[catagits/Catalyst-Authentication-Credential-HTTP.git] / lib / Catalyst / Plugin / Authentication / Credential / HTTP.pm

#!/usr/bin/perl

package Catalyst::Plugin::Authentication::Credential::HTTP;
use base qw/Catalyst::Plugin::Authentication::Credential::Password/;

use strict;
use warnings;

use String::Escape ();
use URI::Escape    ();
use Catalyst       ();
use Digest::MD5    ();

our $VERSION = "0.07";

sub authenticate_http {
    my ( $c, @args ) = @_;

    return 1 if $c->_is_http_auth_type('digest') && $c->authenticate_digest(@args);
    return 1 if $c->_is_http_auth_type('basic')  && $c->authenticate_basic(@args);
}

sub get_http_auth_store {
    my ( $c, %opts ) = @_;

    my $store = $opts{store} || $c->config->{authentication}{http}{store} || return;

    return ref $store
        ? $store
        : $c->get_auth_store($store);
}

sub authenticate_basic {
    my ( $c, %opts ) = @_;

    $c->log->debug('Checking http basic authentication.') if $c->debug;

    my $headers = $c->req->headers;

    if ( my ( $username, $password ) = $headers->authorization_basic ) {

        my $user;

        unless ( $user = $opts{user} ) {
            if ( my $store = $c->get_http_auth_store(%opts) ) {
                $user = $store->get_user($username);
            } else {
                $user = $username;
            }
        }

        return $c->login( $user, $password );
    }

    return 0;
}

sub authenticate_digest {
    my ( $c, %opts ) = @_;

    $c->log->debug('Checking http digest authentication.') if $c->debug;

    my $headers       = $c->req->headers;
    my @authorization = $headers->header('Authorization');
    foreach my $authorization (@authorization) {
        next unless $authorization =~ m{^Digest};

        my %res = map {
            my @key_val = split /=/, $_, 2;
            $key_val[0] = lc $key_val[0];
            $key_val[1] =~ s{"}{}g;    # remove the quotes
            @key_val;
        } split /,\s?/, substr( $authorization, 7 );    #7 == length "Digest "

        my $opaque = $res{opaque};
        my $nonce  = $c->get_digest_authorization_nonce( __PACKAGE__ . '::opaque:' . $opaque );
        next unless $nonce;

        $c->log->debug('Checking authentication parameters.')
          if $c->debug;

        my $uri         = '/' . $c->request->path;
        my $algorithm   = $res{algorithm} || 'MD5';
        my $nonce_count = '0x' . $res{nc};

        my $check = $uri eq $res{uri}
          && ( exists $res{username} )
          && ( exists $res{qop} )
          && ( exists $res{cnonce} )
          && ( exists $res{nc} )
          && $algorithm eq $nonce->algorithm
          && hex($nonce_count) > hex( $nonce->nonce_count )
          && $res{nonce} eq $nonce->nonce;    # TODO: set Stale instead

        unless ($check) {
            $c->log->debug('Digest authentication failed. Bad request.')
              if $c->debug;
            $c->res->status(400);             # bad request
            die $Catalyst::DETACH;
        }

        $c->log->debug('Checking authentication response.')
          if $c->debug;

        my $username = $res{username};
        my $realm    = $res{realm};

        my $user;

        unless ( $user = $opts{user} ) {
            if ( my $store = $c->get_http_auth_store(%opts) || $c->default_auth_store ) {
                $user = $store->get_user($username);
            }
        }

        unless ($user) {    # no user, no authentication
            $c->log->debug('Unknown user: $user.') if $c->debug;
            return 0;
        }

        # everything looks good, let's check the response

        # calculate H(A2) as per spec
        my $ctx = Digest::MD5->new;
        $ctx->add( join( ':', $c->request->method, $res{uri} ) );
        if ( $res{qop} eq 'auth-int' ) {
            my $digest =
              Digest::MD5::md5_hex( $c->request->body );    # not sure here
            $ctx->add( ':', $digest );
        }
        my $A2_digest = $ctx->hexdigest;

        # the idea of the for loop:
        # if we do not want to store the plain password in our user store,
        # we can store md5_hex("$username:$realm:$password") instead
        for my $r ( 0 .. 1 ) {

