[catagits/Catalyst-Authentication-Credential-HTTP.git] / lib / Catalyst / Plugin / Authentication / Credential / HTTP.pm

#!/usr/bin/perl

package Catalyst::Plugin::Authentication::Credential::HTTP;
use base qw/Catalyst::Plugin::Authentication::Credential::Password/;

use strict;
use warnings;

use String::Escape ();
use URI::Escape    ();
use Catalyst       ();
use Digest::MD5    ();

our $VERSION = "0.08";

sub authenticate_http {
    my ( $c, @args ) = @_;

    return 1 if $c->_is_http_auth_type('digest') && $c->authenticate_digest(@args);
    return 1 if $c->_is_http_auth_type('basic')  && $c->authenticate_basic(@args);
}

sub get_http_auth_store {
    my ( $c, %opts ) = @_;

    my $store = $opts{store} || $c->config->{authentication}{http}{store} || return;

    return ref $store
        ? $store
        : $c->get_auth_store($store);
}

sub authenticate_basic {
    my ( $c, %opts ) = @_;

    $c->log->debug('Checking http basic authentication.') if $c->debug;

    my $headers = $c->req->headers;

    if ( my ( $username, $password ) = $headers->authorization_basic ) {

        my $user;

        unless ( $user = $opts{user} ) {
            if ( my $store = $c->get_http_auth_store(%opts) ) {
                $user = $store->get_user($username);
            } else {
                $user = $username;
            }
        }

        return $c->login( $user, $password );
    }

    return 0;
}

sub authenticate_digest {
    my ( $c, %opts ) = @_;

    $c->log->debug('Checking http digest authentication.') if $c->debug;

    my $headers       = $c->req->headers;
    my @authorization = $headers->header('Authorization');
    foreach my $authorization (@authorization) {
        next unless $authorization =~ m{^Digest};

        my %res = map {
            my @key_val = split /=/, $_, 2;
            $key_val[0] = lc $key_val[0];
            $key_val[1] =~ s{"}{}g;    # remove the quotes
            @key_val;
        } split /,\s?/, substr( $authorization, 7 );    #7 == length "Digest "

        my $opaque = $res{opaque};
        my $nonce  = $c->get_digest_authorization_nonce( __PACKAGE__ . '::opaque:' . $opaque );
        next unless $nonce;

        $c->log->debug('Checking authentication parameters.')
          if $c->debug;

        my $uri         = '/' . $c->request->path;
        my $algorithm   = $res{algorithm} || 'MD5';
        my $nonce_count = '0x' . $res{nc};

        my $check = $uri eq $res{uri}
          && ( exists $res{username} )
          && ( exists $res{qop} )
          && ( exists $res{cnonce} )
          && ( exists $res{nc} )
          && $algorithm eq $nonce->algorithm
          && hex($nonce_count) > hex( $nonce->nonce_count )
          && $res{nonce} eq $nonce->nonce;    # TODO: set Stale instead

        unless ($check) {
            $c->log->debug('Digest authentication failed. Bad request.')
              if $c->debug;
            $c->res->status(400);             # bad request
            die $Catalyst::DETACH;
        }

        $c->log->debug('Checking authentication response.')
          if $c->debug;

        my $username = $res{username};
        my $realm    = $res{realm};

        my $user;

        unless ( $user = $opts{user} ) {
            if ( my $store = $c->get_http_auth_store(%opts) || $c->default_auth_store ) {
                $user = $store->get_user($username);
            }
        }

        unless ($user) {    # no user, no authentication
            $c->log->debug('Unknown user: $user.') if $c->debug;
            return 0;
        }

        # everything looks good, let's check the response

        # calculate H(A2) as per spec
        my $ctx = Digest::MD5->new;
        $ctx->add( join( ':', $c->request->method, $res{uri} ) );
        if ( $res{qop} eq 'auth-int' ) {
            my $digest =
              Digest::MD5::md5_hex( $c->request->body );    # not sure here
            $ctx->add( ':', $digest );
        }
        my $A2_digest = $ctx->hexdigest;

        # the idea of the for loop:
        # if we do not want to store the plain password in our user store,
        # we can store md5_hex("$username:$realm:$password") instead
        for my $r ( 0 .. 1 ) {

            # calculate H(A1) as per spec
            my $A1_digest = $r ? $user->password : do {
                $ctx = Digest::MD5->new;
                $ctx->add( join( ':', $username, $realm, $user->password ) );
                $ctx->hexdigest;
            };
            if ( $nonce->algorithm eq 'MD5-sess' ) {
                $ctx = Digest::MD5->new;
                $ctx->add( join( ':', $A1_digest, $res{nonce}, $res{cnonce} ) );
                $A1_digest = $ctx->hexdigest;
            }

            my $rq_digest = Digest::MD5::md5_hex(
                join( ':',
                    $A1_digest, $res{nonce},
                    $res{qop} ? ( $res{nc}, $res{cnonce}, $res{qop} ) : (),
                    $A2_digest )
            );

