
        _add_authentication_header( $c, $digest );
        return 1;
    }

    return;
}

sub _create_basic_auth_response {
    my ( $self, $c, $opts ) = @_;
    
    return unless $self->_is_http_auth_type('basic');

    if ( my $basic = $self->_build_basic_auth_header( $c, $opts ) ) {
        _add_authentication_header( $c, $basic );
        return 1;
    }

    return;
}

sub _build_auth_header_realm {
    my ( $self, $c, $opts ) = @_;    
    if ( my $realm_name = String::Escape::qprintable($opts->{realm} ? $opts->{realm} : $self->realm->name) ) {
        $realm_name = qq{"$realm_name"} unless $realm_name =~ /^"/;
        return 'realm=' . $realm_name;
    } 
    return;
}

sub _build_auth_header_domain {
    my ( $self, $c, $opts ) = @_;
    if ( my $domain = $opts->{domain} ) {
        Catalyst::Exception->throw("domain must be an array reference")
          unless ref($domain) && ref($domain) eq "ARRAY";

        my @uris =
          $self->_config->{use_uri_for}
          ? ( map { $c->uri_for($_) } @$domain )
          : ( map { URI::Escape::uri_escape($_) } @$domain );

        return qq{domain="@uris"};
    } 
    return;
}

sub _build_auth_header_common {
    my ( $self, $c, $opts ) = @_;
    return (
        $self->_build_auth_header_realm($c, $opts),
        $self->_build_auth_header_domain($c, $opts),
    );
}

sub _build_basic_auth_header {
    my ( $self, $c, $opts ) = @_;
    return _join_auth_header_parts( Basic => $self->_build_auth_header_common( $c, $opts ) );
}

sub _build_digest_auth_header {
    my ( $self, $c, $opts ) = @_;

    my $nonce = $self->_digest_auth_nonce($c, $opts);

    my $key = __PACKAGE__ . '::opaque:' . $nonce->opaque;
   
    $self->store_digest_authorization_nonce( $c, $key, $nonce );

    return _join_auth_header_parts( Digest =>
        $self->_build_auth_header_common($c, $opts),
        map { sprintf '%s="%s"', $_, $nonce->$_ } qw(
            qop
            nonce
            opaque
            algorithm
        ),
    );
}

sub _digest_auth_nonce {
    my ( $self, $c, $opts ) = @_;

    my $package = __PACKAGE__ . '::Nonce';

    my $nonce   = $package->new;

    if ( my $algorithm = $opts->{algorithm} || $self->_config->{algorithm}) { 
        $nonce->algorithm( $algorithm );
    }

    return $nonce;
}

sub _join_auth_header_parts {
    my ( $type, @parts ) = @_;
    return "$type " . join(", ", @parts );
}

sub get_digest_authorization_nonce {
    my ( $self, $c, $key ) = @_;
    
    _check_cache($c);
    return $c->cache->get( $key );
}

sub store_digest_authorization_nonce {
    my ( $self, $c, $key, $nonce ) = @_;

    _check_cache($c);
    return $c->cache->set( $key, $nonce );
}

package Catalyst::Authentication::Credential::HTTP::Nonce;

use strict;
use base qw[ Class::Accessor::Fast ];
use Data::UUID ();

our $VERSION = '0.02';

__PACKAGE__->mk_accessors(qw[ nonce nonce_count qop opaque algorithm ]);

sub new {
    my $class = shift;
    my $self  = $class->SUPER::new(@_);

    $self->nonce( Data::UUID->new->create_b64 );
    $self->opaque( Data::UUID->new->create_b64 );
    $self->qop('auth,auth-int');
    $self->nonce_count('0x0');
    $self->algorithm('MD5');

    return $self;
}

1;

__END__

=pod

=head1 NAME

Catalyst::Authentication::Credential::HTTP - HTTP Basic and Digest authentication
for Catalyst.