            # calculate H(A1) as per spec
            my $A1_digest = $r ? $user->password : do {
                $ctx = Digest::MD5->new;
                $ctx->add( join( ':', $username, $realm, $user->password ) );
                $ctx->hexdigest;
            };
            if ( $nonce->algorithm eq 'MD5-sess' ) {
                $ctx = Digest::MD5->new;
                $ctx->add( join( ':', $A1_digest, $res{nonce}, $res{cnonce} ) );
                $A1_digest = $ctx->hexdigest;
            }

            my $rq_digest = Digest::MD5::md5_hex(
                join( ':',
                    $A1_digest, $res{nonce},
                    $res{qop} ? ( $res{nc}, $res{cnonce}, $res{qop} ) : (),
                    $A2_digest )
            );

            $nonce->nonce_count($nonce_count);
            $c->cache->set( __PACKAGE__ . '::opaque:' . $nonce->opaque,
                $nonce );

            return $c->login( $user, $user->password )
              if $rq_digest eq $res{response};
        }
    }

    return 0;
}

sub _check_cache {
    my $c = shift;

    die "A cache is needed for http digest authentication."
      unless $c->can('cache');
}

sub _is_http_auth_type {
    my ( $c, $type ) = @_;

    my $cfgtype = lc( $c->config->{authentication}{http}{type} || 'any' );
    return 1 if $cfgtype eq 'any' || $cfgtype eq lc $type;
    return 0;
}

sub authorization_required {
    my ( $c, @args ) = @_;

    return 1 if $c->authenticate_http(@args);
    
    $c->authorization_required_response(@args);

    die $Catalyst::DETACH;
}

sub authorization_required_response {
    my ( $c, %opts ) = @_;

    $c->res->status(401);

    # *DONT* short circuit
    my $ok;
    $ok++ if $c->_create_digest_auth_response(\%opts);
    $ok++ if $c->_create_basic_auth_response(\%opts);

    unless ( $ok ) {
        die 'Could not build authorization required response. '
        . 'Did you configure a valid authentication http type: '
        . 'basic, digest, any';
    }
}

sub _add_authentication_header {
    my ( $c, $header ) = @_;
    $c->res->headers->push_header( 'WWW-Authenticate' => $header );
}

sub _create_digest_auth_response {
    my ( $c, $opts ) = @_;
      
    return unless $c->_is_http_auth_type('digest');
    
    if ( my $digest = $c->_build_digest_auth_header( $opts ) ) {
        $c->_add_authentication_header( $digest );
        return 1;
    }

    return;
}

sub _create_basic_auth_response {
    my ( $c, $opts ) = @_;
    
    return unless $c->_is_http_auth_type('basic');

    if ( my $basic = $c->_build_basic_auth_header( $opts ) ) {
        $c->_add_authentication_header( $basic );
        return 1;
    }

    return;
}

sub _build_auth_header_realm {
    my ( $c, $opts ) = @_;    

    if ( my $realm = $opts->{realm} ) {
        return 'realm=' . String::Escape::qprintable($realm);
    } else {
        return;
    }
}

sub _build_auth_header_domain {
    my ( $c, $opts ) = @_;

    if ( my $domain = $opts->{domain} ) {
        Catalyst::Exception->throw("domain must be an array reference")
          unless ref($domain) && ref($domain) eq "ARRAY";

        my @uris =
          $c->config->{authentication}{http}{use_uri_for}
          ? ( map { $c->uri_for($_) } @$domain )
          : ( map { URI::Escape::uri_escape($_) } @$domain );

        return qq{domain="@uris"};
    } else {
        return;
    }
}

sub _build_auth_header_common {
    my ( $c, $opts ) = @_;

    return (
        $c->_build_auth_header_realm($opts),
        $c->_build_auth_header_domain($opts),
    );
}

sub _build_basic_auth_header {
    my ( $c, $opts ) = @_;
    return $c->_join_auth_header_parts( Basic => $c->_build_auth_header_common( $opts ) );
}

sub _build_digest_auth_header {
    my ( $c, $opts ) = @_;

    my $nonce = $c->_digest_auth_nonce($opts);

    my $key = __PACKAGE__ . '::opaque:' . $nonce->opaque;
   
