From 4c1b8033b07680fc1ee1cdd4f515ca89545b22c4 Mon Sep 17 00:00:00 2001 From: Marius Gavrilescu Date: Sun, 1 Mar 2015 13:13:53 +0200 Subject: [PATCH] Add authentication cache --- Makefile.PL | 3 ++- lib/Plack/Middleware/Auth/Complex.pm | 26 ++++++++++++++++++++++++-- t/Plack-Middleware-Auth-Complex.t | 9 +++++++-- 3 files changed, 33 insertions(+), 5 deletions(-) diff --git a/Makefile.PL b/Makefile.PL index 3d96b1a..21ef80a 100644 --- a/Makefile.PL +++ b/Makefile.PL @@ -21,7 +21,8 @@ WriteMakefile( DBI 0 Email::Simple 0 Email::Sender::Simple 0 - Plack::Request 0/, + Plack::Request 0 + Tie::Hash::Expire 0/, }, META_MERGE => { dynamic_config => 0, diff --git a/lib/Plack/Middleware/Auth/Complex.pm b/lib/Plack/Middleware/Auth/Complex.pm index 920810c..55fc5ee 100644 --- a/lib/Plack/Middleware/Auth/Complex.pm +++ b/lib/Plack/Middleware/Auth/Complex.pm @@ -13,11 +13,12 @@ use Authen::Passphrase; use Authen::Passphrase::BlowfishCrypt; use Bytes::Random::Secure qw/random_bytes/; use DBI; -use Digest::SHA qw/hmac_sha1_base64/; +use Digest::SHA qw/hmac_sha1_base64 sha256/; use Email::Simple; use Email::Sender::Simple qw/sendmail/; use MIME::Base64 qw/decode_base64/; use Plack::Request; +use Tie::Hash::Expire; sub default_opts {( dbi_connect => ['dbi:Pg:', '', ''], @@ -26,6 +27,8 @@ sub default_opts {( insert_user => 'INSERT INTO users (id, passphrase, email) VALUES (?,?,?)', mail_subject => 'Password reset token', realm => 'restricted area', + cache_fail => 0, + cache_max_age => 5 * 60, token_max_age => 60 * 60 * 24, username_regex => qr/^\w{2,20}$/a, register_url => '/action/register', @@ -60,9 +63,17 @@ sub get_user { sub check_passphrase { my ($self, $username, $passphrase) = @_; + unless ($self->{cache}) { + tie my %cache, 'Tie::Hash::Expire', {expire_seconds => $self->{cache_max_age}}; + $self->{cache} = \%cache; + } + my $cachekey = sha256 "$username:$passphrase"; + return $self->{cache}{$cachekey} if exists $self->{cache}{$cachekey}; my $user = $self->get_user($username); return 0 unless $user; - Authen::Passphrase->from_rfc2307($user->{passphrase})->match($passphrase) + my $ret = Authen::Passphrase->from_rfc2307($user->{passphrase})->match($passphrase); + $self->{cache}{$cachekey} = $ret if $ret || $self->{cache_fail}; + $ret } sub hash_passphrase { @@ -348,6 +359,17 @@ C<'Password reset token'>. Authentication realm. Defaults to C<'restricted area'>. +=item cache_fail + +If true, all authentication results are cached. If false, only +successful logins are cached. Defaults to false. + +=item cache_max_age + +Authentication cache timeout, in seconds. Authentication results are +cached for this number of seconds to avoid expensive hashing. Defaults +to 5 minutes. + =item token_max_age Password reset token validity, in seconds. Defaults to 24 hours. diff --git a/t/Plack-Middleware-Auth-Complex.t b/t/Plack-Middleware-Auth-Complex.t index 956ee67..5b42232 100644 --- a/t/Plack-Middleware-Auth-Complex.t +++ b/t/Plack-Middleware-Auth-Complex.t @@ -30,8 +30,13 @@ sub is_http { my $create_table = 'CREATE TABLE users (id TEXT PRIMARY KEY, passphrase TEXT, email TEXT)'; my $ac = Plack::Middleware::Auth::Complex->new({ - dbi_connect => ['dbi:SQLite:dbname=:memory:'], - post_connect_cb => sub { shift->{dbh}->do($create_table) }, + dbi_connect => ['dbi:SQLite:dbname=:memory:'], + post_connect_cb => sub { shift->{dbh}->do($create_table) }, + register_url => '/register', + passwd_url => '/passwd', + request_reset_url => '/request-reset', + reset_url => '/reset', + cache_max_age => 0, }); my $app = $ac->wrap(\&app); -- 2.39.2