=head1 SYNOPSIS

    use Catalyst qw/
        Authentication
    /;

    __PACKAGE__->config( authentication => {
        realms => { 
            example => { 
                credential => { 
                    class => 'HTTP',
                    type  => 'any', # or 'digest' or 'basic'
                    password_type  => 'clear',
                    password_field => 'password'
                },
                store => {
                    class => 'Minimal',
                    users => {
                        Mufasa => { password => "Circle Of Life", },
                    },
                },
            },
        }
    });

    sub foo : Local {
        my ( $self, $c ) = @_;

        $c->authenticate({ realm => "example" }); 
        # either user gets authenticated or 401 is sent
        # Note that the authentication realm sent to the client is overridden
        # here, but this does not affect the Catalyst::Authentication::Realm
        # used for authentication.

        do_stuff();
    }
    
    sub always_auth : Local {
        my ( $self, $c ) = @_;
        
        # Force authorization headers onto the response so that the user
        # is asked again for authentication, even if they successfully
        # authenticated.
        my $realm = $c->get_auth_realm('example');
        $realm->credential->authorization_required_response($c, $realm);
    }

    # with ACL plugin
    __PACKAGE__->deny_access_unless("/path", sub { $_[0]->authenticate });

=head1 DESCRIPTION

This module lets you use HTTP authentication with
L<Catalyst::Plugin::Authentication>. Both basic and digest authentication
are currently supported.

When authentication is required, this module sets a status of 401, and
the body of the response to 'Authorization required.'. To override
this and set your own content, check for the C<< $c->res->status ==
401 >> in your C<end> action, and change the body accordingly.

=head2 TERMS

=over 4

=item Nonce

A nonce is a one-time value sent with each digest authentication
request header. The value must always be unique, so per default the
last value of the nonce is kept using L<Catalyst::Plugin::Cache>. To
change this behaviour, override the
C<store_digest_authorization_nonce> and
C<get_digest_authorization_nonce> methods as shown below.

=back

=head1 METHODS

=over 4

=item new $config, $c, $realm

Simple constructor.

=item init

Validates that $config is ok.

=item authenticate $c, $realm, \%auth_info

Tries to authenticate the user, and if that fails calls
C<authorization_required_response> and detaches the current action call stack.

Looks inside C<< $c->request->headers >> and processes the digest and basic
(badly named) authorization header.

This will only try the methods set in the configuration. First digest, then basic.

The %auth_info hash can contain a number of keys which control the authentication behaviour:

=over

=item realm

Sets the HTTP authentication realm presented to the client. Note this does not alter the
Catalyst::Authentication::Realm object used for the authentication.

=item domain

Array reference to domains used to build the authorization headers.

This list of domains defines the protection space. If a domain URI is an 
absolute path (starts with /), it is relative to the root URL of the server being accessed. 
An absolute URI in this list may refer to a different server than the one being accessed. 

The client will use this list to determine the set of URIs for which the same authentication 
information may be sent. 

If this is omitted or its value is empty, the client will assume that the
protection space consists of all URIs on the responding server.

Therefore, if your application is not hosted at the root of this domain, and you want to
prevent the authentication credentials for this application being sent to any other applications.
then you should use the I<use_uri_for> configuration option, and pass a domain of I</>.

=back

=item authenticate_basic $c, $realm, \%auth_info

Performs HTTP basic authentication.

=item authenticate_digest $c, $realm, \%auth_info

Performs HTTP digest authentication. Note that the password_type B<must> by I<clear> for
digest authentication to succeed, and you must have L<Catalyst::Plugin::Session> in
your application as digest authentication needs to store persistent data.

Note - if you do not want to store your user passwords as clear text, then it is possible
to store instead the MD5 digest in hex of the string '$username:$realm:$password' 

Takes an additional parameter of I<algorithm>, the possible values of which are 'MD5' (the default)
and 'MD5-sess'. For more information about 'MD5-sess', see section 3.2.2.2 in RFC 2617.

=item authorization_required_response $c, $realm, \%auth_info

Sets C<< $c->response >> to the correct status code, and adds the correct
header to demand authentication data from the user agent.

Typically used by C<authenticate>, but may be invoked manually.

%opts can contain C<domain> and C<algorithm>, which are used to build
%the digest header.

=item store_digest_authorization_nonce $c, $key, $nonce

=item get_digest_authorization_nonce $c, $key

Set or get the C<$nonce> object used by the digest auth mode.

You may override these methods. By default they will call C<get> and C<set> on
C<< $c->cache >>.

=back

=head1 CONFIGURATION

All configuration is stored in C<< YourApp->config(authentication => { yourrealm => { credential => { class => 'HTTP', %config } } } >>.

This should be a hash, and it can contain the following entries:

=over

=item type

Can be either C<any> (the default), C<basic> or C<digest>.

This controls C<authorization_required_response> and C<authenticate>, but
not the "manual" methods.

=item authorization_required_message

Set this to a string to override the default body content "Authorization required.", or set to undef to suppress body content being generated.

