[catagits/Catalyst-Authentication-Credential-HTTP.git] / lib / Catalyst / Authentication / Credential / HTTP.pm

package Catalyst::Authentication::Credential::HTTP;
use base qw/Catalyst::Authentication::Credential::Password/;

use strict;
use warnings;

use String::Escape ();
use URI::Escape    ();
use Catalyst       ();
use Digest::MD5    ();

BEGIN {
    __PACKAGE__->mk_accessors(qw/_config realm/);
}

our $VERSION = "1.004";

sub new {
    my ($class, $config, $app, $realm) = @_;
    
    my $self = { _config => $config, _debug => $app->debug };
    bless $self, $class;
    
    $self->realm($realm);
    
    my $type = $self->_config->{'type'} ||= 'any';
    
    if (!grep /$type/, ('basic', 'digest', 'any')) {
        Catalyst::Exception->throw(__PACKAGE__ . " used with unsupported authentication type: " . $type);
    }
    return $self;
}

sub authenticate {
    my ( $self, $c, $realm, $auth_info ) = @_;
    my $auth;

    $auth = $self->authenticate_digest($c, $realm, $auth_info) if $self->_is_http_auth_type('digest');
    return $auth if $auth;

    $auth = $self->authenticate_basic($c, $realm, $auth_info) if $self->_is_http_auth_type('basic');
    return $auth if $auth;
    
    $self->authorization_required_response($c, $realm, $auth_info);
    die $Catalyst::DETACH;
}

sub authenticate_basic {
    my ( $self, $c, $realm, $auth_info ) = @_;

    $c->log->debug('Checking http basic authentication.') if $c->debug;

    my $headers = $c->req->headers;

    if ( my ( $username, $password ) = $headers->authorization_basic ) {
	    my $user_obj = $realm->find_user( { username => $username }, $c);
	    if (ref($user_obj)) {            
            if ($self->check_password($user_obj, {$self->_config->{password_field} => $password})) {
                $c->set_authenticated($user_obj);
                return $user_obj;
            }
        }
        else {
            $c->log->debug("Unable to locate user matching user info provided") if $c->debug;
            return;
        }
    }

    return;
}

sub authenticate_digest {
    my ( $self, $c, $realm, $auth_info ) = @_;

    $c->log->debug('Checking http digest authentication.') if $c->debug;

    my $headers       = $c->req->headers;
    my @authorization = $headers->header('Authorization');
    foreach my $authorization (@authorization) {
        next unless $authorization =~ m{^Digest};
        my %res = map {
            my @key_val = split /=/, $_, 2;
            $key_val[0] = lc $key_val[0];
            $key_val[1] =~ s{"}{}g;    # remove the quotes
            @key_val;
        } split /,\s?/, substr( $authorization, 7 );    #7 == length "Digest "

        my $opaque = $res{opaque};
        my $nonce  = $self->get_digest_authorization_nonce( $c, __PACKAGE__ . '::opaque:' . $opaque );
        next unless $nonce;

        $c->log->debug('Checking authentication parameters.')
          if $c->debug;

        my $uri         = '/' . $c->request->path;
        my $algorithm   = $res{algorithm} || 'MD5';
        my $nonce_count = '0x' . $res{nc};

        my $check = $uri eq $res{uri}
          && ( exists $res{username} )
          && ( exists $res{qop} )
          && ( exists $res{cnonce} )
          && ( exists $res{nc} )
          && $algorithm eq $nonce->algorithm
          && hex($nonce_count) > hex( $nonce->nonce_count )
          && $res{nonce} eq $nonce->nonce;    # TODO: set Stale instead

        unless ($check) {
            $c->log->debug('Digest authentication failed. Bad request.')
              if $c->debug;
            $c->res->status(400);             # bad request
            Carp::confess $Catalyst::DETACH;
        }

        $c->log->debug('Checking authentication response.')
          if $c->debug;

        my $username = $res{username};

        my $user;

        unless ( $user = $auth_info->{user} ) {
            $user = $realm->find_user( { username => $username }, $c);
        }
        unless ($user) {    # no user, no authentication
            $c->log->debug("Unable to locate user matching user info provided") if $c->debug;
            return;
        }

        # everything looks good, let's check the response
        # calculate H(A2) as per spec
        my $ctx = Digest::MD5->new;
        $ctx->add( join( ':', $c->request->method, $res{uri} ) );
        if ( $res{qop} eq 'auth-int' ) {
            my $digest =
              Digest::MD5::md5_hex( $c->request->body );    # not sure here
            $ctx->add( ':', $digest );
        }
        my $A2_digest = $ctx->hexdigest;

