X-Git-Url: http://git.ieval.ro/?p=plack-middleware-auth-complex.git;a=blobdiff_plain;f=lib%2FPlack%2FMiddleware%2FAuth%2FComplex.pm;h=4436e5a81321c59b827140f55e22f2efe84ac677;hp=920810c2ffb392407b6d1975b12575c99310ecba;hb=51912257b1a84ebc1a55dd80cd9e27ea4c42dd35;hpb=388ed2817a2e23c00f50d3d74d71c96c3d466a5a diff --git a/lib/Plack/Middleware/Auth/Complex.pm b/lib/Plack/Middleware/Auth/Complex.pm index 920810c..4436e5a 100644 --- a/lib/Plack/Middleware/Auth/Complex.pm +++ b/lib/Plack/Middleware/Auth/Complex.pm @@ -4,20 +4,22 @@ use 5.014000; use strict; use warnings; -our $VERSION = '0.000_001'; -$VERSION = eval $VERSION; # see L +our $VERSION = '0.001'; use parent qw/Plack::Middleware/; +use re '/s'; use Authen::Passphrase; use Authen::Passphrase::BlowfishCrypt; use Bytes::Random::Secure qw/random_bytes/; +use Carp qw/croak/; use DBI; -use Digest::SHA qw/hmac_sha1_base64/; +use Digest::SHA qw/hmac_sha1_base64 sha256/; use Email::Simple; use Email::Sender::Simple qw/sendmail/; use MIME::Base64 qw/decode_base64/; use Plack::Request; +use Tie::Hash::Expire; sub default_opts {( dbi_connect => ['dbi:Pg:', '', ''], @@ -26,8 +28,10 @@ sub default_opts {( insert_user => 'INSERT INTO users (id, passphrase, email) VALUES (?,?,?)', mail_subject => 'Password reset token', realm => 'restricted area', - token_max_age => 60 * 60 * 24, - username_regex => qr/^\w{2,20}$/a, + cache_fail => 0, + cache_max_age => 5 * 60, + token_max_age => 60 * 60, + username_regex => qr/^\w{2,20}$/as, register_url => '/action/register', passwd_url => '/action/passwd', request_reset_url => '/action/request-reset', @@ -45,24 +49,39 @@ sub new { sub init { my ($self) = @_; - $self->{dbh} = DBI->connect(@{$self->{dbi_connect}}) or die $DBI::errstr; - $self->{post_connect_cb}->($self) if $self->{post_connect_cb}; - $self->{insert_sth} = $self->{dbh}->prepare($self->{insert_user}) or die $self->{dbh}->errstr; - $self->{select_sth} = $self->{dbh}->prepare($self->{select_user}) or die $self->{dbh}->errstr; - $self->{update_sth} = $self->{dbh}->prepare($self->{update_pass}) or die $self->{dbh}->errstr; + $self->{dbh} = DBI->connect(@{$self->{dbi_connect}}) or croak $DBI::errstr; + $self->{post_connect_cb}->($self) if $self->{post_connect_cb}; # uncoverable branch false + $self->{insert_sth} = $self->{dbh}->prepare($self->{insert_user}) or croak $self->{dbh}->errstr; + $self->{select_sth} = $self->{dbh}->prepare($self->{select_user}) or croak $self->{dbh}->errstr; + $self->{update_sth} = $self->{dbh}->prepare($self->{update_pass}) or croak $self->{dbh}->errstr; +} + +sub create_user { + my ($self, $parms) = @_; + my %parms = $parms->flatten; + $self->{insert_sth}->execute($parms{username}, $self->hash_passphrase($parms{password}), $parms{email}) or croak $self->{insert_sth}->errstr; } sub get_user { my ($self, $user) = @_; - $self->{select_sth}->execute($user) or die $self->{sth}->errstr; + $self->{select_sth}->execute($user) or croak $self->{select_sth}->errstr; $self->{select_sth}->fetchrow_hashref } sub check_passphrase { my ($self, $username, $passphrase) = @_; + unless ($self->{cache}) { + ## no critic (ProhibitTies) + tie my %cache, 'Tie::Hash::Expire', {expire_seconds => $self->{cache_max_age}}; + $self->{cache} = \%cache; + } + my $cachekey = sha256 "$username:$passphrase"; + return $self->{cache}{$cachekey} if exists $self->{cache}{$cachekey}; # uncoverable branch true my $user = $self->get_user($username); return 0 unless $user; - Authen::Passphrase->from_rfc2307($user->{passphrase})->match($passphrase) + my $ret = Authen::Passphrase->from_rfc2307($user->{passphrase})->match($passphrase); + $self->{cache}{$cachekey} = $ret if $ret || $self->{cache_fail}; + $ret } sub hash_passphrase { @@ -76,12 +95,12 @@ sub hash_passphrase { sub set_passphrase { my ($self, $username, $passphrase) = @_; - $self->{update_sth}->execute($self->hash_passphrase($passphrase), $username) + $self->{update_sth}->execute($self->hash_passphrase($passphrase), $username) or croak $self->{update_sth}->errstr; } sub make_reset_hmac { my ($self, $username, @data) = @_; - $self->{hmackey} //= random_bytes 512; + $self->{hmackey} //= random_bytes 512; # uncoverable condition false my $user = $self->get_user($username); my $message = join ' ', $username, $user->{passphrase}, @data; hmac_sha1_base64 $message, $self->{hmackey}; @@ -90,8 +109,8 @@ sub make_reset_hmac { sub mail_body { my ($self, $username, $token) = @_; my $hours = $self->{token_max_age} / 60 / 60; - $hours .