X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits%2FCatalyst-Manual.git;a=blobdiff_plain;f=lib%2FCatalyst%2FManual%2FTutorial%2F05_Authentication.pod;h=ec3a748f58617084f29dd7a4052767fbb3ecfb0a;hp=6c41ec7dba0df558fa9c2e47377e83770c26c821;hb=ab0bd0bb5e2a7d8d3e355ca3524a61c3d4c59fd6;hpb=3ab6187c1a123983b6ae29e57f543328ce15755c diff --git a/lib/Catalyst/Manual/Tutorial/05_Authentication.pod b/lib/Catalyst/Manual/Tutorial/05_Authentication.pod index 6c41ec7..ec3a748 100644 --- a/lib/Catalyst/Manual/Tutorial/05_Authentication.pod +++ b/lib/Catalyst/Manual/Tutorial/05_Authentication.pod @@ -119,6 +119,7 @@ Then load this into the C database with the following command: $ sqlite3 myapp.db < myapp02.sql + =head2 Add User and Role Information to DBIC Schema Although we could manually edit the DBIC schema information to include @@ -159,7 +160,7 @@ C: # 1) Name of relationship, DBIC will create accessor with this name # 2) Name of the model class referenced by this relationship # 3) Column name in *foreign* table (aka, foreign key in peer table) - __PACKAGE__->has_many(map_user_role => 'MyApp::Schema::Result::UserRole', 'user_id'); + __PACKAGE__->has_many(map_user_roles => 'MyApp::Schema::Result::UserRole', 'user_id'); # many_to_many(): # args: @@ -167,7 +168,7 @@ C: # 2) Name of has_many() relationship this many_to_many() is shortcut for # 3) Name of belongs_to() relationship in model class of has_many() above # You must already have the has_many() defined to use a many_to_many(). - __PACKAGE__->many_to_many(roles => 'map_user_role', 'role'); + __PACKAGE__->many_to_many(roles => 'map_user_roles', 'role'); C: @@ -181,7 +182,7 @@ C: # 1) Name of relationship, DBIC will create accessor with this name # 2) Name of the model class referenced by this relationship # 3) Column name in *foreign* table (aka, foreign key in peer table) - __PACKAGE__->has_many(map_user_role => 'MyApp::Schema::Result::UserRole', 'role_id'); + __PACKAGE__->has_many(map_user_roles => 'MyApp::Schema::Result::UserRole', 'role_id'); C: @@ -253,7 +254,8 @@ Edit C and update it as follows (everything below C is new): # Load plugins - use Catalyst qw/-Debug + use Catalyst qw/ + -Debug ConfigLoader Static::Simple @@ -267,8 +269,9 @@ C is new): /; B As discussed in MoreCatalystBasics, different versions of -C have used a variety of methods to load the plugins. -You can put the plugins in the C statement if you prefer. +C have used a variety of methods to load the plugins, +but we are going to use the current Catalyst 5.8X practice of putting +them on the C line. The C plugin supports Authentication while the C plugins are required to maintain state across multiple HTTP @@ -333,9 +336,8 @@ for the tutorial, but if you wish to use C, just convert to the following code: - use_session 1 - password_type self_check + password_type clear user_model DB::User class SimpleDB @@ -386,8 +388,8 @@ and update the definition of C to match: my ($self, $c) = @_; # Get the username and password from form - my $username = $c->request->params->{username} || ""; - my $password = $c->request->params->{password} || ""; + my $username = $c->request->params->{username}; + my $password = $c->request->params->{password}; # If the username and password values were found in form if ($username && $password) { @@ -402,6 +404,9 @@ and update the definition of C to match: # Set an error message $c->stash->{error_msg} = "Bad username or password."; } + } else { + # Set an error message + $c->stash->{error_msg} = "Empty username or password."; } # If either of above don't work out, send to the login page @@ -488,9 +493,8 @@ Create a login form by opening C and inserting: We need something that provides enforcement for the authentication mechanism -- a I mechanism that prevents users who have not passed authentication from