        # the idea of the for loop:
        # if we do not want to store the plain password in our user store,
        # we can store md5_hex("$username:$realm:$password") instead
        my $password_field = $self->_config->{password_field};
        for my $r ( 0 .. 1 ) {
            # calculate H(A1) as per spec
            my $A1_digest = $r ? $user->$password_field() : do {
                $ctx = Digest::MD5->new;
                $ctx->add( join( ':', $username, $realm->name, $user->$password_field() ) );
                $ctx->hexdigest;
            };
            if ( $nonce->algorithm eq 'MD5-sess' ) {
                $ctx = Digest::MD5->new;
                $ctx->add( join( ':', $A1_digest, $res{nonce}, $res{cnonce} ) );
                $A1_digest = $ctx->hexdigest;
            }

            my $digest_in = join( ':',
                    $A1_digest, $res{nonce},
                    $res{qop} ? ( $res{nc}, $res{cnonce}, $res{qop} ) : (),
                    $A2_digest );
            my $rq_digest = Digest::MD5::md5_hex($digest_in);
            $nonce->nonce_count($nonce_count);
            $c->cache->set( __PACKAGE__ . '::opaque:' . $nonce->opaque,
                $nonce );
            if ($rq_digest eq $res{response}) {
                $c->set_authenticated($user);
                return 1;
            }
        }
    }
    return;
}

sub _check_cache {
    my $c = shift;

    die "A cache is needed for http digest authentication."
      unless $c->can('cache');
    return;
}

sub _is_http_auth_type {
    my ( $self, $type ) = @_;
    my $cfgtype = lc( $self->_config->{'type'} || 'any' );
    return 1 if $cfgtype eq 'any' || $cfgtype eq lc $type;
    return 0;
}

sub authorization_required_response {
    my ( $self, $c, $realm, $auth_info ) = @_;

    $c->res->status(401);
    $c->res->content_type('text/plain');
    if (exists $self->_config->{authorization_required_message}) {
        # If you set the key to undef, don't stamp on the body.
        $c->res->body($self->_config->{authorization_required_message}) 
            if defined $c->res->body($self->_config->{authorization_required_message}); 
    }
    else {
        $c->res->body('Authorization required.');
    }

    # *DONT* short circuit
    my $ok;
    $ok++ if $self->_create_digest_auth_response($c, $auth_info);
    $ok++ if $self->_create_basic_auth_response($c, $auth_info);

    unless ( $ok ) {
        die 'Could not build authorization required response. '
        . 'Did you configure a valid authentication http type: '
        . 'basic, digest, any';
    }
    return;
}

sub _add_authentication_header {
    my ( $c, $header ) = @_;
    $c->response->headers->push_header( 'WWW-Authenticate' => $header );
    return;
}

sub _create_digest_auth_response {
    my ( $self, $c, $opts ) = @_;
      
    return unless $self->_is_http_auth_type('digest');
    
    if ( my $digest = $self->_build_digest_auth_header( $c, $opts ) ) {
        _add_authentication_header( $c, $digest );
        return 1;
    }

    return;
}

sub _create_basic_auth_response {
    my ( $self, $c, $opts ) = @_;
    
    return unless $self->_is_http_auth_type('basic');

    if ( my $basic = $self->_build_basic_auth_header( $c, $opts ) ) {
        _add_authentication_header( $c, $basic );
        return 1;
    }

    return;
}

sub _build_auth_header_realm {
    my ( $self, $c, $opts ) = @_;    
    if ( my $realm_name = String::Escape::qprintable($opts->{realm} ? $opts->{realm} : $self->realm->name) ) {
        $realm_name = qq{"$realm_name"} unless $realm_name =~ /^"/;
        return 'realm=' . $realm_name;
    } 
    return;
}

sub _build_auth_header_domain {
    my ( $self, $c, $opts ) = @_;
    if ( my $domain = $opts->{domain} ) {
        Catalyst::Exception->throw("domain must be an array reference")
          unless ref($domain) && ref($domain) eq "ARRAY";

        my @uris =
          $self->_config->{use_uri_for}
          ? ( map { $c->uri_for($_) } @$domain )
          : ( map { URI::Escape::uri_escape($_) } @$domain );

        return qq{domain="@uris"};
    } 
    return;
}

sub _build_auth_header_common {
    my ( $self, $c, $opts ) = @_;
    return (
        $self->_build_auth_header_realm($c, $opts),
        $self->_build_auth_header_domain($c, $opts),
    );
}

sub _build_basic_auth_header {
    my ( $self, $c, $opts ) = @_;
    return _join_auth_header_parts( Basic => $self->_build_auth_header_common( $c, $opts ) );
}

sub _build_digest_auth_header {
    my ( $self, $c, $opts ) = @_;

    my $nonce = $self->_digest_auth_nonce($c, $opts);

    my $key = __PACKAGE__ . '::opaque:' . $nonce->opaque;
   
    $self->store_digest_authorization_nonce( $c, $key, $nonce );

    return _join_auth_header_parts( Digest =>
        $self->_build_auth_header_common($c, $opts),
        map { sprintf '%s="%s"', $_, $nonce->$_ } qw(
            qop
            nonce
            opaque
            algorithm
        ),
    );
}

sub _digest_auth_nonce {
    my ( $self, $c, $opts ) = @_;

    my $package = __PACKAGE__ . '::Nonce';

    my $nonce   = $package->new;

    if ( my $algorithm = $opts->{algorithm} || $self->_config->{algorithm}) { 
        $nonce->algorithm( $algorithm );
    }

    return $nonce;
}

sub _join_auth_header_parts {
    my ( $type, @parts ) = @_;
    return "$type " . join(", ", @parts );
}

sub get_digest_authorization_nonce {
    my ( $self, $c, $key ) = @_;
    
    _check_cache($c);
    return $c->cache->get( $key );
}

sub store_digest_authorization_nonce {
    my ( $self, $c, $key, $nonce ) = @_;

    _check_cache($c);
    return $c->cache->set( $key, $nonce );
}

package Catalyst::Authentication::Credential::HTTP::Nonce;

use strict;
use base qw[ Class::Accessor::Fast ];
use Data::UUID ();

our $VERSION = '0.02';

__PACKAGE__->mk_accessors(qw[ nonce nonce_count qop opaque algorithm ]);

sub new {
    my $class = shift;
    my $self  = $class->SUPER::new(@_);

    $self->nonce( Data::UUID->new->create_b64 );
    $self->opaque( Data::UUID->new->create_b64 );
    $self->qop('auth,auth-int');
    $self->nonce_count('0x0');
    $self->algorithm('MD5');

    return $self;
}

1;

__END__

=pod

=head1 NAME

Catalyst::Authentication::Credential::HTTP - HTTP Basic and Digest authentication
for Catalyst.

