X-Git-Url: http://git.ieval.ro/?a=blobdiff_plain;f=lib%2FPlack%2FMiddleware%2FAuth%2FComplex.pm;h=55fc5ee1861579b4af2e2a6de06fc8ee5f50be2c;hb=4c1b8033b07680fc1ee1cdd4f515ca89545b22c4;hp=920810c2ffb392407b6d1975b12575c99310ecba;hpb=388ed2817a2e23c00f50d3d74d71c96c3d466a5a;p=plack-middleware-auth-complex.git

diff --git a/lib/Plack/Middleware/Auth/Complex.pm b/lib/Plack/Middleware/Auth/Complex.pm
index 920810c..55fc5ee 100644
--- a/lib/Plack/Middleware/Auth/Complex.pm
+++ b/lib/Plack/Middleware/Auth/Complex.pm
@@ -13,11 +13,12 @@ use Authen::Passphrase;
 use Authen::Passphrase::BlowfishCrypt;
 use Bytes::Random::Secure qw/random_bytes/;
 use DBI;
-use Digest::SHA qw/hmac_sha1_base64/;
+use Digest::SHA qw/hmac_sha1_base64 sha256/;
 use Email::Simple;
 use Email::Sender::Simple qw/sendmail/;
 use MIME::Base64 qw/decode_base64/;
 use Plack::Request;
+use Tie::Hash::Expire;
 
 sub default_opts {(
 	dbi_connect       => ['dbi:Pg:', '', ''],
@@ -26,6 +27,8 @@ sub default_opts {(
 	insert_user       => 'INSERT INTO users (id, passphrase, email) VALUES (?,?,?)',
 	mail_subject      => 'Password reset token',
 	realm             => 'restricted area',
+	cache_fail        => 0,
+	cache_max_age     => 5 * 60,
 	token_max_age     => 60 * 60 * 24,
 	username_regex    => qr/^\w{2,20}$/a,
 	register_url      => '/action/register',
@@ -60,9 +63,17 @@ sub get_user {
 
 sub check_passphrase {
 	my ($self, $username, $passphrase) = @_;
+	unless ($self->{cache}) {
+		tie my %cache, 'Tie::Hash::Expire', {expire_seconds => $self->{cache_max_age}};
+		$self->{cache} = \%cache;
+	}
+	my $cachekey = sha256 "$username:$passphrase";
+	return $self->{cache}{$cachekey} if exists $self->{cache}{$cachekey};
 	my $user = $self->get_user($username);
 	return 0 unless $user;
-	Authen::Passphrase->from_rfc2307($user->{passphrase})->match($passphrase)
+	my $ret = Authen::Passphrase->from_rfc2307($user->{passphrase})->match($passphrase);
+	$self->{cache}{$cachekey} = $ret if $ret || $self->{cache_fail};
+	$ret
 }
 
 sub hash_passphrase {
@@ -348,6 +359,17 @@ C<'Password reset token'>.
 
 Authentication realm. Defaults to C<'restricted area'>.
 
+=item cache_fail
+
+If true, all authentication results are cached. If false, only
+successful logins are cached. Defaults to false.
+
+=item cache_max_age
+
+Authentication cache timeout, in seconds. Authentication results are
+cached for this number of seconds to avoid expensive hashing. Defaults
+to 5 minutes.
+
 =item token_max_age
 
 Password reset token validity, in seconds. Defaults to 24 hours.