            $nonce->nonce_count($nonce_count);
            $c->cache->set( __PACKAGE__ . '::opaque:' . $nonce->opaque,
                $nonce );

            return $c->login( $user, $user->password )
              if $rq_digest eq $res{response};
        }
    }

    return 0;
}

sub _check_cache {
    my $c = shift;

    die "A cache is needed for http digest authentication."
      unless $c->can('cache');
}

sub _is_http_auth_type {
    my ( $c, $type ) = @_;

    my $cfgtype = lc( $c->config->{authentication}{http}{type} || 'any' );
    return 1 if $cfgtype eq 'any' || $cfgtype eq lc $type;
    return 0;
}

sub authorization_required {
    my ( $c, @args ) = @_;

    return 1 if $c->authenticate_http(@args);
    
    $c->authorization_required_response(@args);

    die $Catalyst::DETACH;
}

sub authorization_required_response {
    my ( $c, %opts ) = @_;

    $c->res->status(401);
    $c->res->content_type('text/plain');
    $c->res->body($c->config->{authentication}{http}{authorization_required_message} || 
                  $opts{authorization_required_message} || 
                  'Authorization required.');

    # *DONT* short circuit
    my $ok;
    $ok++ if $c->_create_digest_auth_response(\%opts);
    $ok++ if $c->_create_basic_auth_response(\%opts);

    unless ( $ok ) {
        die 'Could not build authorization required response. '
        . 'Did you configure a valid authentication http type: '
        . 'basic, digest, any';
    }
}

sub _add_authentication_header {
    my ( $c, $header ) = @_;
    $c->res->headers->push_header( 'WWW-Authenticate' => $header );
}

sub _create_digest_auth_response {
    my ( $c, $opts ) = @_;
      
    return unless $c->_is_http_auth_type('digest');
    
    if ( my $digest = $c->_build_digest_auth_header( $opts ) ) {
        $c->_add_authentication_header( $digest );
        return 1;
    }

    return;
}

sub _create_basic_auth_response {
    my ( $c, $opts ) = @_;
    
    return unless $c->_is_http_auth_type('basic');

    if ( my $basic = $c->_build_basic_auth_header( $opts ) ) {
        $c->_add_authentication_header( $basic );
        return 1;
    }

    return;
}

sub _build_auth_header_realm {
    my ( $c, $opts ) = @_;    

    if ( my $realm = $opts->{realm} ) {
        return 'realm=' . String::Escape::qprintable($realm);
    } else {
        return;
    }
}

sub _build_auth_header_domain {
    my ( $c, $opts ) = @_;

    if ( my $domain = $opts->{domain} ) {
        Catalyst::Exception->throw("domain must be an array reference")
          unless ref($domain) && ref($domain) eq "ARRAY";

        my @uris =
          $c->config->{authentication}{http}{use_uri_for}
          ? ( map { $c->uri_for($_) } @$domain )
          : ( map { URI::Escape::uri_escape($_) } @$domain );

        return qq{domain="@uris"};
    } else {
        return;
    }
}

sub _build_auth_header_common {
    my ( $c, $opts ) = @_;

    return (
        $c->_build_auth_header_realm($opts),
        $c->_build_auth_header_domain($opts),
    );
}

sub _build_basic_auth_header {
    my ( $c, $opts ) = @_;
    return $c->_join_auth_header_parts( Basic => $c->_build_auth_header_common( $opts ) );
}

sub _build_digest_auth_header {
    my ( $c, $opts ) = @_;

    my $nonce = $c->_digest_auth_nonce($opts);

    my $key = __PACKAGE__ . '::opaque:' . $nonce->opaque;
   
    $c->store_digest_authorization_nonce( $key, $nonce );

    return $c->_join_auth_header_parts( Digest =>
        $c->_build_auth_header_common($opts),
        map { sprintf '%s="%s"', $_, $nonce->$_ } qw(
            qop
            nonce
            opaque
            algorithm
        ),
    );
}

sub _digest_auth_nonce {
    my ( $c, $opts ) = @_;

    my $package = __PACKAGE__ . '::Nonce';

    my $nonce   = $package->new;

    if ( my $algorithm = $opts->{algorithm} || $c->config->{authentication}{http}{algorithm}) { 
        $nonce->algorithm( $algorithm );
    }

    return $nonce;
}

sub _join_auth_header_parts {
    my ( $c, $type, @parts ) = @_;
    return "$type " . join(", ", @parts );
}

sub get_digest_authorization_nonce {
    my ( $c, $key ) = @_;