=head1 SYNOPSIS

    use Catalyst qw/
        Authentication
    /;

    __PACKAGE__->config( authentication => {
        realms => { 
            example => { 
                credential => { 
                    class => 'HTTP',
                    type  => 'any', # or 'digest' or 'basic'
                    password_type  => 'clear',
                    password_field => 'password'
                },
                store => {
                    class => 'Minimal',
                    users => {
                        Mufasa => { password => "Circle Of Life", },
                    },
                },
            },
        }
    });

    sub foo : Local {
        my ( $self, $c ) = @_;

        $c->authenticate({ realm => "example" }); 
        # either user gets authenticated or 401 is sent
        # Note that the authentication realm sent to the client is overridden
        # here, but this does not affect the Catalyst::Authentication::Realm
        # used for authentication.

        do_stuff();
    }
    
    sub always_auth : Local {
        my ( $self, $c ) = @_;
        
        # Force authorization headers onto the response so that the user
        # is asked again for authentication, even if they successfully
        # authenticated.
        my $realm = $c->get_auth_realm('example');
        $realm->credential->authorization_required_response($c, $realm);
    }

    # with ACL plugin
    __PACKAGE__->deny_access_unless("/path", sub { $_[0]->authenticate });

=head1 DESCRIPTION

This module lets you use HTTP authentication with
L<Catalyst::Plugin::Authentication>. Both basic and digest authentication
are currently supported.

When authentication is required, this module sets a status of 401, and
the body of the response to 'Authorization required.'. To override
this and set your own content, check for the C<< $c->res->status ==
401 >> in your C<end> action, and change the body accordingly.

=head2 TERMS

=over 4

=item Nonce

A nonce is a one-time value sent with each digest authentication
request header. The value must always be unique, so per default the
last value of the nonce is kept using L<Catalyst::Plugin::Cache>. To
change this behaviour, override the
C<store_digest_authorization_nonce> and
C<get_digest_authorization_nonce> methods as shown below.

=back

=head1 METHODS

=over 4

=item new $config, $c, $realm

Simple constructor.

=item authenticate $c, $realm, \%auth_info

Tries to authenticate the user, and if that fails calls
C<authorization_required_response> and detaches the current action call stack.

Looks inside C<< $c->request->headers >> and processes the digest and basic
(badly named) authorization header.

This will only try the methods set in the configuration. First digest, then basic.

The %auth_info hash can contain a number of keys which control the authentication behaviour:

=over

=item realm

Sets the HTTP authentication realm presented to the client. Note this does not alter the
Catalyst::Authentication::Realm object used for the authentication.

=item domain

Array reference to domains used to build the authorization headers.

This list of domains defines the protection space. If a domain URI is an 
absolute path (starts with /), it is relative to the root URL of the server being accessed. 
An absolute URI in this list may refer to a different server than the one being accessed. 

The client will use this list to determine the set of URIs for which the same authentication 
information may be sent. 

If this is omitted or its value is empty, the client will assume that the
protection space consists of all URIs on the responding server.

Therefore, if your application is not hosted at the root of this domain, and you want to
prevent the authentication credentials for this application being sent to any other applications.
then you should use the I<use_uri_for> configuration option, and pass a domain of I</>.

=back

=item authenticate_basic $c, $realm, \%auth_info

Performs HTTP basic authentication.

=item authenticate_digest $c, $realm, \%auth_info

Performs HTTP digest authentication. Note that the password_type B<must> by I<clear> for
digest authentication to succeed, and you must have L<Catalyst::Plugin::Session> in
your application as digest authentication needs to store persistent data.

Note - if you do not want to store your user passwords as clear text, then it is possible
to store instead the MD5 digest in hex of the string '$username:$realm:$password' 

Takes an additional parameter of I<algorithm>, the possible values of which are 'MD5' (the default)
and 'MD5-sess'. For more information about 'MD5-sess', see section 3.2.2.2 in RFC 2617.

=item authorization_required_response $c, $realm, \%auth_info

Sets C<< $c->response >> to the correct status code, and adds the correct
header to demand authentication data from the user agent.

Typically used by C<authenticate>, but may be invoked manually.

%opts can contain C<domain> and C<algorithm>, which are used to build
%the digest header.

=item store_digest_authorization_nonce $c, $key, $nonce

=item get_digest_authorization_nonce $c, $key

Set or get the C<$nonce> object used by the digest auth mode.

You may override these methods. By default they will call C<get> and C<set> on
C<< $c->cache >>.

=back

=head1 CONFIGURATION

All configuration is stored in C<< YourApp->config(authentication => { yourrealm => { credential => { class => 'HTTP', %config } } } >>.

This should be a hash, and it can contain the following entries:

=over

=item type

Can be either C<any> (the default), C<basic> or C<digest>.