=item password_type

The type of password returned by the user object. Same usage as in 
L<Catalyst::Authentication::Credential::Password|Catalyst::Authentication::Credential::Password/password_type>

=item password_field

The name of accessor used to retrieve the value of the password field from the user object. Same usage as in 
L<Catalyst::Authentication::Credential::Password|Catalyst::Authentication::Credential::Password/password_field>

=item use_uri_for

If this configuration key has a true value, then the domain(s) for the authorization header will be
run through $c->uri_for(). Use this configuration option if your application is not running at the root
of your domain, and you want to ensure that authentication credentials from your application are not shared with
other applications on the same server.

=back

=head1 RESTRICTIONS

When using digest authentication, this module will only work together
with authentication stores whose User objects have a C<password>
method that returns the plain-text password. It will not work together
with L<Catalyst::Authentication::Store::Htpasswd>, or
L<Catalyst::Authentication::Store::DBIC> stores whose
C<password> methods return a hashed or salted version of the password.

=head1 AUTHORS

Updated to current name space and currently maintained
by: Tomas Doran C<bobtfish@bobtfish.net>.

Original module by: 

=over

=item Yuval Kogman, C<nothingmuch@woobling.org>

=item Jess Robinson

=item Sascha Kiefer C<esskar@cpan.org>

=back

=head1 SEE ALSO

RFC 2617 (or its successors), L<Catalyst::Plugin::Cache>, L<Catalyst::Plugin::Authentication>

=head1 COPYRIGHT & LICENSE

        Copyright (c) 2005-2008 the aforementioned authors. All rights
        reserved. This program is free software; you can redistribute
        it and/or modify it under the same terms as Perl itself.