    $c->store_digest_authorization_nonce( $key, $nonce );

    return $c->_join_auth_header_parts( Digest =>
        $c->_build_auth_header_common($opts),
        map { sprintf '%s="%s"', $_, $nonce->$_ } qw(
            qop
            nonce
            opaque
            algorithm
        ),
    );
}

sub _digest_auth_nonce {
    my ( $c, $opts ) = @_;

    my $package = __PACKAGE__ . '::Nonce';

    my $nonce   = $package->new;

    if ( my $algorithm = $opts->{algorithm} || $c->config->{authentication}{http}{algorithm}) { 
        $nonce->algorithm( $algorithm );
    }

    return $nonce;
}

sub _join_auth_header_parts {
    my ( $c, $type, @parts ) = @_;
    return "$type " . join(", ", @parts );
}

sub get_digest_authorization_nonce {
    my ( $c, $key ) = @_;

    $c->_check_cache;
    $c->cache->get( $key );
}

sub store_digest_authorization_nonce {
    my ( $c, $key, $nonce ) = @_;

    $c->_check_cache;
    $c->cache->set( $key, $nonce );
}

package Catalyst::Plugin::Authentication::Credential::HTTP::Nonce;

use strict;
use base qw[ Class::Accessor::Fast ];
use Data::UUID ();

our $VERSION = "0.01";

__PACKAGE__->mk_accessors(qw[ nonce nonce_count qop opaque algorithm ]);

sub new {
    my $class = shift;
    my $self  = $class->SUPER::new(@_);

    $self->nonce( Data::UUID->new->create_b64 );
    $self->opaque( Data::UUID->new->create_b64 );
    $self->qop('auth,auth-int');
    $self->nonce_count('0x0');
    $self->algorithm('MD5');

    return $self;
}

1;

__END__

=pod

=head1 NAME

Catalyst::Plugin::Authentication::Credential::HTTP - HTTP Basic and Digest authentication
for Catalyst.

=head1 SYNOPSIS

    use Catalyst qw/
        Authentication
        Authentication::Store::Moose
        Authentication::Credential::HTTP
    /;

    __PACKAGE__->config->{authentication}{http}{type} = 'any'; # or 'digest' or 'basic'
    __PACKAGE__->config->{authentication}{users} = {
        Mufasa => { password => "Circle Of Life", },
    };

    sub foo : Local {
        my ( $self, $c ) = @_;

        $c->authorization_required( realm => "foo" ); # named after the status code ;-)

        # either user gets authenticated or 401 is sent

        do_stuff();
    }

    # with ACL plugin
    __PACKAGE__->deny_access_unless("/path", sub { $_[0]->authenticate_http });

    sub end : Private {
        my ( $self, $c ) = @_;

        $c->authorization_required_response( realm => "foo" );
        $c->error(0);
    }

=head1 DESCRIPTION

This moduule lets you use HTTP authentication with
L<Catalyst::Plugin::Authentication>. Both basic and digest authentication
are currently supported.

=head1 METHODS

=over 4

=item authorization_required %opts

Tries to C<authenticate_http>, and if that fails calls
C<authorization_required_response> and detaches the current action call stack.

This method just passes the options through untouched.

=item authenticate_http %opts

Looks inside C<< $c->request->headers >> and processes the digest and basic
(badly named) authorization header.

This will only try the methods set in the configuration.

See the next two methods for what %opts can contain.

=item authenticate_basic %opts

=item authenticate_digest %opts

Try to authenticate one of the methods without checking if the method is
allowed in the configuration.

%opts can contain C<store> (either an object or a name), C<user> (to disregard
%the username from the header altogether, overriding it with a username or user
%object).

=item authorization_required_response %opts

Sets C<< $c->response >> to the correct status code, and adds the correct
header to demand authentication data from the user agent.

Typically used by C<authorization_required>, but may be invoked manually.

%opts can contain C<realm>, C<domain> and C<algorithm>, which are used to build
%the digest header.

=item store_digest_authorization_nonce $key, $nonce

=item get_digest_authorization_nonce $key

Set or get the C<$nonce> object used by the digest auth mode.

You may override these methods. By default they will call C<get> and C<set> on
C<< $c->cache >>.

=back

=head1 CONFIGURATION

All configuration is stored in C<< YourApp->config->{authentication}{http} >>.

This should be a hash, and it can contain the following entries:

=over 4

=item store

Either a name or an object -- the default store to use for HTTP authentication.

=item type

Can be either C<any> (the default), C<basic> or C<digest>.

This controls C<authorization_required_response> and C<authenticate_http>, but
not the "manual" methods.