This controls C<authorization_required_response> and C<authenticate>, but
not the "manual" methods.

=item authorization_required_message

Set this to a string to override the default body content "Authorization required.", or set to undef to suppress body content being generated.

=item password_type

The type of password returned by the user object. Same usage as in 
L<Catalyst::Authentication::Credential::Password|Catalyst::Authentication::Credential::Password/passwprd_type>

=item password_field

The name of accessor used to retrieve the value of the password field from the user object. Same usage as in 
L<Catalyst::Authentication::Credential::Password|Catalyst::Authentication::Credential::Password/password_field>

=item use_uri_for

If this configuration key has a true value, then the domain(s) for the authorization header will be
run through $c->uri_for(). Use this configuration option if your application is not running at the root
of your domain, and you want to ensure that authentication credentials from your application are not shared with
other applications on the same server.

=back

=head1 RESTRICTIONS

When using digest authentication, this module will only work together
with authentication stores whose User objects have a C<password>
method that returns the plain-text password. It will not work together
with L<Catalyst::Authentication::Store::Htpasswd>, or
L<Catalyst::Authentication::Store::DBIC> stores whose
C<password> methods return a hashed or salted version of the password.

=head1 AUTHORS

Updated to current name space and currently maintained
by: Tomas Doran C<bobtfish@bobtfish.net>.

Original module by: 

=over

=item Yuval Kogman, C<nothingmuch@woobling.org>

=item Jess Robinson

=item Sascha Kiefer C<esskar@cpan.org>

=back

=head1 SEE ALSO

RFC 2617 (or its successors), L<Catalyst::Plugin::Cache>, L<Catalyst::Plugin::Authentication>

=head1 COPYRIGHT & LICENSE

        Copyright (c) 2005-2008 the aforementioned authors. All rights
        reserved. This program is free software; you can redistribute
        it and/or modify it under the same terms as Perl itself.