=cut
Commit	Line	Data
513d8ab6	1	package Catalyst::Authentication::Credential::HTTP;
490754a8	2	use base qw/Catalyst::Authentication::Credential::Password/;
d99b7693	3
	4	use strict;
	5	use warnings;
	6
	7	use String::Escape ();
	8	use URI::Escape ();
	9	use Catalyst ();
	10	use Digest::MD5 ();
	11
513d8ab6	12	BEGIN {
	13	__PACKAGE__->mk_accessors(qw/_config realm/);
	14	}
d99b7693	15
6cd8c8c7	16	our $VERSION = "1.005";
d99b7693	17
513d8ab6	18	sub new {
	19	my ($class, $config, $app, $realm) = @_;
	20
	21	my $self = { _config => $config, _debug => $app->debug };
	22	bless $self, $class;
	23
	24	$self->realm($realm);
	25
41091cd6	26	$self->init;
	27	return $self;
	28	}
	29
	30	sub init {
	31	my ($self) = @_;
513d8ab6	32	my $type = $self->_config->{'type'} \|\|= 'any';
	33
	34	if (!grep /$type/, ('basic', 'digest', 'any')) {
	35	Catalyst::Exception->throw(__PACKAGE__ . " used with unsupported authentication type: " . $type);
	36	}
d99b7693	37	}
d99b7693	38
513d8ab6	39	sub authenticate {
	40	my ( $self, $c, $realm, $auth_info ) = @_;
	41	my $auth;
d99b7693	42
513d8ab6	43	$auth = $self->authenticate_digest($c, $realm, $auth_info) if $self->_is_http_auth_type('digest');
513d8ab6	44	return $auth if $auth;
d99b7693	45
513d8ab6	46	$auth = $self->authenticate_basic($c, $realm, $auth_info) if $self->_is_http_auth_type('basic');
	47	return $auth if $auth;
	48
	49	$self->authorization_required_response($c, $realm, $auth_info);
	50	die $Catalyst::DETACH;
d99b7693	51	}
	52
	53	sub authenticate_basic {
513d8ab6	54	my ( $self, $c, $realm, $auth_info ) = @_;
d99b7693	55
	56	$c->log->debug('Checking http basic authentication.') if $c->debug;
	57
	58	my $headers = $c->req->headers;
	59
	60	if ( my ( $username, $password ) = $headers->authorization_basic ) {
513d8ab6	61	my $user_obj = $realm->find_user( { username => $username }, $c);
513d8ab6	62	if (ref($user_obj)) {
490754a8	63	if ($self->check_password($user_obj, {$self->_config->{password_field} => $password})) {
513d8ab6	64	$c->set_authenticated($user_obj);
513d8ab6	65	return $user_obj;
d99b7693	66	}
d99b7693	67	}
513d8ab6	68	else {
	69	$c->log->debug("Unable to locate user matching user info provided") if $c->debug;
	70	return;
	71	}
d99b7693	72	}
d99b7693	73
513d8ab6	74	return;
d99b7693	75	}
	76
	77	sub authenticate_digest {
513d8ab6	78	my ( $self, $c, $realm, $auth_info ) = @_;
d99b7693	79
	80	$c->log->debug('Checking http digest authentication.') if $c->debug;
	81
	82	my $headers = $c->req->headers;
	83	my @authorization = $headers->header('Authorization');
	84	foreach my $authorization (@authorization) {
	85	next unless $authorization =~ m{^Digest};
d99b7693	86	my %res = map {
	87	my @key_val = split /=/, $_, 2;
	88	$key_val[0] = lc $key_val[0];
	89	$key_val[1] =~ s{"}{}g; # remove the quotes
	90	@key_val;
	91	} split /,\s?/, substr( $authorization, 7 ); #7 == length "Digest "
	92
	93	my $opaque = $res{opaque};
513d8ab6	94	my $nonce = $self->get_digest_authorization_nonce( $c, __PACKAGE__ . '::opaque:' . $opaque );
d99b7693	95	next unless $nonce;
	96
	97	$c->log->debug('Checking authentication parameters.')
	98	if $c->debug;
	99
	100	my $uri = '/' . $c->request->path;
	101	my $algorithm = $res{algorithm} \|\| 'MD5';
	102	my $nonce_count = '0x' . $res{nc};
	103
	104	my $check = $uri eq $res{uri}
	105	&& ( exists $res{username} )
	106	&& ( exists $res{qop} )
	107	&& ( exists $res{cnonce} )
	108	&& ( exists $res{nc} )
	109	&& $algorithm eq $nonce->algorithm
	110	&& hex($nonce_count) > hex( $nonce->nonce_count )
	111	&& $res{nonce} eq $nonce->nonce; # TODO: set Stale instead
	112
	113	unless ($check) {
	114	$c->log->debug('Digest authentication failed. Bad request.')
	115	if $c->debug;
	116	$c->res->status(400); # bad request
513d8ab6	117	Carp::confess $Catalyst::DETACH;
d99b7693	118	}
	119
	120	$c->log->debug('Checking authentication response.')
	121	if $c->debug;
	122
	123	my $username = $res{username};
d99b7693	124
	125	my $user;
	126
513d8ab6	127	unless ( $user = $auth_info->{user} ) {
513d8ab6	128	$user = $realm->find_user( { username => $username }, $c);
d99b7693	129	}
d99b7693	130	unless ($user) { # no user, no authentication
513d8ab6	131	$c->log->debug("Unable to locate user matching user info provided") if $c->debug;