=back

=head1 AUTHORS

Yuval Kogman, C<nothingmuch@woobling.org>

Jess Robinson

Sascha Kiefer C<esskar@cpan.org>

=head1 COPYRIGHT & LICENSE

        Copyright (c) 2005-2006 the aforementioned authors. All rights
        reserved. This program is free software; you can redistribute
        it and/or modify it under the same terms as Perl itself.

=cut
Commit	Line	Data
a14203f8	1	#!/usr/bin/perl
a14203f8	2
a14203f8	3	package Catalyst::Plugin::Authentication::Credential::HTTP;
a14203f8	4	use base qw/Catalyst::Plugin::Authentication::Credential::Password/;
a14203f8	5
a14203f8	6	use strict;
a14203f8	7	use warnings;
a14203f8	8
a14203f8	9	use String::Escape ();
a14203f8	10	use URI::Escape ();
a14203f8	11	use Catalyst ();
a14203f8	12	use Digest::MD5 ();
a14203f8	13
e9684b75	14	our $VERSION = "0.07";
a14203f8	15
a14203f8	16	sub authenticate_http {
ac92fd52	17	my ( $c, @args ) = @_;
a14203f8	18
ac92fd52	19	return 1 if $c->_is_http_auth_type('digest') && $c->authenticate_digest(@args);
ac92fd52	20	return 1 if $c->_is_http_auth_type('basic') && $c->authenticate_basic(@args);
a14203f8	21	}
a14203f8	22
ac92fd52	23	sub get_http_auth_store {
ac92fd52	24	my ( $c, %opts ) = @_;
371a8cc8	25
	26	my $store = $opts{store} \|\| $c->config->{authentication}{http}{store} \|\| return;
	27
	28	return ref $store
	29	? $store
	30	: $c->get_auth_store($store);
ac92fd52	31	}
a14203f8	32
a14203f8	33	sub authenticate_basic {
ac92fd52	34	my ( $c, %opts ) = @_;
a14203f8	35
	36	$c->log->debug('Checking http basic authentication.') if $c->debug;
	37
a14203f8	38	my $headers = $c->req->headers;
a14203f8	39
ac92fd52	40	if ( my ( $username, $password ) = $headers->authorization_basic ) {
a14203f8	41
ac92fd52	42	my $user;
a14203f8	43
ac92fd52	44	unless ( $user = $opts{user} ) {
	45	if ( my $store = $c->get_http_auth_store(%opts) ) {
	46	$user = $store->get_user($username);
	47	} else {
	48	$user = $username;
	49	}
a14203f8	50	}
a14203f8	51
a14203f8	52	return $c->login( $user, $password );
a14203f8	53	}
a14203f8	54
a14203f8	55	return 0;
a14203f8	56	}
a14203f8	57
a14203f8	58	sub authenticate_digest {
ac92fd52	59	my ( $c, %opts ) = @_;
a14203f8	60
	61	$c->log->debug('Checking http digest authentication.') if $c->debug;
	62
a14203f8	63	my $headers = $c->req->headers;
a14203f8	64	my @authorization = $headers->header('Authorization');
a14203f8	65	foreach my $authorization (@authorization) {
a14203f8	66	next unless $authorization =~ m{^Digest};
a14203f8	67
a14203f8	68	my %res = map {
a14203f8	69	my @key_val = split /=/, $_, 2;
a14203f8	70	$key_val[0] = lc $key_val[0];
a14203f8	71	$key_val[1] =~ s{"}{}g; # remove the quotes
a14203f8	72	@key_val;
a14203f8	73	} split /,\s?/, substr( $authorization, 7 ); #7 == length "Digest "
a14203f8	74
a14203f8	75	my $opaque = $res{opaque};
371a8cc8	76	my $nonce = $c->get_digest_authorization_nonce( __PACKAGE__ . '::opaque:' . $opaque );
a14203f8	77	next unless $nonce;
a14203f8	78
a14203f8	79	$c->log->debug('Checking authentication parameters.')
a14203f8	80	if $c->debug;
a14203f8	81
a14203f8	82	my $uri = '/' . $c->request->path;
a14203f8	83	my $algorithm = $res{algorithm} \|\| 'MD5';
a14203f8	84	my $nonce_count = '0x' . $res{nc};
a14203f8	85
a14203f8	86	my $check = $uri eq $res{uri}
a14203f8	87	&& ( exists $res{username} )
a14203f8	88	&& ( exists $res{qop} )
