use Authen::Passphrase::BlowfishCrypt;
use Bytes::Random::Secure qw/random_bytes/;
use DBI;
-use Digest::SHA qw/hmac_sha1_base64/;
+use Digest::SHA qw/hmac_sha1_base64 sha256/;
use Email::Simple;
use Email::Sender::Simple qw/sendmail/;
use MIME::Base64 qw/decode_base64/;
use Plack::Request;
+use Tie::Hash::Expire;
sub default_opts {(
dbi_connect => ['dbi:Pg:', '', ''],
insert_user => 'INSERT INTO users (id, passphrase, email) VALUES (?,?,?)',
mail_subject => 'Password reset token',
realm => 'restricted area',
+ cache_fail => 0,
+ cache_max_age => 5 * 60,
token_max_age => 60 * 60 * 24,
username_regex => qr/^\w{2,20}$/a,
register_url => '/action/register',
$self->{update_sth} = $self->{dbh}->prepare($self->{update_pass}) or die $self->{dbh}->errstr;
}
+sub create_user {
+ my ($self, $parms) = @_;
+ my %parms = $parms->flatten;
+ $self->{insert_sth}->execute($parms{username}, $self->hash_passphrase($parms{password}), $parms{email})
+}
+
sub get_user {
my ($self, $user) = @_;
$self->{select_sth}->execute($user) or die $self->{sth}->errstr;
sub check_passphrase {
my ($self, $username, $passphrase) = @_;
+ unless ($self->{cache}) {
+ tie my %cache, 'Tie::Hash::Expire', {expire_seconds => $self->{cache_max_age}};
+ $self->{cache} = \%cache;
+ }
+ my $cachekey = sha256 "$username:$passphrase";
+ return $self->{cache}{$cachekey} if exists $self->{cache}{$cachekey};
my $user = $self->get_user($username);
return 0 unless $user;
- Authen::Passphrase->from_rfc2307($user->{passphrase})->match($passphrase)
+ my $ret = Authen::Passphrase->from_rfc2307($user->{passphrase})->match($passphrase);
+ $self->{cache}{$cachekey} = $ret if $ret || $self->{cache_fail};
+ $ret
}
sub hash_passphrase {
header => [
From => $self->{mail_from},
To => $user->{email},
- Subject => $user->{mail_subject},
+ Subject => $self->{mail_subject},
],
body => $self->mail_body($username, $token),
));
return $self->bad_request('Username must match ' . $self->{username_regex}) unless $parms{username} =~ /$self->{username_regex}/;
return $self->bad_request('Username already in use') if $self->get_user($parms{username});
return $self->bad_request('The two passwords do not match') unless $parms{password} eq $parms{confirm_password};
- $self->{insert_sth}->execute($parms{username}, $self->hash_passphrase($parms{password}), $parms{email});
+
+ $self->create_user($req->parameters);
return $self->reply('Registered successfully')
}
Authentication realm. Defaults to C<'restricted area'>.
+=item cache_fail
+
+If true, all authentication results are cached. If false, only
+successful logins are cached. Defaults to false.
+
+=item cache_max_age
+
+Authentication cache timeout, in seconds. Authentication results are
+cached for this number of seconds to avoid expensive hashing. Defaults
+to 5 minutes.
+
=item token_max_age
Password reset token validity, in seconds. Defaults to 24 hours.
connects to the database, calls C<post_connect_cb> and prepares the
SQL statements.
+=item B<create_user>(I<$parms>)
+
+Inserts a new user into the database. I<$parms> is a
+L<Hash::MultiValue> object containing the request parameters.
+
=item B<get_user>(I<$username>)
Returns a hashref with (at least) the following keys: passphrase (the