=cut
Commit	Line	Data
513d8ab6	1	package Catalyst::Authentication::Credential::HTTP;
490754a8	2	use base qw/Catalyst::Authentication::Credential::Password/;
d99b7693	3
	4	use strict;
	5	use warnings;
	6
	7	use String::Escape ();
	8	use URI::Escape ();
	9	use Catalyst ();
	10	use Digest::MD5 ();
	11
513d8ab6	12	BEGIN {
	13	__PACKAGE__->mk_accessors(qw/_config realm/);
	14	}
d99b7693	15
c5a1fa88	16	our $VERSION = "1.004";
d99b7693	17
513d8ab6	18	sub new {
	19	my ($class, $config, $app, $realm) = @_;
	20
	21	my $self = { _config => $config, _debug => $app->debug };
	22	bless $self, $class;
	23
	24	$self->realm($realm);
	25
	26	my $type = $self->_config->{'type'} \|\|= 'any';
	27
	28	if (!grep /$type/, ('basic', 'digest', 'any')) {
	29	Catalyst::Exception->throw(__PACKAGE__ . " used with unsupported authentication type: " . $type);
	30	}
	31	return $self;
d99b7693	32	}
d99b7693	33
513d8ab6	34	sub authenticate {
	35	my ( $self, $c, $realm, $auth_info ) = @_;
	36	my $auth;
d99b7693	37
513d8ab6	38	$auth = $self->authenticate_digest($c, $realm, $auth_info) if $self->_is_http_auth_type('digest');
513d8ab6	39	return $auth if $auth;
d99b7693	40
513d8ab6	41	$auth = $self->authenticate_basic($c, $realm, $auth_info) if $self->_is_http_auth_type('basic');
	42	return $auth if $auth;
	43
	44	$self->authorization_required_response($c, $realm, $auth_info);
	45	die $Catalyst::DETACH;
d99b7693	46	}
	47
	48	sub authenticate_basic {
513d8ab6	49	my ( $self, $c, $realm, $auth_info ) = @_;
d99b7693	50
	51	$c->log->debug('Checking http basic authentication.') if $c->debug;
	52
	53	my $headers = $c->req->headers;
	54
	55	if ( my ( $username, $password ) = $headers->authorization_basic ) {
513d8ab6	56	my $user_obj = $realm->find_user( { username => $username }, $c);
513d8ab6	57	if (ref($user_obj)) {
490754a8	58	if ($self->check_password($user_obj, {$self->_config->{password_field} => $password})) {
513d8ab6	59	$c->set_authenticated($user_obj);
513d8ab6	60	return $user_obj;
d99b7693	61	}
d99b7693	62	}
513d8ab6	63	else {
	64	$c->log->debug("Unable to locate user matching user info provided") if $c->debug;
	65	return;
	66	}
d99b7693	67	}
d99b7693	68
513d8ab6	69	return;
d99b7693	70	}
	71
	72	sub authenticate_digest {
513d8ab6	73	my ( $self, $c, $realm, $auth_info ) = @_;
d99b7693	74
	75	$c->log->debug('Checking http digest authentication.') if $c->debug;
	76
	77	my $headers = $c->req->headers;
	78	my @authorization = $headers->header('Authorization');
	79	foreach my $authorization (@authorization) {
	80	next unless $authorization =~ m{^Digest};
d99b7693	81	my %res = map {
	82	my @key_val = split /=/, $_, 2;
	83	$key_val[0] = lc $key_val[0];
	84	$key_val[1] =~ s{"}{}g; # remove the quotes
	85	@key_val;
	86	} split /,\s?/, substr( $authorization, 7 ); #7 == length "Digest "
	87
	88	my $opaque = $res{opaque};
513d8ab6	89	my $nonce = $self->get_digest_authorization_nonce( $c, __PACKAGE__ . '::opaque:' . $opaque );
d99b7693	90	next unless $nonce;
	91
	92	$c->log->debug('Checking authentication parameters.')
	93	if $c->debug;
	94
	95	my $uri = '/' . $c->request->path;
	96	my $algorithm = $res{algorithm} \|\| 'MD5';
	97	my $nonce_count = '0x' . $res{nc};
	98
	99	my $check = $uri eq $res{uri}
	100	&& ( exists $res{username} )
	101	&& ( exists $res{qop} )
	102	&& ( exists $res{cnonce} )
	103	&& ( exists $res{nc} )
	104	&& $algorithm eq $nonce->algorithm
	105	&& hex($nonce_count) > hex( $nonce->nonce_count )
	106	&& $res{nonce} eq $nonce->nonce; # TODO: set Stale instead
	107
	108	unless ($check) {
	109	$c->log->debug('Digest authentication failed. Bad request.')
	110	if $c->debug;
	111	$c->res->status(400); # bad request
513d8ab6	112	Carp::confess $Catalyst::DETACH;
d99b7693	113	}
	114
	115	$c->log->debug('Checking authentication response.')
	116	if $c->debug;
	117
	118	my $username = $res{username};
d99b7693	119
	120	my $user;
	121
513d8ab6	122	unless ( $user = $auth_info->{user} ) {
513d8ab6	123	$user = $realm->find_user( { username => $username }, $c);
d99b7693	124	}
d99b7693	125	unless ($user) { # no user, no authentication
513d8ab6	126	$c->log->debug("Unable to locate user matching user info provided") if $c->debug;
513d8ab6	127	return;
d99b7693	128	}
	129
	130	# everything looks good, let's check the response
d99b7693	131	# calculate H(A2) as per spec
	132	my $ctx = Digest::MD5->new;
	133	$ctx->add( join( ':', $c->request->method, $res{uri} ) );
	134	if ( $res{qop} eq 'auth-int' ) {
	135	my $digest =
	136	Digest::MD5::md5_hex( $c->request->body ); # not sure here
	137	$ctx->add( ':', $digest );
	138	}
	139	my $A2_digest = $ctx->hexdigest;
	140
	141	# the idea of the for loop:
	142	# if we do not want to store the plain password in our user store,
	143	# we can store md5_hex("$username:$realm:$password") instead
490754a8	144	my $password_field = $self->_config->{password_field};
d99b7693	145	for my $r ( 0 .. 1 ) {
d99b7693	146	# calculate H(A1) as per spec
490754a8	147	my $A1_digest = $r ? $user->$password_field() : do {
d99b7693	148	$ctx = Digest::MD5->new;
490754a8	149	$ctx->add( join( ':', $username, $realm->name, $user->$password_field() ) );
d99b7693	150	$ctx->hexdigest;
	151	};
	152	if ( $nonce->algorithm eq 'MD5-sess' ) {
	153	$ctx = Digest::MD5->new;
	154	$ctx->add( join( ':', $A1_digest, $res{nonce}, $res{cnonce} ) );