a14203f8	89	&& ( exists $res{cnonce} )
a14203f8	90	&& ( exists $res{nc} )
a14203f8	91	&& $algorithm eq $nonce->algorithm
a14203f8	92	&& hex($nonce_count) > hex( $nonce->nonce_count )
a14203f8	93	&& $res{nonce} eq $nonce->nonce; # TODO: set Stale instead
a14203f8	94
a14203f8	95	unless ($check) {
a14203f8	96	$c->log->debug('Digest authentication failed. Bad request.')
a14203f8	97	if $c->debug;
a14203f8	98	$c->res->status(400); # bad request
a14203f8	99	die $Catalyst::DETACH;
a14203f8	100	}
a14203f8	101
a14203f8	102	$c->log->debug('Checking authentication response.')
a14203f8	103	if $c->debug;
a14203f8	104
a14203f8	105	my $username = $res{username};
a14203f8	106	my $realm = $res{realm};
a14203f8	107
a14203f8	108	my $user;
a14203f8	109
371a8cc8	110	unless ( $user = $opts{user} ) {
	111	if ( my $store = $c->get_http_auth_store(%opts) \|\| $c->default_auth_store ) {
	112	$user = $store->get_user($username);
	113	}
	114	}
a14203f8	115
a14203f8	116	unless ($user) { # no user, no authentication
a14203f8	117	$c->log->debug('Unknown user: $user.') if $c->debug;
a14203f8	118	return 0;
a14203f8	119	}
a14203f8	120
a14203f8	121	# everything looks good, let's check the response
a14203f8	122
a14203f8	123	# calculate H(A2) as per spec
a14203f8	124	my $ctx = Digest::MD5->new;
a14203f8	125	$ctx->add( join( ':', $c->request->method, $res{uri} ) );
a14203f8	126	if ( $res{qop} eq 'auth-int' ) {
a14203f8	127	my $digest =
a14203f8	128	Digest::MD5::md5_hex( $c->request->body ); # not sure here
a14203f8	129	$ctx->add( ':', $digest );
a14203f8	130	}
a14203f8	131	my $A2_digest = $ctx->hexdigest;
a14203f8	132
a14203f8	133	# the idea of the for loop:
a14203f8	134	# if we do not want to store the plain password in our user store,
a14203f8	135	# we can store md5_hex("$username:$realm:$password") instead
a14203f8	136	for my $r ( 0 .. 1 ) {
a14203f8	137
a14203f8	138	# calculate H(A1) as per spec
a14203f8	139	my $A1_digest = $r ? $user->password : do {
a14203f8	140	$ctx = Digest::MD5->new;
a14203f8	141	$ctx->add( join( ':', $username, $realm, $user->password ) );
a14203f8	142	$ctx->hexdigest;
a14203f8	143	};
a14203f8	144	if ( $nonce->algorithm eq 'MD5-sess' ) {
a14203f8	145	$ctx = Digest::MD5->new;
a14203f8	146	$ctx->add( join( ':', $A1_digest, $res{nonce}, $res{cnonce} ) );
a14203f8	147	$A1_digest = $ctx->hexdigest;
a14203f8	148	}
a14203f8	149
a14203f8	150	my $rq_digest = Digest::MD5::md5_hex(
a14203f8	151	join( ':',
a14203f8	152	$A1_digest, $res{nonce},
a14203f8	153	$res{qop} ? ( $res{nc}, $res{cnonce}, $res{qop} ) : (),
a14203f8	154	$A2_digest )
a14203f8	155	);
a14203f8	156
a14203f8	157	$nonce->nonce_count($nonce_count);
a14203f8	158	$c->cache->set( __PACKAGE__ . '::opaque:' . $nonce->opaque,
a14203f8	159	$nonce );
a14203f8	160
a14203f8	161	return $c->login( $user, $user->password )
a14203f8	162	if $rq_digest eq $res{response};
a14203f8	163	}
a14203f8	164	}
a14203f8	165
a14203f8	166	return 0;
a14203f8	167	}
a14203f8	168
a14203f8	169	sub _check_cache {
a14203f8	170	my $c = shift;
a14203f8	171
a14203f8	172	die "A cache is needed for http digest authentication."
a14203f8	173	unless $c->can('cache');
a14203f8	174	}
a14203f8	175
ac92fd52	176	sub _is_http_auth_type {
a14203f8	177	my ( $c, $type ) = @_;
a14203f8	178
a14203f8	179	my $cfgtype = lc( $c->config->{authentication}{http}{type} \|\| 'any' );