513d8ab6	132	return;
d99b7693	133	}
	134
	135	# everything looks good, let's check the response
d99b7693	136	# calculate H(A2) as per spec
	137	my $ctx = Digest::MD5->new;
	138	$ctx->add( join( ':', $c->request->method, $res{uri} ) );
	139	if ( $res{qop} eq 'auth-int' ) {
	140	my $digest =
	141	Digest::MD5::md5_hex( $c->request->body ); # not sure here
	142	$ctx->add( ':', $digest );
	143	}
	144	my $A2_digest = $ctx->hexdigest;
	145
	146	# the idea of the for loop:
	147	# if we do not want to store the plain password in our user store,
	148	# we can store md5_hex("$username:$realm:$password") instead
490754a8	149	my $password_field = $self->_config->{password_field};
d99b7693	150	for my $r ( 0 .. 1 ) {
d99b7693	151	# calculate H(A1) as per spec
490754a8	152	my $A1_digest = $r ? $user->$password_field() : do {
d99b7693	153	$ctx = Digest::MD5->new;
490754a8	154	$ctx->add( join( ':', $username, $realm->name, $user->$password_field() ) );
d99b7693	155	$ctx->hexdigest;
	156	};
	157	if ( $nonce->algorithm eq 'MD5-sess' ) {
	158	$ctx = Digest::MD5->new;
	159	$ctx->add( join( ':', $A1_digest, $res{nonce}, $res{cnonce} ) );
	160	$A1_digest = $ctx->hexdigest;
	161	}
	162
513d8ab6	163	my $digest_in = join( ':',
d99b7693	164	$A1_digest, $res{nonce},
d99b7693	165	$res{qop} ? ( $res{nc}, $res{cnonce}, $res{qop} ) : (),
513d8ab6	166	$A2_digest );
513d8ab6	167	my $rq_digest = Digest::MD5::md5_hex($digest_in);
d99b7693	168	$nonce->nonce_count($nonce_count);
	169	$c->cache->set( __PACKAGE__ . '::opaque:' . $nonce->opaque,
	170	$nonce );
513d8ab6	171	if ($rq_digest eq $res{response}) {
	172	$c->set_authenticated($user);
	173	return 1;
	174	}
d99b7693	175	}
d99b7693	176	}
513d8ab6	177	return;
d99b7693	178	}
	179
	180	sub _check_cache {
	181	my $c = shift;
	182
	183	die "A cache is needed for http digest authentication."
	184	unless $c->can('cache');
513d8ab6	185	return;
d99b7693	186	}
	187
	188	sub _is_http_auth_type {
513d8ab6	189	my ( $self, $type ) = @_;
513d8ab6	190	my $cfgtype = lc( $self->_config->{'type'} \|\| 'any' );
d99b7693	191	return 1 if $cfgtype eq 'any' \|\| $cfgtype eq lc $type;
	192	return 0;
	193	}
	194
d99b7693	195	sub authorization_required_response {
513d8ab6	196	my ( $self, $c, $realm, $auth_info ) = @_;
d99b7693	197
	198	$c->res->status(401);
	199	$c->res->content_type('text/plain');
513d8ab6	200	if (exists $self->_config->{authorization_required_message}) {
	201	# If you set the key to undef, don't stamp on the body.
	202	$c->res->body($self->_config->{authorization_required_message})
	203	if defined $c->res->body($self->_config->{authorization_required_message});
	204	}
	205	else {
	206	$c->res->body('Authorization required.');
	207	}
d99b7693	208
	209	# DONT short circuit
	210	my $ok;
513d8ab6	211	$ok++ if $self->_create_digest_auth_response($c, $auth_info);
513d8ab6	212	$ok++ if $self->_create_basic_auth_response($c, $auth_info);
d99b7693	213
	214	unless ( $ok ) {
	215	die 'Could not build authorization required response. '
	216	. 'Did you configure a valid authentication http type: '
	217	. 'basic, digest, any';
	218	}
513d8ab6	219	return;
d99b7693	220	}
	221
	222	sub _add_authentication_header {
	223	my ( $c, $header ) = @_;
513d8ab6	224	$c->response->headers->push_header( 'WWW-Authenticate' => $header );
513d8ab6	225	return;
d99b7693	226	}
	227
	228	sub _create_digest_auth_response {
513d8ab6	229	my ( $self, $c, $opts ) = @_;
d99b7693	230
513d8ab6	231	return unless $self->_is_http_auth_type('digest');
d99b7693	232
513d8ab6	233	if ( my $digest = $self->_build_digest_auth_header( $c, $opts ) ) {
513d8ab6	234	_add_authentication_header( $c, $digest );
d99b7693	235	return 1;
	236	}
	237
	238	return;
	239	}
	240
	241	sub _create_basic_auth_response {
513d8ab6	242	my ( $self, $c, $opts ) = @_;
d99b7693	243
513d8ab6	244	return unless $self->_is_http_auth_type('basic');
d99b7693	245
513d8ab6	246	if ( my $basic = $self->_build_basic_auth_header( $c, $opts ) ) {
513d8ab6	247	_add_authentication_header( $c, $basic );
d99b7693	248	return 1;
	249	}
	250
	251	return;
	252	}
	253
	254	sub _build_auth_header_realm {
bf399285	255	my ( $self, $c, $opts ) = @_;
bf399285	256	if ( my $realm_name = String::Escape::qprintable($opts->{realm} ? $opts->{realm} : $self->realm->name) ) {
