use strict;
use warnings;
-our $VERSION = '0.000_001';
-$VERSION = eval $VERSION; # see L<perlmodstyle>
+our $VERSION = '0.001';
use parent qw/Plack::Middleware/;
+use re '/s';
use Authen::Passphrase;
use Authen::Passphrase::BlowfishCrypt;
use Bytes::Random::Secure qw/random_bytes/;
+use Carp qw/croak/;
use DBI;
-use Digest::SHA qw/hmac_sha1_base64/;
+use Digest::SHA qw/hmac_sha1_base64 sha256/;
use Email::Simple;
use Email::Sender::Simple qw/sendmail/;
use MIME::Base64 qw/decode_base64/;
use Plack::Request;
+use Tie::Hash::Expire;
sub default_opts {(
dbi_connect => ['dbi:Pg:', '', ''],
insert_user => 'INSERT INTO users (id, passphrase, email) VALUES (?,?,?)',
mail_subject => 'Password reset token',
realm => 'restricted area',
- token_max_age => 60 * 60 * 24,
- username_regex => qr/^\w{2,20}$/a,
- register_url => '/register',
- passwd_url => '/passwd',
- request_reset_url => '/request-reset',
- reset_url => '/reset'
+ cache_fail => 0,
+ cache_max_age => 5 * 60,
+ token_max_age => 60 * 60,
+ username_regex => qr/^\w{2,20}$/as,
+ register_url => '/action/register',
+ passwd_url => '/action/passwd',
+ request_reset_url => '/action/request-reset',
+ reset_url => '/action/reset'
)}
sub new {
sub init {
my ($self) = @_;
- $self->{dbh} = DBI->connect(@{$self->{dbi_connect}}) or die $DBI::errstr;
- $self->{post_connect_cb}->($self) if $self->{post_connect_cb};
- $self->{insert_sth} = $self->{dbh}->prepare($self->{insert_user}) or die $self->{dbh}->errstr;
- $self->{select_sth} = $self->{dbh}->prepare($self->{select_user}) or die $self->{dbh}->errstr;
- $self->{update_sth} = $self->{dbh}->prepare($self->{update_pass}) or die $self->{dbh}->errstr;
+ $self->{dbh} = DBI->connect(@{$self->{dbi_connect}}) or croak $DBI::errstr;
+ $self->{post_connect_cb}->($self) if $self->{post_connect_cb}; # uncoverable branch false
+ $self->{insert_sth} = $self->{dbh}->prepare($self->{insert_user}) or croak $self->{dbh}->errstr;
+ $self->{select_sth} = $self->{dbh}->prepare($self->{select_user}) or croak $self->{dbh}->errstr;
+ $self->{update_sth} = $self->{dbh}->prepare($self->{update_pass}) or croak $self->{dbh}->errstr;
+}
+
+sub create_user {
+ my ($self, $parms) = @_;
+ my %parms = $parms->flatten;
+ $self->{insert_sth}->execute($parms{username}, $self->hash_passphrase($parms{password}), $parms{email}) or croak $self->{insert_sth}->errstr;
}
sub get_user {
my ($self, $user) = @_;
- $self->{select_sth}->execute($user) or die $self->{sth}->errstr;
+ $self->{select_sth}->execute($user) or croak $self->{select_sth}->errstr;
$self->{select_sth}->fetchrow_hashref
}
sub check_passphrase {
my ($self, $username, $passphrase) = @_;
+ unless ($self->{cache}) {
+ ## no critic (ProhibitTies)
+ tie my %cache, 'Tie::Hash::Expire', {expire_seconds => $self->{cache_max_age}};
+ $self->{cache} = \%cache;
+ }
+ my $cachekey = sha256 "$username:$passphrase";
+ return $self->{cache}{$cachekey} if exists $self->{cache}{$cachekey}; # uncoverable branch true
my $user = $self->get_user($username);
return 0 unless $user;
- Authen::Passphrase->from_rfc2307($user->{passphrase})->match($passphrase)
+ my $ret = Authen::Passphrase->from_rfc2307($user->{passphrase})->match($passphrase);
+ $self->{cache}{$cachekey} = $ret if $ret || $self->{cache_fail};
+ $ret
}
sub hash_passphrase {
sub set_passphrase {
my ($self, $username, $passphrase) = @_;
- $self->{update_sth}->execute($self->hash_passphrase($passphrase), $username)
+ $self->{update_sth}->execute($self->hash_passphrase($passphrase), $username) or croak $self->{update_sth}->errstr;
}
sub make_reset_hmac {
my ($self, $username, @data) = @_;
- $self->{hmackey} //= random_bytes 512;
+ $self->{hmackey} //= random_bytes 512; # uncoverable condition false
my $user = $self->get_user($username);
my $message = join ' ', $username, $user->{passphrase}, @data;
hmac_sha1_base64 $message, $self->{hmackey};
sub mail_body {
my ($self, $username, $token) = @_;
my $hours = $self->{token_max_age} / 60 / 60;
- $hours .= $hours == 1 ? ' hour' : ' hours';
- <<EOF;
+ $hours .= $hours == 1 ? ' hour' : ' hours'; # uncoverable branch false
+ <<"EOF";
Someone has requested a password reset for your account.