    $c->_check_cache;
    $c->cache->get( $key );
}

sub store_digest_authorization_nonce {
    my ( $c, $key, $nonce ) = @_;

    $c->_check_cache;
    $c->cache->set( $key, $nonce );
}

package Catalyst::Plugin::Authentication::Credential::HTTP::Nonce;

use strict;
use base qw[ Class::Accessor::Fast ];
use Data::UUID ();

our $VERSION = "0.01";

__PACKAGE__->mk_accessors(qw[ nonce nonce_count qop opaque algorithm ]);

sub new {
    my $class = shift;
    my $self  = $class->SUPER::new(@_);

    $self->nonce( Data::UUID->new->create_b64 );
    $self->opaque( Data::UUID->new->create_b64 );
    $self->qop('auth,auth-int');
    $self->nonce_count('0x0');
    $self->algorithm('MD5');

    return $self;
}

1;

__END__

=pod

=head1 NAME

Catalyst::Plugin::Authentication::Credential::HTTP - HTTP Basic and Digest authentication
for Catalyst.

=head1 SYNOPSIS

    use Catalyst qw/
        Authentication
        Authentication::Store::Minimal
        Authentication::Credential::HTTP
    /;

    __PACKAGE__->config->{authentication}{http}{type} = 'any'; # or 'digest' or 'basic'
    __PACKAGE__->config->{authentication}{users} = {
        Mufasa => { password => "Circle Of Life", },
    };

    sub foo : Local {
        my ( $self, $c ) = @_;

        $c->authorization_required( realm => "foo" ); # named after the status code ;-)

        # either user gets authenticated or 401 is sent

        do_stuff();
    }

    # with ACL plugin
    __PACKAGE__->deny_access_unless("/path", sub { $_[0]->authenticate_http });

    sub end : Private {
        my ( $self, $c ) = @_;

        $c->authorization_required_response( realm => "foo" );
        $c->error(0);
    }

=head1 DESCRIPTION

This moduule lets you use HTTP authentication with
L<Catalyst::Plugin::Authentication>. Both basic and digest authentication
are currently supported.

When authentication is required, this module sets a status of 401, and
the body of the response to 'Authorization required.'. To override
this and set your own content, check for the C<< $c->res->status ==
401 >> in your C<end> action, and change the body accordingly.

=head2 TERMS

=over 4

=item Nonce

A nonce is a one-time value sent with each digest authentication
request header. The value must always be unique, so per default the
last value of the nonce is kept using L<Catalyst::Plugin::Cache>. To
change this behaviour, override the
C<store_digest_authorization_nonce> and
C<get_digest_authorization_nonce> methods as shown below.

=back

=head1 METHODS

=over 4

=item authorization_required %opts

Tries to C<authenticate_http>, and if that fails calls
C<authorization_required_response> and detaches the current action call stack.

This method just passes the options through untouched.

=item authenticate_http %opts

Looks inside C<< $c->request->headers >> and processes the digest and basic
(badly named) authorization header.

This will only try the methods set in the configuration. First digest, then basic.

See the next two methods for what %opts can contain.

=item authenticate_basic %opts

=item authenticate_digest %opts

Try to authenticate one of the methods without checking if the method is
allowed in the configuration.

%opts can contain C<store> (either an object or a name), C<user> (to disregard
%the username from the header altogether, overriding it with a username or user
%object).

=item authorization_required_response %opts

Sets C<< $c->response >> to the correct status code, and adds the correct
header to demand authentication data from the user agent.

Typically used by C<authorization_required>, but may be invoked manually.

%opts can contain C<realm>, C<domain> and C<algorithm>, which are used to build
%the digest header.

=item store_digest_authorization_nonce $key, $nonce

=item get_digest_authorization_nonce $key

Set or get the C<$nonce> object used by the digest auth mode.

You may override these methods. By default they will call C<get> and C<set> on
C<< $c->cache >>.

=back

=head1 CONFIGURATION

All configuration is stored in C<< YourApp->config->{authentication}{http} >>.

This should be a hash, and it can contain the following entries:

=over 4

=item store

Either a name or an object -- the default store to use for HTTP authentication.

=item type

Can be either C<any> (the default), C<basic> or C<digest>.

This controls C<authorization_required_response> and C<authenticate_http>, but
not the "manual" methods.

=item authorization_required_message

Set this to a string to override the default body content "Authorization required."

=back

=head1 RESTRICTIONS

When using digest authentication, this module will only work together
with authentication stores whose User objects have a C<password>
method that returns the plain-text password. It will not work together
with L<Catalyst::Authentication::Store::Htpasswd>, or
L<Catalyst::Plugin::Authentication::Store::DBIC> stores whose
C<password> methods return a hashed or salted version of the password.