513d8ab6	257	$realm_name = qq{"$realm_name"} unless $realm_name =~ /^"/;
	258	return 'realm=' . $realm_name;
	259	}
	260	return;
d99b7693	261	}
	262
	263	sub _build_auth_header_domain {
513d8ab6	264	my ( $self, $c, $opts ) = @_;
d99b7693	265	if ( my $domain = $opts->{domain} ) {
	266	Catalyst::Exception->throw("domain must be an array reference")
	267	unless ref($domain) && ref($domain) eq "ARRAY";
	268
	269	my @uris =
513d8ab6	270	$self->_config->{use_uri_for}
d99b7693	271	? ( map { $c->uri_for($_) } @$domain )
	272	: ( map { URI::Escape::uri_escape($_) } @$domain );
	273
	274	return qq{domain="@uris"};
513d8ab6	275	}
513d8ab6	276	return;
d99b7693	277	}
	278
	279	sub _build_auth_header_common {
513d8ab6	280	my ( $self, $c, $opts ) = @_;
d99b7693	281	return (
bf399285	282	$self->_build_auth_header_realm($c, $opts),
513d8ab6	283	$self->_build_auth_header_domain($c, $opts),
d99b7693	284	);
	285	}
	286
	287	sub _build_basic_auth_header {
513d8ab6	288	my ( $self, $c, $opts ) = @_;
513d8ab6	289	return _join_auth_header_parts( Basic => $self->_build_auth_header_common( $c, $opts ) );
d99b7693	290	}
	291
	292	sub _build_digest_auth_header {
513d8ab6	293	my ( $self, $c, $opts ) = @_;
d99b7693	294
513d8ab6	295	my $nonce = $self->_digest_auth_nonce($c, $opts);
d99b7693	296
	297	my $key = __PACKAGE__ . '::opaque:' . $nonce->opaque;
	298
513d8ab6	299	$self->store_digest_authorization_nonce( $c, $key, $nonce );
a14203f8	300
513d8ab6	301	return _join_auth_header_parts( Digest =>
513d8ab6	302	$self->_build_auth_header_common($c, $opts),
d99b7693	303	map { sprintf '%s="%s"', $_, $nonce->$_ } qw(
	304	qop
	305	nonce
	306	opaque
	307	algorithm
	308	),
	309	);
	310	}
a14203f8	311
d99b7693	312	sub _digest_auth_nonce {
513d8ab6	313	my ( $self, $c, $opts ) = @_;
d99b7693	314
	315	my $package = __PACKAGE__ . '::Nonce';
	316
	317	my $nonce = $package->new;
	318
513d8ab6	319	if ( my $algorithm = $opts->{algorithm} \|\| $self->_config->{algorithm}) {
d99b7693	320	$nonce->algorithm( $algorithm );
	321	}
	322
	323	return $nonce;
	324	}
	325
	326	sub _join_auth_header_parts {
513d8ab6	327	my ( $type, @parts ) = @_;
d99b7693	328	return "$type " . join(", ", @parts );
	329	}
	330
	331	sub get_digest_authorization_nonce {
513d8ab6	332	my ( $self, $c, $key ) = @_;
	333
	334	_check_cache($c);
	335	return $c->cache->get( $key );
d99b7693	336	}
	337
	338	sub store_digest_authorization_nonce {
513d8ab6	339	my ( $self, $c, $key, $nonce ) = @_;
d99b7693	340
513d8ab6	341	_check_cache($c);
513d8ab6	342	return $c->cache->set( $key, $nonce );
d99b7693	343	}
d99b7693	344
513d8ab6	345	package Catalyst::Authentication::Credential::HTTP::Nonce;
d99b7693	346
	347	use strict;
	348	use base qw[ Class::Accessor::Fast ];
	349	use Data::UUID ();
	350
513d8ab6	351	our $VERSION = '0.02';
d99b7693	352
	353	__PACKAGE__->mk_accessors(qw[ nonce nonce_count qop opaque algorithm ]);
	354
	355	sub new {
	356	my $class = shift;
	357	my $self = $class->SUPER::new(@_);
	358
	359	$self->nonce( Data::UUID->new->create_b64 );
	360	$self->opaque( Data::UUID->new->create_b64 );
	361	$self->qop('auth,auth-int');
	362	$self->nonce_count('0x0');
	363	$self->algorithm('MD5');
	364
	365	return $self;
	366	}
a14203f8	367
a14203f8	368	1;
a14203f8	369
a14203f8	370	__END__
a14203f8	371
a14203f8	372	=pod
a14203f8	373
a14203f8	374	=head1 NAME
a14203f8	375
513d8ab6	376	Catalyst::Authentication::Credential::HTTP - HTTP Basic and Digest authentication
53306b93	377	for Catalyst.
a14203f8	378
a14203f8	379	=head1 SYNOPSIS
a14203f8	380
a14203f8	381	use Catalyst qw/
a14203f8	382	Authentication
a14203f8	383	/;
a14203f8	384
513d8ab6	385	__PACKAGE__->config( authentication => {
	386	realms => {
	387	example => {
	388	credential => {
	389	class => 'HTTP',
	390	type => 'any', # or 'digest' or 'basic'
490754a8	391	password_type => 'clear',
490754a8	392	password_field => 'password'
513d8ab6	393	},
	394	store => {
	395	class => 'Minimal',
	396	users => {
	397	Mufasa => { password => "Circle Of Life", },
	398	},
	399	},
	400	},
	401	}
	402	});
d99b7693	403
	404	sub foo : Local {
	405	my ( $self, $c ) = @_;
	406
513d8ab6	407	$c->authenticate({ realm => "example" });
d99b7693	408	# either user gets authenticated or 401 is sent
bf399285	409	# Note that the authentication realm sent to the client is overridden
