X-Git-Url: http://git.ieval.ro/?a=blobdiff_plain;f=lib%2FPlack%2FMiddleware%2FAuth%2FComplex.pm;h=59d9bc3b8df46972f6fb2d59c5afc081e09fc880;hb=61456017abf30a3c00c25b53ac7ca4c8c90741eb;hp=ac70da693554a5aec710f194b3e386ba93fcf874;hpb=d332726d5726e639bc597493c3db9e79fe5a0174;p=plack-middleware-auth-complex.git diff --git a/lib/Plack/Middleware/Auth/Complex.pm b/lib/Plack/Middleware/Auth/Complex.pm index ac70da6..59d9bc3 100644 --- a/lib/Plack/Middleware/Auth/Complex.pm +++ b/lib/Plack/Middleware/Auth/Complex.pm @@ -4,15 +4,17 @@ use 5.014000; use strict; use warnings; -our $VERSION = '0.001'; +our $VERSION = '0.002'; use parent qw/Plack::Middleware/; use re '/s'; use Authen::Passphrase; use Authen::Passphrase::BlowfishCrypt; -use Bytes::Random::Secure qw/random_bytes/; -use Carp qw/croak/; +use Data::Entropy qw/entropy_source/; +use Data::Entropy::Source; +use Data::Entropy::RawSource::Local; +use Carp qw/carp croak/; use DBI; use Digest::SHA qw/hmac_sha1_base64 sha256/; use Email::Simple; @@ -21,6 +23,18 @@ use MIME::Base64 qw/decode_base64/; use Plack::Request; use Tie::Hash::Expire; +sub make_entropy_source { + if (-e '/dev/urandom') { + Data::Entropy::Source->new( + Data::Entropy::RawSource::Local->new('/dev/urandom'), + 'sysread' + ) + } else { + carp "/dev/urandom not found, using insecure random source\n"; + entropy_source + } +} + sub default_opts {( dbi_connect => ['dbi:Pg:', '', ''], select_user => 'SELECT passphrase, email FROM users WHERE id = ?', @@ -32,6 +46,7 @@ sub default_opts {( cache_max_age => 5 * 60, token_max_age => 60 * 60, username_regex => qr/^\w{2,20}$/as, + invalid_username => 'Invalid username', register_url => '/action/register', passwd_url => '/action/passwd', request_reset_url => '/action/request-reset', @@ -42,6 +57,7 @@ sub new { my ($class, $opts) = @_; my %self = $class->default_opts; %self = (%self, %$opts); + $self{entropy_source} //= make_entropy_source; my $self = bless \%self, $class; $self } @@ -99,7 +115,7 @@ sub set_passphrase { sub make_reset_hmac { my ($self, $username, @data) = @_; - $self->{hmackey} //= random_bytes 512; # uncoverable condition false + $self->{hmackey} //= $self->{entropy_source}->get_bits(8 * 512); # uncoverable condition false my $user = $self->get_user($username); my $message = join ' ', $username, $user->{passphrase}, @data; hmac_sha1_base64 $message, $self->{hmackey}; @@ -176,7 +192,7 @@ sub call_register { return $self->bad_request("Missing parameter $_") unless $parms{$_}; } - return $self->bad_request('Username must match ' . $self->{username_regex}) unless $parms{username} =~ $self->{username_regex}; + return $self->bad_request($self->{invalid_username}) unless $parms{username} =~ $self->{username_regex}; return $self->bad_request('Username already in use') if $self->get_user($parms{username}); return $self->bad_request('The two passwords do not match') unless $parms{password} eq $parms{confirm_password}; @@ -331,6 +347,14 @@ This URL performs a password reset. Arrayref of arguments to pass to DBI->connect. Defaults to C<['dbi:Pg', '', '']>. +=item entropy_source + +C object to get random numbers from. By default +uses F via C if +possible, or the default entropy source otherwise. A warning is +printed if the default entropy source is used, to supress it set this +argument to the default entropy source. + =item post_connect_cb Callback (coderef) that is called just after connecting to the @@ -391,6 +415,11 @@ Password reset token validity, in seconds. Defaults to 1 hour. Regular expression that matches valid usernames. Defaults to C. +=item invalid_username + +Error message returned when the username does not match +username_regex. Defaults to C<'Invalid username'> + =item register_url URL for registering. Defaults to C<'/action/register'>. @@ -513,7 +542,7 @@ Marius Gavrilescu, Emarius@ieval.roE =head1 COPYRIGHT AND LICENSE -Copyright (C) 2015 by Marius Gavrilescu +Copyright (C) 2015-2017 by Marius Gavrilescu This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself, either Perl version 5.20.1 or,