reaching any pages except the login page. -This is generally done via an C action/method (prior to Catalyst -v5.66, this sort of thing would go in C, but starting in -v5.66, the preferred location is C). +This is generally done via an C action/method in +C. Edit the existing C class file and insert the following method: @@ -649,16 +653,6 @@ between the browser and your application, consider using SSL/TLS, made easy with the Catalyst plugin Catalyst::Plugin:RequireSSL. -=head2 Install DBIx::Class::EncodedColumn - -L provides features -that can greatly simplify the maintenance of passwords. It's currently -not available as a .deb package in the normal Debian repositories, so let's -install it directly from CPAN: - - $ sudo cpan DBIx::Class::EncodedColumn - - =head2 Re-Run the DBIC::Schema Model Helper to Include DBIx::Class::EncodedColumn Next, we can re-run the model helper to have it include @@ -745,12 +739,24 @@ password stored for this user. Then run the following command: - $ perl -Ilib set_hashed_passwords.pl + $ DBIC_TRACE=1 perl -Ilib set_hashed_passwords.pl -We had to use the C<-Ilib> arguement to tell perl to look under the +We had to use the C<-Ilib> argument to tell perl to look under the C directory for our C model. -Then dump the users table to verify that it worked: +The DBIC_TRACE output should show that the update worked: + + $ DBIC_TRACE=1 perl -Ilib set_hashed_passwords.pl + SELECT me.id, me.username, me.password, me.email_address, + me.first_name, me.last_name, me.active FROM user me: + UPDATE user SET password = ? WHERE ( id = ? ): + 'oXiyAcGOjowz7ISUhpIm1IrS8AxSZ9r4jNjpX9VnVeQmN6GRtRKTz', '1' + UPDATE user SET password = ? WHERE ( id = ? ): + 'PmyEPrkB8EGwvaF/DvJm7LIfxoZARjv8ygFIR7pc1gEA1OfwHGNzs', '2' + UPDATE user SET password = ? WHERE ( id = ? ): + 'h7CS1Fm9UCs4hjcbu2im0HumaHCJUq4Uriac+SQgdUMUfFSoOrz3c', '3' + +But we can further confirm our actions by dumping the users table: $ sqlite3 myapp.db "select * from user" 1|test01|38d3974fa9e9263099f7bc2574284b2f55473a9bM=fwpX2NR8|t01@na.com|Joe|Blow|1 @@ -758,15 +764,17 @@ Then dump the users table to verify that it worked: 3|test03|af929a151340c6aed4d54d7e2651795d1ad2e2f7UW8dHoGv9z|t03@na.com|No|Go|0 As you can see, the passwords are much harder to steal from the -database. Also note that this demonstrates how to use a DBIx::Class +database (not only are the hashes stored, but every hash is different +even though the passwords are the same because of the added "salt" +value). Also note that this demonstrates how to use a DBIx::Class model outside of your web application -- a very useful feature in many situations. =head2 Enable Hashed and Salted Passwords -Edit C and update it to match the following text (the only change -is to the C field): +Edit C and update it to match the following text (the +only change is to the C field): # Configure SimpleDB Authentication __PACKAGE__->config->{'Plugin::Authentication'} = { @@ -844,9 +852,9 @@ flash vs. the C query parameter: ... Although the sample above only shows the C div, leave the -rest of the file intact -- the only change we made to the C -was to add "C<|| c.request.params.status_msg>" to the -Cspan class="message"E> line. +rest of the file intact -- the only change we made to replace +"|| c.request.params.status_msg" with "c.flash.status_msg" in the +C<< >> line. =head2 Try Out Flash @@ -879,7 +887,7 @@ C<__PACKAGE__-Econfig> setting to something like: __PACKAGE__->config( name => 'MyApp', - session => {flash_to_stash => 1} + session => {flash_to_stash => 1}, ); B add the following to C: @@ -910,7 +918,7 @@ Kennedy Clark, C Please report any errors, issues or suggestions to the author. The most recent version of the Catalyst Tutorial can be found at -L. +L. Copyright 2006-2008, Kennedy Clark, under Creative Commons License (L).