=head1 AUTHORS

Yuval Kogman, C<nothingmuch@woobling.org>

Jess Robinson

Sascha Kiefer C<esskar@cpan.org>

=head1 SEE ALSO

RFC 2617 (or its successors), L<Catalyst::Plugin::Cache>, L<Catalyst::Plugin::Authentication>

=head1 COPYRIGHT & LICENSE

        Copyright (c) 2005-2006 the aforementioned authors. All rights
        reserved. This program is free software; you can redistribute
        it and/or modify it under the same terms as Perl itself.

=cut
Commit	Line	Data
a14203f8	1	#!/usr/bin/perl
a14203f8	2
a14203f8	3	package Catalyst::Plugin::Authentication::Credential::HTTP;
a14203f8	4	use base qw/Catalyst::Plugin::Authentication::Credential::Password/;
a14203f8	5
a14203f8	6	use strict;
a14203f8	7	use warnings;
a14203f8	8
a14203f8	9	use String::Escape ();
a14203f8	10	use URI::Escape ();
a14203f8	11	use Catalyst ();
a14203f8	12	use Digest::MD5 ();
a14203f8	13
2d4d6aac	14	our $VERSION = "0.08";
a14203f8	15
a14203f8	16	sub authenticate_http {
ac92fd52	17	my ( $c, @args ) = @_;
a14203f8	18
ac92fd52	19	return 1 if $c->_is_http_auth_type('digest') && $c->authenticate_digest(@args);
ac92fd52	20	return 1 if $c->_is_http_auth_type('basic') && $c->authenticate_basic(@args);
a14203f8	21	}
a14203f8	22
ac92fd52	23	sub get_http_auth_store {
ac92fd52	24	my ( $c, %opts ) = @_;
371a8cc8	25
	26	my $store = $opts{store} \|\| $c->config->{authentication}{http}{store} \|\| return;
	27
	28	return ref $store
	29	? $store
	30	: $c->get_auth_store($store);
ac92fd52	31	}
a14203f8	32
a14203f8	33	sub authenticate_basic {
ac92fd52	34	my ( $c, %opts ) = @_;
a14203f8	35
	36	$c->log->debug('Checking http basic authentication.') if $c->debug;
	37
a14203f8	38	my $headers = $c->req->headers;
a14203f8	39
ac92fd52	40	if ( my ( $username, $password ) = $headers->authorization_basic ) {
a14203f8	41
ac92fd52	42	my $user;
a14203f8	43
ac92fd52	44	unless ( $user = $opts{user} ) {
	45	if ( my $store = $c->get_http_auth_store(%opts) ) {
	46	$user = $store->get_user($username);
	47	} else {
	48	$user = $username;
	49	}
a14203f8	50	}
a14203f8	51
a14203f8	52	return $c->login( $user, $password );
a14203f8	53	}
a14203f8	54
a14203f8	55	return 0;
a14203f8	56	}
a14203f8	57
a14203f8	58	sub authenticate_digest {
ac92fd52	59	my ( $c, %opts ) = @_;
a14203f8	60
	61	$c->log->debug('Checking http digest authentication.') if $c->debug;
	62
a14203f8	63	my $headers = $c->req->headers;
a14203f8	64	my @authorization = $headers->header('Authorization');
a14203f8	65	foreach my $authorization (@authorization) {
a14203f8	66	next unless $authorization =~ m{^Digest};
a14203f8	67
a14203f8	68	my %res = map {
a14203f8	69	my @key_val = split /=/, $_, 2;
a14203f8	70	$key_val[0] = lc $key_val[0];
a14203f8	71	$key_val[1] =~ s{"}{}g; # remove the quotes
a14203f8	72	@key_val;
a14203f8	73	} split /,\s?/, substr( $authorization, 7 ); #7 == length "Digest "
a14203f8	74
a14203f8	75	my $opaque = $res{opaque};
371a8cc8	76	my $nonce = $c->get_digest_authorization_nonce( __PACKAGE__ . '::opaque:' . $opaque );
a14203f8	77	next unless $nonce;
a14203f8	78
a14203f8	79	$c->log->debug('Checking authentication parameters.')
a14203f8	80	if $c->debug;
a14203f8	81
a14203f8	82	my $uri = '/' . $c->request->path;
a14203f8	83	my $algorithm = $res{algorithm} \|\| 'MD5';
a14203f8	84	my $nonce_count = '0x' . $res{nc};
a14203f8	85
a14203f8	86	my $check = $uri eq $res{uri}
a14203f8	87	&& ( exists $res{username} )
a14203f8	88	&& ( exists $res{qop} )
a14203f8	89	&& ( exists $res{cnonce} )
a14203f8	90	&& ( exists $res{nc} )
a14203f8	91	&& $algorithm eq $nonce->algorithm
a14203f8	92	&& hex($nonce_count) > hex( $nonce->nonce_count )
a14203f8	93	&& $res{nonce} eq $nonce->nonce; # TODO: set Stale instead
a14203f8	94
a14203f8	95	unless ($check) {
