use Digest::MD5 qw(md5_hex);
use CGI::Ex;
-$VERSION = '2.19';
+$VERSION = '2.24';
###----------------------------------------------------------------###
local $self->{'no_cookie_verify'} = 1;
$self->check_valid_auth; # verify the logout so we can capture the username if possible
+ $self->logout_hook;
+
if ($self->bounce_on_logout) {
my $key_c = $self->key_cookie;
$self->delete_cookie({key => $key_c}) if $self->cookies->{$key_c};
next if ! defined $hash->{$key};
last if ! $is_form && $had_form_data; # if form info was passed in - we must use it only
$had_form_data = 1 if $is_form;
+ next if ! length $hash->{$key};
### if it looks like a bare username (as in they didn't have javascript) - add in other items
my $data;
user => delete $hash->{$key},
test_pass => delete $hash->{ $self->key_pass },
expires_min => delete($hash->{ $self->key_save }) ? -1 : delete($hash->{ $self->key_expires_min }) || $self->expires_min,
- payload => delete $hash->{ $self->key_payload } || '',
},
from => 'form',
}) || next;
}
### generate a fresh cookie if they submitted info on plaintext types
- if ($self->use_plaintext || ($data->{'type'} && $data->{'type'} eq 'crypt')) {
+ if ($is_form
+ && ($self->use_plaintext || ($data->{'type'} && $data->{'type'} eq 'crypt'))) {
$self->set_cookie({
key => $self->key_cookie,
val => $self->generate_token($data),
no_expires => ($data->{ $self->key_save } ? 0 : 1), # make it a session cookie unless they ask for saving
- }) if $is_form; # only set the cookie if we found info in the form - the cookie will be a session cookie after that
+ });
### always generate a cookie on types that have expiration
} else {
### if they have cookies we are done
} elsif (scalar(keys %{$self->cookies}) || $self->no_cookie_verify) {
+ $self->success_hook;
return $self;
### need to verify cookies are set-able
}
}
+sub success_hook {
+ my $self = shift;
+ if (my $meth = $self->{'success_hook'}) {
+ return $meth->($self);
+ }
+ return;
+}
+
+sub logout_hook {
+ my $self = shift;
+ if (my $meth = $self->{'logout_hook'}) {
+ return $meth->($self);
+ }
+ return;
+}
+
sub handle_failure {
my $self = shift;
my $args = shift || {};
### allow for a sleep to help prevent brute force
sleep($self->failed_sleep) if defined($data) && $data->error ne 'Login expired' && $self->failed_sleep;
+ $self->failure_hook;
return;
}
+sub failure_hook {
+ my $self = shift;
+ if (my $meth = $self->{'failure_hook'}) {
+ return $meth->($self);
+ }
+ return;
+}
+
sub check_valid_auth {
my $self = shift;
$self = $self->new(@_) if ! ref $self;
sub form_name { shift->{'form_name'} ||= 'cea_form' }
sub key_verify { shift->{'key_verify'} ||= 'cea_verify' }
sub key_redirect { shift->{'key_redirect'} ||= 'cea_redirect' }
-sub key_payload { shift->{'key_payload'} ||= 'cea_payload' }
sub key_loggedout { shift->{'key_loggedout'} ||= 'loggedout' }
sub bounce_on_logout { shift->{'bounce_on_logout'} ||= 0 }
sub secure_hash_keys { shift->{'secure_hash_keys'} ||= [] }
sub use_base64 { my $s = shift; $s->{'use_base64'} = 1 if ! defined $s->{'use_base64'}; $s->{'use_base64'} }
sub expires_min { my $s = shift; $s->{'expires_min'} = 6 * 60 if ! defined $s->{'expires_min'}; $s->{'expires_min'} }
sub failed_sleep { shift->{'failed_sleep'} ||= 0 }
+sub disable_simple_cram { shift->{'disable_simple_cram'} }
sub logout_redirect {
my ($self, $user) = @_;
sub login_print {
my $self = shift;
my $hash = $self->login_hash_common;
- my $template = $self->login_template;
+ my $file = $self->login_template;
### allow for a hooked override
if (my $meth = $self->{'login_print'}) {
- $meth->($self, $template, $hash);
+ $meth->($self, $file, $hash);
return 0;
}
### process the document
- require CGI::Ex::Template;
- my $cet = CGI::Ex::Template->new($self->template_args);
+ my $args = $self->template_args;
+ $args->{'INCLUDE_PATH'} ||= $args->{'include_path'} || $self->template_include_path,
+ my $t = $self->template_obj($args);
my $out = '';
- $cet->process_simple($template, $hash, \$out) || die $cet->error;
+ $t->process_simple($file, $hash, \$out) || die $t->error;
### fill in form fields
require CGI::Ex::Fill;
return 0;
}
-sub template_args {
- my $self = shift;
- return $self->{'template_args'} ||= {
- INCLUDE_PATH => $self->template_include_path,
+sub template_obj {
+ my ($self, $args) = @_;
+ return $self->{'template_obj'} || do {
+ require Template::Alloy;
+ Template::Alloy->new($args);
};
}
-sub template_include_path { shift->{'template_include_path'} || '' }
+sub template_args { $_[0]->{'template_args'} ||= {} }
+
+sub template_include_path { $_[0]->{'template_include_path'} || '' }
sub login_hash_common {
my $self = shift;
key_time => $self->key_time,