To reset your password, please submit the reset password form on the
header => [
From => $self->{mail_from},
To => $user->{email},
- Subject => $user->{mail_subject},
+ Subject => $self->{mail_subject},
],
body => $self->mail_body($username, $token),
));
return $self->bad_request("Missing parameter $_") unless $parms{$_};
}
- return $self->bad_request('Username must match ' . $self->{username_regex}) unless $parms{username} =~ /$self->{username_regex}/;
+ return $self->bad_request('Username must match ' . $self->{username_regex}) unless $parms{username} =~ $self->{username_regex};
return $self->bad_request('Username already in use') if $self->get_user($parms{username});
return $self->bad_request('The two passwords do not match') unless $parms{password} eq $parms{confirm_password};
- $self->{insert_sth}->execute($parms{username}, $self->hash_passphrase($parms{password}), $parms{email});
+
+ $self->create_user($req->parameters);
return $self->reply('Registered successfully')
}
return $self->internal_server_error('Password resets are disabled') unless $self->{mail_from};
my $username = $req->param('username');
my $user = $self->get_user($username) or return $self->bad_request('No such user');
- my $ok = 0;
eval {
$self->send_reset_email($username);
- $ok = 1;
- };
- return $self->reply('Email sent') if $ok;
- return $self->internal_server_error($@);
+ 1
+ } or return $self->internal_server_error($@);
+ $self->reply('Email sent');
}
sub call_reset {
my $user = $self->get_user($parms{username}) or return $self->bad_request('No such user');
return $self->bad_request('The two passwords do not match') unless $parms{new_password} eq $parms{confirm_new_password};
- my ($token, $exp) = split ':', $parms{token};
+ my ($token, $exp) = split /:/, $parms{token};
my $goodtoken = $self->make_reset_hmac($parms{username}, $exp);
return $self->bad_request('Bad reset token') unless $token eq $goodtoken;
return $self->bad_request('Reset token has expired') if time >= $exp;
AuthComplex sets REMOTE_USER if the request includes correct basic
authentication and intercepts POST requests to some configurable URLs.
-It also sets C<$env->{authcomplex}> to itself before passing the
+It also sets C<< $env->{authcomplex} >> to itself before passing the
request.
Some options can be controlled by passing a hashref to the
=over
-=item B<POST> /register?username=user&password=pw&confirm_password=pw&email=user@example.org
+=item B<POST> /action/register?username=user&password=pw&confirm_password=pw&email=user@example.org
This URL creates a new user with the given username, password and
email. The two passwords must match, the user must match
C<username_regex> and the user must not already exist.
-=item B<POST> /passwd?password=oldpw&new_password=newpw&confirm_new_password=newpw
+=item B<POST> /action/passwd?password=oldpw&new_password=newpw&confirm_new_password=newpw
This URL changes the password of a user. The user must be
authenticated (otherwise the endpoint will return 401).
-=item B<POST> /request-reset?username=user
+=item B<POST> /action/request-reset?username=user
This URL requests a password reset token for the given user. The token
will be sent to the user's email address.
A reset token in the default implementation is C<< base64(HMAC-SHA1("$username $passphrase $expiration_unix_time")) . ":$expiration_user_time" >>.
-=item B<POST> /reset?username=user&new_password=pw&confirm_new_password=pw&token=token
+=item B<POST> /action/reset?username=user&new_password=pw&confirm_new_password=pw&token=token
This URL performs a password reset.
Authentication realm. Defaults to C<'restricted area'>.
+=item cache_fail
+
+If true, all authentication results are cached. If false, only
+successful logins are cached. Defaults to false.
+
+=item cache_max_age
+
+Authentication cache timeout, in seconds. Authentication results are
+cached for this number of seconds to avoid expensive hashing. Defaults
+to 5 minutes.
+
=item token_max_age
-Password reset token validity, in seconds. Defaults to 24 hours.
+Password reset token validity, in seconds. Defaults to 1 hour.
=item username_regex
Regular expression that matches valid usernames. Defaults to
-C<qr/^\w{2,20}$/a>.
+C<qr/^\w{2,20}$/as>.
=item register_url
-URL for registering. Defaults to C<'/register'>.
+URL for registering. Defaults to C<'/action/register'>.
=item passwd_url
-URL for changing your password. Defaults to C<'/passwd'>.
+URL for changing your password. Defaults to C<'/action/passwd'>.
=item request_reset_url
URL for requesting a password reset token by email. Defaults to
-C<'/request-reset'>.
+C<'/action/request-reset'>.
=item reset_url
URL for resetting your password with a reset token. Defaults to
-C<'/reset'>.
+C<'/action/reset'>.
=back
connects to the database, calls C<post_connect_cb> and prepares the
SQL statements.
+=item B<create_user>(I<$parms>)
+
+Inserts a new user into the database. I<$parms> is a
+L<Hash::MultiValue> object containing the request parameters.
+
=item B<get_user>(I<$username>)
Returns a hashref with (at least) the following keys: passphrase (the