	155	$A1_digest = $ctx->hexdigest;
	156	}
	157
513d8ab6	158	my $digest_in = join( ':',
d99b7693	159	$A1_digest, $res{nonce},
d99b7693	160	$res{qop} ? ( $res{nc}, $res{cnonce}, $res{qop} ) : (),
513d8ab6	161	$A2_digest );
513d8ab6	162	my $rq_digest = Digest::MD5::md5_hex($digest_in);
d99b7693	163	$nonce->nonce_count($nonce_count);
	164	$c->cache->set( __PACKAGE__ . '::opaque:' . $nonce->opaque,
	165	$nonce );
513d8ab6	166	if ($rq_digest eq $res{response}) {
	167	$c->set_authenticated($user);
	168	return 1;
	169	}
d99b7693	170	}
d99b7693	171	}
513d8ab6	172	return;
d99b7693	173	}
	174
	175	sub _check_cache {
	176	my $c = shift;
	177
	178	die "A cache is needed for http digest authentication."
	179	unless $c->can('cache');
513d8ab6	180	return;
d99b7693	181	}
	182
	183	sub _is_http_auth_type {
513d8ab6	184	my ( $self, $type ) = @_;
513d8ab6	185	my $cfgtype = lc( $self->_config->{'type'} \|\| 'any' );
d99b7693	186	return 1 if $cfgtype eq 'any' \|\| $cfgtype eq lc $type;
	187	return 0;
	188	}
	189
d99b7693	190	sub authorization_required_response {
513d8ab6	191	my ( $self, $c, $realm, $auth_info ) = @_;
d99b7693	192
	193	$c->res->status(401);
	194	$c->res->content_type('text/plain');
513d8ab6	195	if (exists $self->_config->{authorization_required_message}) {
	196	# If you set the key to undef, don't stamp on the body.
	197	$c->res->body($self->_config->{authorization_required_message})
	198	if defined $c->res->body($self->_config->{authorization_required_message});
	199	}
	200	else {
	201	$c->res->body('Authorization required.');
	202	}
d99b7693	203
	204	# DONT short circuit
	205	my $ok;
513d8ab6	206	$ok++ if $self->_create_digest_auth_response($c, $auth_info);
513d8ab6	207	$ok++ if $self->_create_basic_auth_response($c, $auth_info);
d99b7693	208
	209	unless ( $ok ) {
	210	die 'Could not build authorization required response. '
	211	. 'Did you configure a valid authentication http type: '
	212	. 'basic, digest, any';
	213	}
513d8ab6	214	return;
d99b7693	215	}
	216
	217	sub _add_authentication_header {
	218	my ( $c, $header ) = @_;
513d8ab6	219	$c->response->headers->push_header( 'WWW-Authenticate' => $header );
513d8ab6	220	return;
d99b7693	221	}
	222
	223	sub _create_digest_auth_response {
513d8ab6	224	my ( $self, $c, $opts ) = @_;
d99b7693	225
513d8ab6	226	return unless $self->_is_http_auth_type('digest');
d99b7693	227
513d8ab6	228	if ( my $digest = $self->_build_digest_auth_header( $c, $opts ) ) {
513d8ab6	229	_add_authentication_header( $c, $digest );
d99b7693	230	return 1;
	231	}
	232
	233	return;
	234	}
	235
	236	sub _create_basic_auth_response {
513d8ab6	237	my ( $self, $c, $opts ) = @_;
d99b7693	238
513d8ab6	239	return unless $self->_is_http_auth_type('basic');
d99b7693	240
513d8ab6	241	if ( my $basic = $self->_build_basic_auth_header( $c, $opts ) ) {
513d8ab6	242	_add_authentication_header( $c, $basic );
d99b7693	243	return 1;
	244	}
	245
	246	return;
	247	}
	248
	249	sub _build_auth_header_realm {
bf399285	250	my ( $self, $c, $opts ) = @_;
bf399285	251	if ( my $realm_name = String::Escape::qprintable($opts->{realm} ? $opts->{realm} : $self->realm->name) ) {
513d8ab6	252	$realm_name = qq{"$realm_name"} unless $realm_name =~ /^"/;
	253	return 'realm=' . $realm_name;
	254	}
	255	return;
d99b7693	256	}
	257
	258	sub _build_auth_header_domain {
513d8ab6	259	my ( $self, $c, $opts ) = @_;
d99b7693	260	if ( my $domain = $opts->{domain} ) {
	261	Catalyst::Exception->throw("domain must be an array reference")
	262	unless ref($domain) && ref($domain) eq "ARRAY";
	263
	264	my @uris =
513d8ab6	265	$self->_config->{use_uri_for}
d99b7693	266	? ( map { $c->uri_for($_) } @$domain )
	267	: ( map { URI::Escape::uri_escape($_) } @$domain );
	268
	269	return qq{domain="@uris"};
513d8ab6	270	}
513d8ab6	271	return;
d99b7693	272	}
	273
	274	sub _build_auth_header_common {
513d8ab6	275	my ( $self, $c, $opts ) = @_;
d99b7693	276	return (
bf399285	277	$self->_build_auth_header_realm($c, $opts),
513d8ab6	278	$self->_build_auth_header_domain($c, $opts),
d99b7693	279	);
	280	}
	281
	282	sub _build_basic_auth_header {
513d8ab6	283	my ( $self, $c, $opts ) = @_;
513d8ab6	284	return _join_auth_header_parts( Basic => $self->_build_auth_header_common( $c, $opts ) );
d99b7693	285	}
	286
	287	sub _build_digest_auth_header {
513d8ab6	288	my ( $self, $c, $opts ) = @_;
d99b7693	289
513d8ab6	290	my $nonce = $self->_digest_auth_nonce($c, $opts);
d99b7693	291
	292	my $key = __PACKAGE__ . '::opaque:' . $nonce->opaque;
	293
513d8ab6	294	$self->store_digest_authorization_nonce( $c, $key, $nonce );
a14203f8	295
513d8ab6	296	return _join_auth_header_parts( Digest =>
513d8ab6	297	$self->_build_auth_header_common($c, $opts),
d99b7693	298	map { sprintf '%s="%s"', $_, $nonce->$_ } qw(
	299	qop
	300	nonce
	301	opaque
	302	algorithm
	303	),
	304	);
	305	}
a14203f8	306
d99b7693	307	sub _digest_auth_nonce {
513d8ab6	308	my ( $self, $c, $opts ) = @_;
d99b7693	309
	310	my $package = __PACKAGE__ . '::Nonce';
	311
	312	my $nonce = $package->new;
	313
513d8ab6	314	if ( my $algorithm = $opts->{algorithm} \|\| $self->_config->{algorithm}) {
d99b7693	315	$nonce->algorithm( $algorithm );
	316	}
	317
	318	return $nonce;
	319	}
	320
	321	sub _join_auth_header_parts {
513d8ab6	322	my ( $type, @parts ) = @_;