	410	# here, but this does not affect the Catalyst::Authentication::Realm
	411	# used for authentication.
d99b7693	412
	413	do_stuff();
	414	}
031f556c	415
	416	sub always_auth : Local {
	417	my ( $self, $c ) = @_;
	418
	419	# Force authorization headers onto the response so that the user
	420	# is asked again for authentication, even if they successfully
	421	# authenticated.
	422	my $realm = $c->get_auth_realm('example');
	423	$realm->credential->authorization_required_response($c, $realm);
	424	}
d99b7693	425
d99b7693	426	# with ACL plugin
513d8ab6	427	__PACKAGE__->deny_access_unless("/path", sub { $_[0]->authenticate });
d99b7693	428
a14203f8	429	=head1 DESCRIPTION
a14203f8	430
513d8ab6	431	This module lets you use HTTP authentication with
d99b7693	432	L<Catalyst::Plugin::Authentication>. Both basic and digest authentication
	433	are currently supported.
	434
	435	When authentication is required, this module sets a status of 401, and
	436	the body of the response to 'Authorization required.'. To override
	437	this and set your own content, check for the C<< $c->res->status ==
	438	401 >> in your C<end> action, and change the body accordingly.
	439
	440	=head2 TERMS
	441
	442	=over 4
	443
	444	=item Nonce
	445
	446	A nonce is a one-time value sent with each digest authentication
	447	request header. The value must always be unique, so per default the
	448	last value of the nonce is kept using L<Catalyst::Plugin::Cache>. To
	449	change this behaviour, override the
	450	C<store_digest_authorization_nonce> and
	451	C<get_digest_authorization_nonce> methods as shown below.
	452
	453	=back
	454
	455	=head1 METHODS
	456
	457	=over 4
	458
513d8ab6	459	=item new $config, $c, $realm
d99b7693	460
513d8ab6	461	Simple constructor.
d99b7693	462
41091cd6	463	=item init
	464
	465	Validates that $config is ok.
	466
513d8ab6	467	=item authenticate $c, $realm, \%auth_info
d99b7693	468
513d8ab6	469	Tries to authenticate the user, and if that fails calls
513d8ab6	470	C<authorization_required_response> and detaches the current action call stack.
d99b7693	471
	472	Looks inside C<< $c->request->headers >> and processes the digest and basic
	473	(badly named) authorization header.
	474
	475	This will only try the methods set in the configuration. First digest, then basic.
	476
bf399285	477	The %auth_info hash can contain a number of keys which control the authentication behaviour:
	478
	479	=over
	480
	481	=item realm
	482
	483	Sets the HTTP authentication realm presented to the client. Note this does not alter the
	484	Catalyst::Authentication::Realm object used for the authentication.
	485
05512a69	486	=item domain
bf399285	487
05512a69	488	Array reference to domains used to build the authorization headers.
bf399285	489
ea92acf7	490	This list of domains defines the protection space. If a domain URI is an
	491	absolute path (starts with /), it is relative to the root URL of the server being accessed.
	492	An absolute URI in this list may refer to a different server than the one being accessed.
	493
	494	The client will use this list to determine the set of URIs for which the same authentication
	495	information may be sent.
	496
	497	If this is omitted or its value is empty, the client will assume that the
	498	protection space consists of all URIs on the responding server.
	499
	500	Therefore, if your application is not hosted at the root of this domain, and you want to
	501	prevent the authentication credentials for this application being sent to any other applications.
	502	then you should use the I<use_uri_for> configuration option, and pass a domain of I</>.
	503
bf399285	504	=back
d99b7693	505
513d8ab6	506	=item authenticate_basic $c, $realm, \%auth_info
d99b7693	507
bf399285	508	Performs HTTP basic authentication.
490754a8	509
513d8ab6	510	=item authenticate_digest $c, $realm, \%auth_info
d99b7693	511
bf399285	512	Performs HTTP digest authentication. Note that the password_type B<must> by I<clear> for
c5a1fa88	513	digest authentication to succeed, and you must have L<Catalyst::Plugin::Session> in
	514	your application as digest authentication needs to store persistent data.
	515
	516	Note - if you do not want to store your user passwords as clear text, then it is possible