a14203f8	96	$c->log->debug('Digest authentication failed. Bad request.')
a14203f8	97	if $c->debug;
a14203f8	98	$c->res->status(400); # bad request
a14203f8	99	die $Catalyst::DETACH;
a14203f8	100	}
a14203f8	101
a14203f8	102	$c->log->debug('Checking authentication response.')
a14203f8	103	if $c->debug;
a14203f8	104
a14203f8	105	my $username = $res{username};
a14203f8	106	my $realm = $res{realm};
a14203f8	107
a14203f8	108	my $user;
a14203f8	109
371a8cc8	110	unless ( $user = $opts{user} ) {
	111	if ( my $store = $c->get_http_auth_store(%opts) \|\| $c->default_auth_store ) {
	112	$user = $store->get_user($username);
	113	}
	114	}
a14203f8	115
a14203f8	116	unless ($user) { # no user, no authentication
a14203f8	117	$c->log->debug('Unknown user: $user.') if $c->debug;
a14203f8	118	return 0;
a14203f8	119	}
a14203f8	120
a14203f8	121	# everything looks good, let's check the response
a14203f8	122
a14203f8	123	# calculate H(A2) as per spec
a14203f8	124	my $ctx = Digest::MD5->new;
a14203f8	125	$ctx->add( join( ':', $c->request->method, $res{uri} ) );
a14203f8	126	if ( $res{qop} eq 'auth-int' ) {
a14203f8	127	my $digest =
a14203f8	128	Digest::MD5::md5_hex( $c->request->body ); # not sure here
a14203f8	129	$ctx->add( ':', $digest );
a14203f8	130	}
a14203f8	131	my $A2_digest = $ctx->hexdigest;
a14203f8	132
a14203f8	133	# the idea of the for loop:
a14203f8	134	# if we do not want to store the plain password in our user store,
a14203f8	135	# we can store md5_hex("$username:$realm:$password") instead
a14203f8	136	for my $r ( 0 .. 1 ) {
a14203f8	137
a14203f8	138	# calculate H(A1) as per spec
a14203f8	139	my $A1_digest = $r ? $user->password : do {
a14203f8	140	$ctx = Digest::MD5->new;
a14203f8	141	$ctx->add( join( ':', $username, $realm, $user->password ) );
a14203f8	142	$ctx->hexdigest;
a14203f8	143	};
a14203f8	144	if ( $nonce->algorithm eq 'MD5-sess' ) {
a14203f8	145	$ctx = Digest::MD5->new;
a14203f8	146	$ctx->add( join( ':', $A1_digest, $res{nonce}, $res{cnonce} ) );
a14203f8	147	$A1_digest = $ctx->hexdigest;
a14203f8	148	}
a14203f8	149
a14203f8	150	my $rq_digest = Digest::MD5::md5_hex(
a14203f8	151	join( ':',
a14203f8	152	$A1_digest, $res{nonce},
a14203f8	153	$res{qop} ? ( $res{nc}, $res{cnonce}, $res{qop} ) : (),
a14203f8	154	$A2_digest )
a14203f8	155	);
a14203f8	156
a14203f8	157	$nonce->nonce_count($nonce_count);
a14203f8	158	$c->cache->set( __PACKAGE__ . '::opaque:' . $nonce->opaque,
a14203f8	159	$nonce );
a14203f8	160
a14203f8	161	return $c->login( $user, $user->password )
a14203f8	162	if $rq_digest eq $res{response};
a14203f8	163	}
a14203f8	164	}
a14203f8	165
a14203f8	166	return 0;
a14203f8	167	}
a14203f8	168
a14203f8	169	sub _check_cache {
a14203f8	170	my $c = shift;
a14203f8	171
a14203f8	172	die "A cache is needed for http digest authentication."
a14203f8	173	unless $c->can('cache');
a14203f8	174	}
a14203f8	175
ac92fd52	176	sub _is_http_auth_type {
a14203f8	177	my ( $c, $type ) = @_;
a14203f8	178
a14203f8	179	my $cfgtype = lc( $c->config->{authentication}{http}{type} \|\| 'any' );
a14203f8	180	return 1 if $cfgtype eq 'any' \|\| $cfgtype eq lc $type;
a14203f8	181	return 0;
a14203f8	182	}
a14203f8	183
a14203f8	184	sub authorization_required {
ac92fd52	185	my ( $c, @args ) = @_;
a14203f8	186
ac92fd52	187	return 1 if $c->authenticate_http(@args);
	188
	189	$c->authorization_required_response(@args);
a14203f8	190
a14203f8	191	die $Catalyst::DETACH;
a14203f8	192	}
a14203f8	193
a14203f8	194	sub authorization_required_response {
a14203f8	195	my ( $c, %opts ) = @_;
a14203f8	196
a14203f8	197	$c->res->status(401);
c7b3e379	198	$c->res->content_type('text/plain');
	199	$c->res->body($c->config->{authentication}{http}{authorization_required_message} \|\|