d99b7693	323	return "$type " . join(", ", @parts );
	324	}
	325
	326	sub get_digest_authorization_nonce {
513d8ab6	327	my ( $self, $c, $key ) = @_;
	328
	329	_check_cache($c);
	330	return $c->cache->get( $key );
d99b7693	331	}
	332
	333	sub store_digest_authorization_nonce {
513d8ab6	334	my ( $self, $c, $key, $nonce ) = @_;
d99b7693	335
513d8ab6	336	_check_cache($c);
513d8ab6	337	return $c->cache->set( $key, $nonce );
d99b7693	338	}
d99b7693	339
513d8ab6	340	package Catalyst::Authentication::Credential::HTTP::Nonce;
d99b7693	341
	342	use strict;
	343	use base qw[ Class::Accessor::Fast ];
	344	use Data::UUID ();
	345
513d8ab6	346	our $VERSION = '0.02';
d99b7693	347
	348	__PACKAGE__->mk_accessors(qw[ nonce nonce_count qop opaque algorithm ]);
	349
	350	sub new {
	351	my $class = shift;
	352	my $self = $class->SUPER::new(@_);
	353
	354	$self->nonce( Data::UUID->new->create_b64 );
	355	$self->opaque( Data::UUID->new->create_b64 );
	356	$self->qop('auth,auth-int');
	357	$self->nonce_count('0x0');
	358	$self->algorithm('MD5');
	359
	360	return $self;
	361	}
a14203f8	362
a14203f8	363	1;
a14203f8	364
a14203f8	365	__END__
a14203f8	366
a14203f8	367	=pod
a14203f8	368
a14203f8	369	=head1 NAME
a14203f8	370
513d8ab6	371	Catalyst::Authentication::Credential::HTTP - HTTP Basic and Digest authentication
53306b93	372	for Catalyst.
a14203f8	373
a14203f8	374	=head1 SYNOPSIS
a14203f8	375
a14203f8	376	use Catalyst qw/
a14203f8	377	Authentication
a14203f8	378	/;
a14203f8	379
513d8ab6	380	__PACKAGE__->config( authentication => {
	381	realms => {
	382	example => {
	383	credential => {
	384	class => 'HTTP',
	385	type => 'any', # or 'digest' or 'basic'
490754a8	386	password_type => 'clear',
490754a8	387	password_field => 'password'
513d8ab6	388	},
	389	store => {
	390	class => 'Minimal',
	391	users => {
	392	Mufasa => { password => "Circle Of Life", },
	393	},
	394	},
	395	},
	396	}
	397	});
d99b7693	398
	399	sub foo : Local {
	400	my ( $self, $c ) = @_;
	401
513d8ab6	402	$c->authenticate({ realm => "example" });
d99b7693	403	# either user gets authenticated or 401 is sent
bf399285	404	# Note that the authentication realm sent to the client is overridden
	405	# here, but this does not affect the Catalyst::Authentication::Realm
	406	# used for authentication.
d99b7693	407
	408	do_stuff();
	409	}
031f556c	410
	411	sub always_auth : Local {
	412	my ( $self, $c ) = @_;
	413
	414	# Force authorization headers onto the response so that the user
	415	# is asked again for authentication, even if they successfully
	416	# authenticated.
	417	my $realm = $c->get_auth_realm('example');
	418	$realm->credential->authorization_required_response($c, $realm);
	419	}
d99b7693	420
d99b7693	421	# with ACL plugin
513d8ab6	422	__PACKAGE__->deny_access_unless("/path", sub { $_[0]->authenticate });
d99b7693	423
a14203f8	424	=head1 DESCRIPTION
a14203f8	425
513d8ab6	426	This module lets you use HTTP authentication with
d99b7693	427	L<Catalyst::Plugin::Authentication>. Both basic and digest authentication
	428	are currently supported.
	429
	430	When authentication is required, this module sets a status of 401, and
	431	the body of the response to 'Authorization required.'. To override
	432	this and set your own content, check for the C<< $c->res->status ==
	433	401 >> in your C<end> action, and change the body accordingly.
	434
	435	=head2 TERMS
	436
	437	=over 4
	438
	439	=item Nonce
	440
	441	A nonce is a one-time value sent with each digest authentication
	442	request header. The value must always be unique, so per default the
	443	last value of the nonce is kept using L<Catalyst::Plugin::Cache>. To
	444	change this behaviour, override the
	445	C<store_digest_authorization_nonce> and
	446	C<get_digest_authorization_nonce> methods as shown below.
	447
	448	=back
	449
	450	=head1 METHODS
	451
	452	=over 4
	453
513d8ab6	454	=item new $config, $c, $realm
d99b7693	455
513d8ab6	456	Simple constructor.
d99b7693	457
513d8ab6	458	=item authenticate $c, $realm, \%auth_info
d99b7693	459
513d8ab6	460	Tries to authenticate the user, and if that fails calls
513d8ab6	461	C<authorization_required_response> and detaches the current action call stack.
d99b7693	462
	463	Looks inside C<< $c->request->headers >> and processes the digest and basic
	464	(badly named) authorization header.
	465
	466	This will only try the methods set in the configuration. First digest, then basic.
	467
bf399285	468	The %auth_info hash can contain a number of keys which control the authentication behaviour:
	469
	470	=over
	471
	472	=item realm
	473
	474	Sets the HTTP authentication realm presented to the client. Note this does not alter the
	475	Catalyst::Authentication::Realm object used for the authentication.
	476
05512a69	477	=item domain
bf399285	478
05512a69	479	Array reference to domains used to build the authorization headers.
bf399285	480
ea92acf7	481	This list of domains defines the protection space. If a domain URI is an
	482	absolute path (starts with /), it is relative to the root URL of the server being accessed.
	483	An absolute URI in this list may refer to a different server than the one being accessed.
	484
	485	The client will use this list to determine the set of URIs for which the same authentication
	486	information may be sent.
	487