a14203f8	180	return 1 if $cfgtype eq 'any' \|\| $cfgtype eq lc $type;
a14203f8	181	return 0;
a14203f8	182	}
a14203f8	183
a14203f8	184	sub authorization_required {
ac92fd52	185	my ( $c, @args ) = @_;
a14203f8	186
ac92fd52	187	return 1 if $c->authenticate_http(@args);
	188
	189	$c->authorization_required_response(@args);
a14203f8	190
a14203f8	191	die $Catalyst::DETACH;
a14203f8	192	}
a14203f8	193
a14203f8	194	sub authorization_required_response {
a14203f8	195	my ( $c, %opts ) = @_;
a14203f8	196
a14203f8	197	$c->res->status(401);
a14203f8	198
ac92fd52	199	# DONT short circuit
	200	my $ok;
	201	$ok++ if $c->_create_digest_auth_response(\%opts);
	202	$ok++ if $c->_create_basic_auth_response(\%opts);
a14203f8	203
ac92fd52	204	unless ( $ok ) {
	205	die 'Could not build authorization required response. '
	206	. 'Did you configure a valid authentication http type: '
	207	. 'basic, digest, any';
	208	}
a14203f8	209	}
a14203f8	210
ac92fd52	211	sub _add_authentication_header {
	212	my ( $c, $header ) = @_;
	213	$c->res->headers->push_header( 'WWW-Authenticate' => $header );
	214	}
a14203f8	215
ac92fd52	216	sub _create_digest_auth_response {
	217	my ( $c, $opts ) = @_;
	218
	219	return unless $c->_is_http_auth_type('digest');
	220
	221	if ( my $digest = $c->_build_digest_auth_header( $opts ) ) {
	222	$c->_add_authentication_header( $digest );
	223	return 1;
	224	}
a14203f8	225
ac92fd52	226	return;
ac92fd52	227	}
a14203f8	228
ac92fd52	229	sub _create_basic_auth_response {
	230	my ( $c, $opts ) = @_;
	231
	232	return unless $c->_is_http_auth_type('basic');
a14203f8	233
ac92fd52	234	if ( my $basic = $c->_build_basic_auth_header( $opts ) ) {
	235	$c->_add_authentication_header( $basic );
	236	return 1;
	237	}
a14203f8	238
ac92fd52	239	return;
ac92fd52	240	}
a14203f8	241
ac92fd52	242	sub _build_auth_header_realm {
ac92fd52	243	my ( $c, $opts ) = @_;
a14203f8	244
a14203f8	245	if ( my $realm = $opts->{realm} ) {
ac92fd52	246	return 'realm=' . String::Escape::qprintable($realm);
	247	} else {
	248	return;
a14203f8	249	}
ac92fd52	250	}
a14203f8	251
ac92fd52	252	sub _build_auth_header_domain {
ac92fd52	253	my ( $c, $opts ) = @_;
a14203f8	254
a14203f8	255	if ( my $domain = $opts->{domain} ) {
18eacbdd	256	Catalyst::Exception->throw("domain must be an array reference")
a14203f8	257	unless ref($domain) && ref($domain) eq "ARRAY";
a14203f8	258
a14203f8	259	my @uris =
a14203f8	260	$c->config->{authentication}{http}{use_uri_for}
a14203f8	261	? ( map { $c->uri_for($_) } @$domain )
a14203f8	262	: ( map { URI::Escape::uri_escape($_) } @$domain );
a14203f8	263
ac92fd52	264	return qq{domain="@uris"};
	265	} else {
	266	return;
a14203f8	267	}
ac92fd52	268	}
a14203f8	269
ac92fd52	270	sub _build_auth_header_common {
ac92fd52	271	my ( $c, $opts ) = @_;
a14203f8	272
ac92fd52	273	return (
	274	$c->_build_auth_header_realm($opts),
	275	$c->_build_auth_header_domain($opts),
	276	);
	277	}
a14203f8	278
ac92fd52	279	sub _build_basic_auth_header {
ac92fd52	280	my ( $c, $opts ) = @_;
18eacbdd	281	return $c->_join_auth_header_parts( Basic => $c->_build_auth_header_common( $opts ) );
ac92fd52	282	}
a14203f8	283
ac92fd52	284	sub _build_digest_auth_header {
ac92fd52	285	my ( $c, $opts ) = @_;
a14203f8	286
ac92fd52	287	my $nonce = $c->_digest_auth_nonce($opts);
a14203f8	288
ac92fd52	289	my $key = __PACKAGE__ . '::opaque:' . $nonce->opaque;