	200	$opts{authorization_required_message} \|\|
	201	'Authorization required.');
a14203f8	202
ac92fd52	203	# DONT short circuit
	204	my $ok;
	205	$ok++ if $c->_create_digest_auth_response(\%opts);
	206	$ok++ if $c->_create_basic_auth_response(\%opts);
a14203f8	207
ac92fd52	208	unless ( $ok ) {
	209	die 'Could not build authorization required response. '
	210	. 'Did you configure a valid authentication http type: '
	211	. 'basic, digest, any';
	212	}
a14203f8	213	}
a14203f8	214
ac92fd52	215	sub _add_authentication_header {
	216	my ( $c, $header ) = @_;
	217	$c->res->headers->push_header( 'WWW-Authenticate' => $header );
	218	}
a14203f8	219
ac92fd52	220	sub _create_digest_auth_response {
	221	my ( $c, $opts ) = @_;
	222
	223	return unless $c->_is_http_auth_type('digest');
	224
	225	if ( my $digest = $c->_build_digest_auth_header( $opts ) ) {
	226	$c->_add_authentication_header( $digest );
	227	return 1;
	228	}
a14203f8	229
ac92fd52	230	return;
ac92fd52	231	}
a14203f8	232
ac92fd52	233	sub _create_basic_auth_response {
	234	my ( $c, $opts ) = @_;
	235
	236	return unless $c->_is_http_auth_type('basic');
a14203f8	237
ac92fd52	238	if ( my $basic = $c->_build_basic_auth_header( $opts ) ) {
	239	$c->_add_authentication_header( $basic );
	240	return 1;
	241	}
a14203f8	242
ac92fd52	243	return;
ac92fd52	244	}
a14203f8	245
ac92fd52	246	sub _build_auth_header_realm {
ac92fd52	247	my ( $c, $opts ) = @_;
a14203f8	248
a14203f8	249	if ( my $realm = $opts->{realm} ) {
ac92fd52	250	return 'realm=' . String::Escape::qprintable($realm);
	251	} else {
	252	return;
a14203f8	253	}
ac92fd52	254	}
a14203f8	255
ac92fd52	256	sub _build_auth_header_domain {
ac92fd52	257	my ( $c, $opts ) = @_;
a14203f8	258
a14203f8	259	if ( my $domain = $opts->{domain} ) {
18eacbdd	260	Catalyst::Exception->throw("domain must be an array reference")
a14203f8	261	unless ref($domain) && ref($domain) eq "ARRAY";
a14203f8	262
a14203f8	263	my @uris =
a14203f8	264	$c->config->{authentication}{http}{use_uri_for}
a14203f8	265	? ( map { $c->uri_for($_) } @$domain )
a14203f8	266	: ( map { URI::Escape::uri_escape($_) } @$domain );
a14203f8	267
ac92fd52	268	return qq{domain="@uris"};
	269	} else {
	270	return;
a14203f8	271	}
ac92fd52	272	}
a14203f8	273
ac92fd52	274	sub _build_auth_header_common {
ac92fd52	275	my ( $c, $opts ) = @_;
a14203f8	276
ac92fd52	277	return (
	278	$c->_build_auth_header_realm($opts),
	279	$c->_build_auth_header_domain($opts),
	280	);
	281	}
a14203f8	282
ac92fd52	283	sub _build_basic_auth_header {
ac92fd52	284	my ( $c, $opts ) = @_;
18eacbdd	285	return $c->_join_auth_header_parts( Basic => $c->_build_auth_header_common( $opts ) );
ac92fd52	286	}
a14203f8	287
ac92fd52	288	sub _build_digest_auth_header {
ac92fd52	289	my ( $c, $opts ) = @_;
a14203f8	290
ac92fd52	291	my $nonce = $c->_digest_auth_nonce($opts);
a14203f8	292
ac92fd52	293	my $key = __PACKAGE__ . '::opaque:' . $nonce->opaque;
ac92fd52	294
371a8cc8	295	$c->store_digest_authorization_nonce( $key, $nonce );
a14203f8	296
ac92fd52	297	return $c->_join_auth_header_parts( Digest =>
	298	$c->_build_auth_header_common($opts),
	299	map { sprintf '%s="%s"', $_, $nonce->$_ } qw(
	300	qop
	301	nonce
	302	opaque
	303	algorithm
	304	),
	305	);
	306	}
a14203f8	307
ac92fd52	308	sub _digest_auth_nonce {
ac92fd52	309	my ( $c, $opts ) = @_;
a14203f8	310
ac92fd52	311	my $package = __PACKAGE__ . '::Nonce';
a14203f8	312
ac92fd52	313	my $nonce = $package->new;
a14203f8	314
371a8cc8	315	if ( my $algorithm = $opts->{algorithm} \|\| $c->config->{authentication}{http}{algorithm}) {
	316	$nonce->algorithm( $algorithm );
	317	}
a14203f8	318
ac92fd52	319	return $nonce;
ac92fd52	320	}
a14203f8	321
