X-Git-Url: http://git.ieval.ro/?a=blobdiff_plain;f=lib%2FPlack%2FMiddleware%2FAuth%2FComplex.pm;h=fe545482597db1e9ed2c1f1e8737b61842c69550;hb=9d9f40679564ebf365c9e4eaa47c0d2a550b16b4;hp=920810c2ffb392407b6d1975b12575c99310ecba;hpb=388ed2817a2e23c00f50d3d74d71c96c3d466a5a;p=plack-middleware-auth-complex.git diff --git a/lib/Plack/Middleware/Auth/Complex.pm b/lib/Plack/Middleware/Auth/Complex.pm index 920810c..fe54548 100644 --- a/lib/Plack/Middleware/Auth/Complex.pm +++ b/lib/Plack/Middleware/Auth/Complex.pm @@ -13,11 +13,12 @@ use Authen::Passphrase; use Authen::Passphrase::BlowfishCrypt; use Bytes::Random::Secure qw/random_bytes/; use DBI; -use Digest::SHA qw/hmac_sha1_base64/; +use Digest::SHA qw/hmac_sha1_base64 sha256/; use Email::Simple; use Email::Sender::Simple qw/sendmail/; use MIME::Base64 qw/decode_base64/; use Plack::Request; +use Tie::Hash::Expire; sub default_opts {( dbi_connect => ['dbi:Pg:', '', ''], @@ -26,7 +27,9 @@ sub default_opts {( insert_user => 'INSERT INTO users (id, passphrase, email) VALUES (?,?,?)', mail_subject => 'Password reset token', realm => 'restricted area', - token_max_age => 60 * 60 * 24, + cache_fail => 0, + cache_max_age => 5 * 60, + token_max_age => 60 * 60, username_regex => qr/^\w{2,20}$/a, register_url => '/action/register', passwd_url => '/action/passwd', @@ -46,12 +49,18 @@ sub new { sub init { my ($self) = @_; $self->{dbh} = DBI->connect(@{$self->{dbi_connect}}) or die $DBI::errstr; - $self->{post_connect_cb}->($self) if $self->{post_connect_cb}; + $self->{post_connect_cb}->($self) if $self->{post_connect_cb}; # uncoverable branch false $self->{insert_sth} = $self->{dbh}->prepare($self->{insert_user}) or die $self->{dbh}->errstr; $self->{select_sth} = $self->{dbh}->prepare($self->{select_user}) or die $self->{dbh}->errstr; $self->{update_sth} = $self->{dbh}->prepare($self->{update_pass}) or die $self->{dbh}->errstr; } +sub create_user { + my ($self, $parms) = @_; + my %parms = $parms->flatten; + $self->{insert_sth}->execute($parms{username}, $self->hash_passphrase($parms{password}), $parms{email}) +} + sub get_user { my ($self, $user) = @_; $self->{select_sth}->execute($user) or die $self->{sth}->errstr; @@ -60,9 +69,17 @@ sub get_user { sub check_passphrase { my ($self, $username, $passphrase) = @_; + unless ($self->{cache}) { + tie my %cache, 'Tie::Hash::Expire', {expire_seconds => $self->{cache_max_age}}; + $self->{cache} = \%cache; + } + my $cachekey = sha256 "$username:$passphrase"; + return $self->{cache}{$cachekey} if exists $self->{cache}{$cachekey}; # uncoverable branch true my $user = $self->get_user($username); return 0 unless $user; - Authen::Passphrase->from_rfc2307($user->{passphrase})->match($passphrase) + my $ret = Authen::Passphrase->from_rfc2307($user->{passphrase})->match($passphrase); + $self->{cache}{$cachekey} = $ret if $ret || $self->{cache_fail}; + $ret } sub hash_passphrase { @@ -81,7 +98,7 @@ sub set_passphrase { sub make_reset_hmac { my ($self, $username, @data) = @_; - $self->{hmackey} //= random_bytes 512; + $self->{hmackey} //= random_bytes 512; # uncoverable condition false my $user = $self->get_user($username); my $message = join ' ', $username, $user->{passphrase}, @data; hmac_sha1_base64 $message, $self->{hmackey}; @@ -90,7 +107,7 @@ sub make_reset_hmac { sub mail_body { my ($self, $username, $token) = @_; my $hours = $self->{token_max_age} / 60 / 60; - $hours .= $hours == 1 ? ' hour' : ' hours'; + $hours .= $hours == 1 ? ' hour' : ' hours'; # uncoverable branch false < [ From => $self->{mail_from}, To => $user->{email}, - Subject => $user->{mail_subject}, + Subject => $self->{mail_subject}, ], body => $self->mail_body($username, $token), )); @@ -161,7 +178,8 @@ sub call_register { return $self->bad_request('Username must match ' . $self->{username_regex}) unless $parms{username} =~ /$self->{username_regex}/; return $self->bad_request('Username already in use') if $self->get_user($parms{username}); return $self->bad_request('The two passwords do not match') unless $parms{password} eq $parms{confirm_password}; - $self->{insert_sth}->execute($parms{username}, $self->hash_passphrase($parms{password}), $parms{email}); + + $self->create_user($req->parameters); return $self->reply('Registered successfully') } @@ -259,7 +277,7 @@ allows user registration, password changing and password reset. AuthComplex sets REMOTE_USER if the request includes correct basic authentication and intercepts POST requests to some configurable URLs. -It also sets C<$env->{authcomplex}> to itself before passing the +It also sets C<< $env->{authcomplex} >> to itself before passing the request. Some options can be controlled by passing a hashref to the @@ -348,9 +366,20 @@ C<'Password reset token'>. Authentication realm. Defaults to C<'restricted area'>. +=item cache_fail + +If true, all authentication results are cached. If false, only +successful logins are cached. Defaults to false. + +=item cache_max_age + +Authentication cache timeout, in seconds. Authentication results are +cached for this number of seconds to avoid expensive hashing. Defaults +to 5 minutes. + =item token_max_age -Password reset token validity, in seconds. Defaults to 24 hours. +Password reset token validity, in seconds. Defaults to 1 hour. =item username_regex @@ -395,6 +424,11 @@ Called at the end of the constructor. The default implementation connects to the database, calls C and prepares the SQL statements. +=item B(I<$parms>) + +Inserts a new user into the database. I<$parms> is a +L object containing the request parameters. + =item B(I<$username>) Returns a hashref with (at least) the following keys: passphrase (the