ac92fd52	290
371a8cc8	291	$c->store_digest_authorization_nonce( $key, $nonce );
a14203f8	292
ac92fd52	293	return $c->_join_auth_header_parts( Digest =>
	294	$c->_build_auth_header_common($opts),
	295	map { sprintf '%s="%s"', $_, $nonce->$_ } qw(
	296	qop
	297	nonce
	298	opaque
	299	algorithm
	300	),
	301	);
	302	}
a14203f8	303
ac92fd52	304	sub _digest_auth_nonce {
ac92fd52	305	my ( $c, $opts ) = @_;
a14203f8	306
ac92fd52	307	my $package = __PACKAGE__ . '::Nonce';
a14203f8	308
ac92fd52	309	my $nonce = $package->new;
a14203f8	310
371a8cc8	311	if ( my $algorithm = $opts->{algorithm} \|\| $c->config->{authentication}{http}{algorithm}) {
	312	$nonce->algorithm( $algorithm );
	313	}
a14203f8	314
ac92fd52	315	return $nonce;
ac92fd52	316	}
a14203f8	317
ac92fd52	318	sub _join_auth_header_parts {
	319	my ( $c, $type, @parts ) = @_;
	320	return "$type " . join(", ", @parts );
	321	}
a14203f8	322
371a8cc8	323	sub get_digest_authorization_nonce {
ac92fd52	324	my ( $c, $key ) = @_;
a14203f8	325
ac92fd52	326	$c->_check_cache;
ac92fd52	327	$c->cache->get( $key );
a14203f8	328	}
a14203f8	329
371a8cc8	330	sub store_digest_authorization_nonce {
ac92fd52	331	my ( $c, $key, $nonce ) = @_;
a14203f8	332
ac92fd52	333	$c->_check_cache;
	334	$c->cache->set( $key, $nonce );
	335	}
a14203f8	336
	337	package Catalyst::Plugin::Authentication::Credential::HTTP::Nonce;
	338
a14203f8	339	use strict;
a14203f8	340	use base qw[ Class::Accessor::Fast ];
a14203f8	341	use Data::UUID ();
a14203f8	342
a14203f8	343	our $VERSION = "0.01";
a14203f8	344
a14203f8	345	__PACKAGE__->mk_accessors(qw[ nonce nonce_count qop opaque algorithm ]);
a14203f8	346
a14203f8	347	sub new {
a14203f8	348	my $class = shift;
a14203f8	349	my $self = $class->SUPER::new(@_);
a14203f8	350
a14203f8	351	$self->nonce( Data::UUID->new->create_b64 );
a14203f8	352	$self->opaque( Data::UUID->new->create_b64 );
a14203f8	353	$self->qop('auth,auth-int');
a14203f8	354	$self->nonce_count('0x0');
a14203f8	355	$self->algorithm('MD5');
a14203f8	356
a14203f8	357	return $self;
a14203f8	358	}
a14203f8	359
a14203f8	360	1;
a14203f8	361
a14203f8	362	__END__
a14203f8	363
a14203f8	364	=pod
a14203f8	365
a14203f8	366	=head1 NAME
a14203f8	367
a14203f8	368	Catalyst::Plugin::Authentication::Credential::HTTP - HTTP Basic and Digest authentication
53306b93	369	for Catalyst.
a14203f8	370
a14203f8	371	=head1 SYNOPSIS
a14203f8	372
a14203f8	373	use Catalyst qw/
a14203f8	374	Authentication
a14203f8	375	Authentication::Store::Moose
a14203f8	376	Authentication::Credential::HTTP
a14203f8	377	/;
a14203f8	378
3bb378d2	379	__PACKAGE__->config->{authentication}{http}{type} = 'any'; # or 'digest' or 'basic'
	380	__PACKAGE__->config->{authentication}{users} = {
	381	Mufasa => { password => "Circle Of Life", },
a14203f8	382	};
a14203f8	383
a14203f8	384	sub foo : Local {
a14203f8	385	my ( $self, $c ) = @_;
a14203f8	386
a14203f8	387	$c->authorization_required( realm => "foo" ); # named after the status code ;-)
a14203f8	388
a14203f8	389	# either user gets authenticated or 401 is sent
a14203f8	390
a14203f8	391	do_stuff();
a14203f8	392	}
a14203f8	393
a14203f8	394	# with ACL plugin
a14203f8	395	__PACKAGE__->deny_access_unless("/path", sub { $_[0]->authenticate_http });
a14203f8	396
a14203f8	397	sub end : Private {
a14203f8	398	my ( $self, $c ) = @_;