ac92fd52	322	sub _join_auth_header_parts {
	323	my ( $c, $type, @parts ) = @_;
	324	return "$type " . join(", ", @parts );
	325	}
a14203f8	326
371a8cc8	327	sub get_digest_authorization_nonce {
ac92fd52	328	my ( $c, $key ) = @_;
a14203f8	329
ac92fd52	330	$c->_check_cache;
ac92fd52	331	$c->cache->get( $key );
a14203f8	332	}
a14203f8	333
371a8cc8	334	sub store_digest_authorization_nonce {
ac92fd52	335	my ( $c, $key, $nonce ) = @_;
a14203f8	336
ac92fd52	337	$c->_check_cache;
	338	$c->cache->set( $key, $nonce );
	339	}
a14203f8	340
	341	package Catalyst::Plugin::Authentication::Credential::HTTP::Nonce;
	342
a14203f8	343	use strict;
a14203f8	344	use base qw[ Class::Accessor::Fast ];
a14203f8	345	use Data::UUID ();
a14203f8	346
a14203f8	347	our $VERSION = "0.01";
a14203f8	348
a14203f8	349	__PACKAGE__->mk_accessors(qw[ nonce nonce_count qop opaque algorithm ]);
a14203f8	350
a14203f8	351	sub new {
a14203f8	352	my $class = shift;
a14203f8	353	my $self = $class->SUPER::new(@_);
a14203f8	354
a14203f8	355	$self->nonce( Data::UUID->new->create_b64 );
a14203f8	356	$self->opaque( Data::UUID->new->create_b64 );
a14203f8	357	$self->qop('auth,auth-int');
a14203f8	358	$self->nonce_count('0x0');
a14203f8	359	$self->algorithm('MD5');
a14203f8	360
a14203f8	361	return $self;
a14203f8	362	}
a14203f8	363
a14203f8	364	1;
a14203f8	365
a14203f8	366	__END__
a14203f8	367
a14203f8	368	=pod
a14203f8	369
a14203f8	370	=head1 NAME
a14203f8	371
a14203f8	372	Catalyst::Plugin::Authentication::Credential::HTTP - HTTP Basic and Digest authentication
53306b93	373	for Catalyst.
a14203f8	374
a14203f8	375	=head1 SYNOPSIS
a14203f8	376
a14203f8	377	use Catalyst qw/
a14203f8	378	Authentication
c7b3e379	379	Authentication::Store::Minimal
a14203f8	380	Authentication::Credential::HTTP
a14203f8	381	/;
a14203f8	382
3bb378d2	383	__PACKAGE__->config->{authentication}{http}{type} = 'any'; # or 'digest' or 'basic'
	384	__PACKAGE__->config->{authentication}{users} = {
	385	Mufasa => { password => "Circle Of Life", },
a14203f8	386	};
a14203f8	387
a14203f8	388	sub foo : Local {
a14203f8	389	my ( $self, $c ) = @_;
a14203f8	390
a14203f8	391	$c->authorization_required( realm => "foo" ); # named after the status code ;-)
a14203f8	392
a14203f8	393	# either user gets authenticated or 401 is sent
a14203f8	394
a14203f8	395	do_stuff();
a14203f8	396	}
a14203f8	397
a14203f8	398	# with ACL plugin
a14203f8	399	__PACKAGE__->deny_access_unless("/path", sub { $_[0]->authenticate_http });
a14203f8	400
a14203f8	401	sub end : Private {
a14203f8	402	my ( $self, $c ) = @_;
a14203f8	403
a14203f8	404	$c->authorization_required_response( realm => "foo" );
a14203f8	405	$c->error(0);
a14203f8	406	}
a14203f8	407
a14203f8	408	=head1 DESCRIPTION
a14203f8	409
a14203f8	410	This moduule lets you use HTTP authentication with
a14203f8	411	L<Catalyst::Plugin::Authentication>. Both basic and digest authentication
a14203f8	412	are currently supported.
a14203f8	413
c7b3e379	414	When authentication is required, this module sets a status of 401, and
	415	the body of the response to 'Authorization required.'. To override
	416	this and set your own content, check for the C<< $c->res->status ==
	417	401 >> in your C<end> action, and change the body accordingly.
	418
	419	=head2 TERMS
	420
	421	=over 4
	422
	423	=item Nonce
	424
	425	A nonce is a one-time value sent with each digest authentication
	426	request header. The value must always be unique, so per default the
	427	last value of the nonce is kept using L<Catalyst::Plugin::Cache>. To
	428	change this behaviour, override the
	429	C<store_digest_authorization_nonce> and
	430	C<get_digest_authorization_nonce> methods as shown below.
	431
	432	=back
	433
a14203f8	434	=head1 METHODS
a14203f8	435