= $hours == 1 ? ' hour' : ' hours'; - < [ From => $self->{mail_from}, To => $user->{email}, - Subject => $user->{mail_subject}, + Subject => $self->{mail_subject}, ], body => $self->mail_body($username, $token), )); @@ -158,10 +177,11 @@ sub call_register { return $self->bad_request("Missing parameter $_") unless $parms{$_}; } - return $self->bad_request('Username must match ' . $self->{username_regex}) unless $parms{username} =~ /$self->{username_regex}/; + return $self->bad_request('Username must match ' . $self->{username_regex}) unless $parms{username} =~ $self->{username_regex}; return $self->bad_request('Username already in use') if $self->get_user($parms{username}); return $self->bad_request('The two passwords do not match') unless $parms{password} eq $parms{confirm_password}; - $self->{insert_sth}->execute($parms{username}, $self->hash_passphrase($parms{password}), $parms{email}); + + $self->create_user($req->parameters); return $self->reply('Registered successfully') } @@ -185,13 +205,11 @@ sub call_request_reset { return $self->internal_server_error('Password resets are disabled') unless $self->{mail_from}; my $username = $req->param('username'); my $user = $self->get_user($username) or return $self->bad_request('No such user'); - my $ok = 0; eval { $self->send_reset_email($username); - $ok = 1; - }; - return $self->reply('Email sent') if $ok; - return $self->internal_server_error($@); + 1 + } or return $self->internal_server_error($@); + $self->reply('Email sent'); } sub call_reset { @@ -204,7 +222,7 @@ sub call_reset { my $user = $self->get_user($parms{username}) or return $self->bad_request('No such user'); return $self->bad_request('The two passwords do not match') unless $parms{new_password} eq $parms{confirm_new_password}; - my ($token, $exp) = split ':', $parms{token}; + my ($token, $exp) = split /:/, $parms{token}; my $goodtoken = $self->make_reset_hmac($parms{username}, $exp); return $self->bad_request('Bad reset token') unless $token eq $goodtoken; return $self->bad_request('Reset token has expired') if time >= $exp; @@ -259,7 +277,7 @@ allows user registration, password changing and password reset. AuthComplex sets REMOTE_USER if the request includes correct basic authentication and intercepts POST requests to some configurable URLs. -It also sets C<$env->{authcomplex}> to itself before passing the +It also sets C<< $env->{authcomplex} >> to itself before passing the request. Some options can be controlled by passing a hashref to the @@ -348,14 +366,25 @@ C<'Password reset token'>. Authentication realm. Defaults to C<'restricted area'>. +=item cache_fail + +If true, all authentication results are cached. If false, only +successful logins are cached. Defaults to false. + +=item cache_max_age + +Authentication cache timeout, in seconds. Authentication results are +cached for this number of seconds to avoid expensive hashing. Defaults +to 5 minutes. + =item token_max_age -Password reset token validity, in seconds. Defaults to 24 hours. +Password reset token validity, in seconds. Defaults to 1 hour. =item username_regex Regular expression that matches valid usernames. Defaults to -C. +C. =item register_url @@ -395,6 +424,11 @@ Called at the end of the constructor. The default implementation connects to the database, calls C and prepares the SQL statements. +=item B(I<$parms>) + +Inserts a new user into the database. I<$parms> is a +L object containing the request parameters. + =item B(I<$username>) Returns a hashref with (at least) the following keys: passphrase (the