a14203f8	399
a14203f8	400	$c->authorization_required_response( realm => "foo" );
a14203f8	401	$c->error(0);
a14203f8	402	}
a14203f8	403
a14203f8	404	=head1 DESCRIPTION
a14203f8	405
a14203f8	406	This moduule lets you use HTTP authentication with
a14203f8	407	L<Catalyst::Plugin::Authentication>. Both basic and digest authentication
a14203f8	408	are currently supported.
a14203f8	409
a14203f8	410	=head1 METHODS
a14203f8	411
a14203f8	412	=over 4
a14203f8	413
371a8cc8	414	=item authorization_required %opts
a14203f8	415
a14203f8	416	Tries to C<authenticate_http>, and if that fails calls
a14203f8	417	C<authorization_required_response> and detaches the current action call stack.
a14203f8	418
371a8cc8	419	This method just passes the options through untouched.
	420
	421	=item authenticate_http %opts
a14203f8	422
a14203f8	423	Looks inside C<< $c->request->headers >> and processes the digest and basic
a14203f8	424	(badly named) authorization header.
a14203f8	425
371a8cc8	426	This will only try the methods set in the configuration.
	427
	428	See the next two methods for what %opts can contain.
	429
	430	=item authenticate_basic %opts
	431
	432	=item authenticate_digest %opts
	433
	434	Try to authenticate one of the methods without checking if the method is
	435	allowed in the configuration.
	436
	437	%opts can contain C<store> (either an object or a name), C<user> (to disregard
	438	%the username from the header altogether, overriding it with a username or user
	439	%object).
	440
	441	=item authorization_required_response %opts
a14203f8	442
a14203f8	443	Sets C<< $c->response >> to the correct status code, and adds the correct
a14203f8	444	header to demand authentication data from the user agent.
a14203f8	445
371a8cc8	446	Typically used by C<authorization_required>, but may be invoked manually.
	447
	448	%opts can contain C<realm>, C<domain> and C<algorithm>, which are used to build
	449	%the digest header.
	450
	451	=item store_digest_authorization_nonce $key, $nonce
	452
	453	=item get_digest_authorization_nonce $key
	454
	455	Set or get the C<$nonce> object used by the digest auth mode.
	456
	457	You may override these methods. By default they will call C<get> and C<set> on
	458	C<< $c->cache >>.
	459
	460	=back
	461
	462	=head1 CONFIGURATION
	463
	464	All configuration is stored in C<< YourApp->config->{authentication}{http} >>.
	465
	466	This should be a hash, and it can contain the following entries:
	467
	468	=over 4
	469
	470	=item store
	471
	472	Either a name or an object -- the default store to use for HTTP authentication.
	473
	474	=item type
	475
	476	Can be either C<any> (the default), C<basic> or C<digest>.
	477
	478	This controls C<authorization_required_response> and C<authenticate_http>, but
	479	not the "manual" methods.
	480
a14203f8	481	=back
a14203f8	482
a14203f8	483	=head1 AUTHORS
a14203f8	484
a14203f8	485	Yuval Kogman, C<nothingmuch@woobling.org>
a14203f8	486
a14203f8	487	Jess Robinson
a14203f8	488
a14203f8	489	Sascha Kiefer C<esskar@cpan.org>
a14203f8	490
a14203f8	491	=head1 COPYRIGHT & LICENSE
a14203f8	492
a14203f8	493	Copyright (c) 2005-2006 the aforementioned authors. All rights
a14203f8	494	reserved. This program is free software; you can redistribute
a14203f8	495	it and/or modify it under the same terms as Perl itself.
a14203f8	496
a14203f8	497	=cut