a14203f8	436	=over 4
a14203f8	437
371a8cc8	438	=item authorization_required %opts
a14203f8	439
a14203f8	440	Tries to C<authenticate_http>, and if that fails calls
a14203f8	441	C<authorization_required_response> and detaches the current action call stack.
a14203f8	442
371a8cc8	443	This method just passes the options through untouched.
	444
	445	=item authenticate_http %opts
a14203f8	446
a14203f8	447	Looks inside C<< $c->request->headers >> and processes the digest and basic
a14203f8	448	(badly named) authorization header.
a14203f8	449
c7b3e379	450	This will only try the methods set in the configuration. First digest, then basic.
371a8cc8	451
	452	See the next two methods for what %opts can contain.
	453
	454	=item authenticate_basic %opts
	455
	456	=item authenticate_digest %opts
	457
	458	Try to authenticate one of the methods without checking if the method is
	459	allowed in the configuration.
	460
	461	%opts can contain C<store> (either an object or a name), C<user> (to disregard
	462	%the username from the header altogether, overriding it with a username or user
	463	%object).
	464
	465	=item authorization_required_response %opts
a14203f8	466
a14203f8	467	Sets C<< $c->response >> to the correct status code, and adds the correct
a14203f8	468	header to demand authentication data from the user agent.
a14203f8	469
371a8cc8	470	Typically used by C<authorization_required>, but may be invoked manually.
	471
	472	%opts can contain C<realm>, C<domain> and C<algorithm>, which are used to build
	473	%the digest header.
	474
	475	=item store_digest_authorization_nonce $key, $nonce
	476
	477	=item get_digest_authorization_nonce $key
	478
	479	Set or get the C<$nonce> object used by the digest auth mode.
	480
	481	You may override these methods. By default they will call C<get> and C<set> on
	482	C<< $c->cache >>.
	483
	484	=back
	485
	486	=head1 CONFIGURATION
	487
	488	All configuration is stored in C<< YourApp->config->{authentication}{http} >>.
	489
	490	This should be a hash, and it can contain the following entries:
	491
	492	=over 4
	493
	494	=item store
	495
	496	Either a name or an object -- the default store to use for HTTP authentication.
	497
	498	=item type
	499
	500	Can be either C<any> (the default), C<basic> or C<digest>.
	501
	502	This controls C<authorization_required_response> and C<authenticate_http>, but
	503	not the "manual" methods.
	504
c7b3e379	505	=item authorization_required_message
	506
	507	Set this to a string to override the default body content "Authorization required."
	508
a14203f8	509	=back
a14203f8	510
c7b3e379	511	=head1 RESTRICTIONS
	512
	513	When using digest authentication, this module will only work together
	514	with authentication stores whose User objects have a C<password>
	515	method that returns the plain-text password. It will not work together
	516	with L<Catalyst::Authentication::Store::Htpasswd>, or
	517	L<Catalyst::Plugin::Authentication::Store::DBIC> stores whose
	518	C<password> methods return a hashed or salted version of the password.
	519
a14203f8	520	=head1 AUTHORS
a14203f8	521
a14203f8	522	Yuval Kogman, C<nothingmuch@woobling.org>
a14203f8	523
a14203f8	524	Jess Robinson
a14203f8	525
a14203f8	526	Sascha Kiefer C<esskar@cpan.org>
a14203f8	527
c7b3e379	528	=head1 SEE ALSO
	529
	530	RFC 2617 (or its successors), L<Catalyst::Plugin::Cache>, L<Catalyst::Plugin::Authentication>
	531
a14203f8	532	=head1 COPYRIGHT & LICENSE
a14203f8	533
a14203f8	534	Copyright (c) 2005-2006 the aforementioned authors. All rights
a14203f8	535	reserved. This program is free software; you can redistribute
a14203f8	536	it and/or modify it under the same terms as Perl itself.
a14203f8	537
a14203f8	538	=cut