	517	to store instead the MD5 digest in hex of the string '$username:$realm:$password'
d99b7693	518
ea92acf7	519	Takes an additional parameter of I<algorithm>, the possible values of which are 'MD5' (the default)
	520	and 'MD5-sess'. For more information about 'MD5-sess', see section 3.2.2.2 in RFC 2617.
	521
513d8ab6	522	=item authorization_required_response $c, $realm, \%auth_info
d99b7693	523
	524	Sets C<< $c->response >> to the correct status code, and adds the correct
	525	header to demand authentication data from the user agent.
	526
513d8ab6	527	Typically used by C<authenticate>, but may be invoked manually.
d99b7693	528
513d8ab6	529	%opts can contain C<domain> and C<algorithm>, which are used to build
d99b7693	530	%the digest header.
d99b7693	531
513d8ab6	532	=item store_digest_authorization_nonce $c, $key, $nonce
d99b7693	533
513d8ab6	534	=item get_digest_authorization_nonce $c, $key
d99b7693	535
	536	Set or get the C<$nonce> object used by the digest auth mode.
	537
	538	You may override these methods. By default they will call C<get> and C<set> on
	539	C<< $c->cache >>.
	540
d99b7693	541	=back
	542
	543	=head1 CONFIGURATION
	544
513d8ab6	545	All configuration is stored in C<< YourApp->config(authentication => { yourrealm => { credential => { class => 'HTTP', %config } } } >>.
d99b7693	546
	547	This should be a hash, and it can contain the following entries:
	548
05512a69	549	=over
d99b7693	550
d99b7693	551	=item type
	552
	553	Can be either C<any> (the default), C<basic> or C<digest>.
	554
513d8ab6	555	This controls C<authorization_required_response> and C<authenticate>, but
d99b7693	556	not the "manual" methods.
	557
	558	=item authorization_required_message
	559
513d8ab6	560	Set this to a string to override the default body content "Authorization required.", or set to undef to suppress body content being generated.
d99b7693	561
05512a69	562	=item password_type
05512a69	563
f1f73b53	564	The type of password returned by the user object. Same usage as in
b56120cd	565	L<Catalyst::Authentication::Credential::Password\|Catalyst::Authentication::Credential::Password/password_type>
05512a69	566
	567	=item password_field
	568
f1f73b53	569	The name of accessor used to retrieve the value of the password field from the user object. Same usage as in
05512a69	570	L<Catalyst::Authentication::Credential::Password\|Catalyst::Authentication::Credential::Password/password_field>
	571
	572	=item use_uri_for
	573
	574	If this configuration key has a true value, then the domain(s) for the authorization header will be
ea92acf7	575	run through $c->uri_for(). Use this configuration option if your application is not running at the root
	576	of your domain, and you want to ensure that authentication credentials from your application are not shared with
	577	other applications on the same server.
05512a69	578
d99b7693	579	=back
	580
	581	=head1 RESTRICTIONS
	582
	583	When using digest authentication, this module will only work together
	584	with authentication stores whose User objects have a C<password>
	585	method that returns the plain-text password. It will not work together
	586	with L<Catalyst::Authentication::Store::Htpasswd>, or
513d8ab6	587	L<Catalyst::Authentication::Store::DBIC> stores whose
d99b7693	588	C<password> methods return a hashed or salted version of the password.
c7b3e379	589
a14203f8	590	=head1 AUTHORS
a14203f8	591
513d8ab6	592	Updated to current name space and currently maintained
	593	by: Tomas Doran C<bobtfish@bobtfish.net>.
	594
	595	Original module by:
	596
	597	=over
a14203f8	598
513d8ab6	599	=item Yuval Kogman, C<nothingmuch@woobling.org>
a14203f8	600
513d8ab6	601	=item Jess Robinson
	602
	603	=item Sascha Kiefer C<esskar@cpan.org>
	604
	605	=back
a14203f8	606
c7b3e379	607	=head1 SEE ALSO
c7b3e379	608
d99b7693	609	RFC 2617 (or its successors), L<Catalyst::Plugin::Cache>, L<Catalyst::Plugin::Authentication>
c7b3e379	610
a14203f8	611	=head1 COPYRIGHT & LICENSE
a14203f8	612
513d8ab6	613	Copyright (c) 2005-2008 the aforementioned authors. All rights
a14203f8	614	reserved. This program is free software; you can redistribute
a14203f8	615	it and/or modify it under the same terms as Perl itself.
a14203f8	616
a14203f8	617	=cut
513d8ab6	618