	488	If this is omitted or its value is empty, the client will assume that the
	489	protection space consists of all URIs on the responding server.
	490
	491	Therefore, if your application is not hosted at the root of this domain, and you want to
	492	prevent the authentication credentials for this application being sent to any other applications.
	493	then you should use the I<use_uri_for> configuration option, and pass a domain of I</>.
	494
bf399285	495	=back
d99b7693	496
513d8ab6	497	=item authenticate_basic $c, $realm, \%auth_info
d99b7693	498
bf399285	499	Performs HTTP basic authentication.
490754a8	500
513d8ab6	501	=item authenticate_digest $c, $realm, \%auth_info
d99b7693	502
bf399285	503	Performs HTTP digest authentication. Note that the password_type B<must> by I<clear> for
c5a1fa88	504	digest authentication to succeed, and you must have L<Catalyst::Plugin::Session> in
	505	your application as digest authentication needs to store persistent data.
	506
	507	Note - if you do not want to store your user passwords as clear text, then it is possible
	508	to store instead the MD5 digest in hex of the string '$username:$realm:$password'
d99b7693	509
ea92acf7	510	Takes an additional parameter of I<algorithm>, the possible values of which are 'MD5' (the default)
	511	and 'MD5-sess'. For more information about 'MD5-sess', see section 3.2.2.2 in RFC 2617.
	512
513d8ab6	513	=item authorization_required_response $c, $realm, \%auth_info
d99b7693	514
	515	Sets C<< $c->response >> to the correct status code, and adds the correct
	516	header to demand authentication data from the user agent.
	517
513d8ab6	518	Typically used by C<authenticate>, but may be invoked manually.
d99b7693	519
513d8ab6	520	%opts can contain C<domain> and C<algorithm>, which are used to build
d99b7693	521	%the digest header.
d99b7693	522
513d8ab6	523	=item store_digest_authorization_nonce $c, $key, $nonce
d99b7693	524
513d8ab6	525	=item get_digest_authorization_nonce $c, $key
d99b7693	526
	527	Set or get the C<$nonce> object used by the digest auth mode.
	528
	529	You may override these methods. By default they will call C<get> and C<set> on
	530	C<< $c->cache >>.
	531
d99b7693	532	=back
	533
	534	=head1 CONFIGURATION
	535
513d8ab6	536	All configuration is stored in C<< YourApp->config(authentication => { yourrealm => { credential => { class => 'HTTP', %config } } } >>.
d99b7693	537
	538	This should be a hash, and it can contain the following entries:
	539
05512a69	540	=over
d99b7693	541
d99b7693	542	=item type
	543
	544	Can be either C<any> (the default), C<basic> or C<digest>.
	545
513d8ab6	546	This controls C<authorization_required_response> and C<authenticate>, but
d99b7693	547	not the "manual" methods.
	548
	549	=item authorization_required_message
	550
513d8ab6	551	Set this to a string to override the default body content "Authorization required.", or set to undef to suppress body content being generated.
d99b7693	552
05512a69	553	=item password_type
05512a69	554
f1f73b53	555	The type of password returned by the user object. Same usage as in
05512a69	556	L<Catalyst::Authentication::Credential::Password\|Catalyst::Authentication::Credential::Password/passwprd_type>
	557
	558	=item password_field
	559
f1f73b53	560	The name of accessor used to retrieve the value of the password field from the user object. Same usage as in
05512a69	561	L<Catalyst::Authentication::Credential::Password\|Catalyst::Authentication::Credential::Password/password_field>
	562
	563	=item use_uri_for
	564
	565	If this configuration key has a true value, then the domain(s) for the authorization header will be
ea92acf7	566	run through $c->uri_for(). Use this configuration option if your application is not running at the root
	567	of your domain, and you want to ensure that authentication credentials from your application are not shared with
	568	other applications on the same server.
05512a69	569
d99b7693	570	=back
	571
	572	=head1 RESTRICTIONS
	573
	574	When using digest authentication, this module will only work together
	575	with authentication stores whose User objects have a C<password>
	576	method that returns the plain-text password. It will not work together
	577	with L<Catalyst::Authentication::Store::Htpasswd>, or
513d8ab6	578	L<Catalyst::Authentication::Store::DBIC> stores whose
d99b7693	579	C<password> methods return a hashed or salted version of the password.
c7b3e379	580
a14203f8	581	=head1 AUTHORS
a14203f8	582
513d8ab6	583	Updated to current name space and currently maintained
	584	by: Tomas Doran C<bobtfish@bobtfish.net>.
	585
	586	Original module by:
	587
	588	=over
a14203f8	589
513d8ab6	590	=item Yuval Kogman, C<nothingmuch@woobling.org>
a14203f8	591
513d8ab6	592	=item Jess Robinson
	593
	594	=item Sascha Kiefer C<esskar@cpan.org>
	595
	596	=back
a14203f8	597
c7b3e379	598	=head1 SEE ALSO
c7b3e379	599
d99b7693	600	RFC 2617 (or its successors), L<Catalyst::Plugin::Cache>, L<Catalyst::Plugin::Authentication>
c7b3e379	601
a14203f8	602	=head1 COPYRIGHT & LICENSE
a14203f8	603
513d8ab6	604	Copyright (c) 2005-2008 the aforementioned authors. All rights
a14203f8	605	reserved. This program is free software; you can redistribute
a14203f8	606	it and/or modify it under the same terms as Perl itself.
a14203f8	607
a14203f8	608	=cut
513d8ab6	609