key_save => $self->key_save,
key_expires_min => $self->key_expires_min,
- key_payload => $self->key_payload,
key_redirect => $self->key_redirect,
form_name => $self->form_name,
script_name => $self->script_name,
path_info => $self->path_info,
md5_js_path => $self->js_uri_path ."/CGI/Ex/md5.js",
- use_plaintext => $self->use_plaintext,
$self->key_user => $data->{'user'} || '',
$self->key_pass => '', # don't allow for this to get filled into the form
$self->key_time => $self->server_time,
- $self->key_payload => $self->generate_payload({%$data, login_form => 1}),
$self->key_expires_min => $self->expires_min,
text_user => $self->text_user,
text_pass => $self->text_pass,
sub verify_token {
my $self = shift;
my $args = shift;
- my $token = delete $args->{'token'} || die "Missing token";
+ my $token = delete $args->{'token'}; die "Missing token" if ! length $token;
my $data = $self->new_auth_data({token => $token, %$args});
my $meth;
}
}
- ### looks like a normal cram
+ ### looks like a simple_cram
} elsif ($data->{'cram_time'}) {
- $data->add_data(type => 'cram');
+ $data->add_data(type => 'simple_cram');
+ die "Type simple_cram disabled during verify_password" if $self->disable_simple_cram;
my $real = $pass =~ /^[a-f0-9]{32}$/ ? lc($pass) : md5_hex($pass);
my $str = join("/", @{$data}{qw(user cram_time expires_min payload)});
my $sum = md5_hex($str .'/'. $real);
my $pass = defined($data->{'test_pass'}) ? $data->{'test_pass'} : $data->{'real_pass'};
$token = $data->{'user'} .'/'. $pass;
- ### all other types go to cram - secure_hash_cram, cram, plaintext and md5
+ ### all other types go to cram - secure_hash_cram, simple_cram, plaintext and md5
} else {
my $user = $data->{'user'} || die "Missing user";
my $real = defined($data->{'real_pass'}) ? ($data->{'real_pass'} =~ /^[a-f0-9]{32}$/ ? lc($data->{'real_pass'}) : md5_hex($data->{'real_pass'}))
die "User can not contain a \"/\." if $user =~ m|/|;
my $array;
- if (! $data->{'prefer_cram'}
+ if (! $data->{'prefer_simple_cram'}
&& ($array = eval { $self->secure_hash_keys })
&& @$array) {
my $rand1 = int(rand @$array);
my $sum = md5_hex($str .'/'. $real .('/sh.'.$array->[$rand1].'.'.$rand2));
$token = $str .'/'. $sum . '/sh.'.$rand1.'.'.$rand2;
} else {
+ die "Type simple_cram disabled during generate_token" if $self->disable_simple_cram;
my $str = join("/", $user, $self->server_time, $exp, $load);
my $sum = md5_hex($str .'/'. $real);
$token = $str .'/'. $sum;
<span class="login_error">[% error %]</span>
<form class="login_form" name="[% form_name %]" method="POST" action="[% script_name %][% path_info %]">
<input type="hidden" name="[% key_redirect %]" value="">
- <input type="hidden" name="[% key_payload %]" value="">
<input type="hidden" name="[% key_time %]" value="">
<input type="hidden" name="[% key_expires_min %]" value="">
<table class="login_table">
sub text_submit { my $self = shift; return defined($self->{'text_submit'}) ? $self->{'text_submit'} : 'Login' }
sub login_script {
- return shift->{'login_script'} || q {
- [%~ IF ! use_plaintext %]
+ my $self = shift;
+ return $self->{'login_script'} if $self->{'login_script'};
+ return '' if $self->use_plaintext || $self->disable_simple_cram;
+ return q {
<form name="[% form_name %]_jspost" style="margin:0px" method="POST">
<input type="hidden" name="[% key_user %]"><input type="hidden" name="[% key_redirect %]">
</form>
var p = f.[% key_pass %].value;
var t = f.[% key_time %].value;
var s = f.[% key_save %] && f.[% key_save %].checked ? -1 : f.[% key_expires_min %].value;
- var l = f.[% key_payload %].value;
- var str = u+'/'+t+'/'+s+'/'+l;
+ var str = u+'/'+t+'/'+s+'/'+'';
var sum = document.md5_hex(str +'/' + document.md5_hex(p));
var f2 = document.[% form_name %]_jspost;
return false;
}
</script>
- [% END ~%]
};
}
=head1 DESCRIPTION
-CGI::Ex::Auth allows for auto-expiring, safe and easy web based logins. Auth uses
-javascript modules that perform MD5 hashing to cram the password on
-the client side before passing them through the internet.
+CGI::Ex::Auth allows for auto-expiring, safe and easy web based
+logins. Auth uses javascript modules that perform MD5 hashing to cram
+the password on the client side before passing them through the
+internet.
-For the stored cookie you can choose to use cram mechanisms,
+For the stored cookie you can choose to use simple cram mechanisms,
secure hash cram tokens, auto expiring logins (not cookie based),
and Crypt::Blowfish protection. You can also choose to keep
passwords plaintext and to use perl's crypt for testing
passwords.
-A downside to this module is that it does not use a session to
-preserve state so get_pass_by_user has to happen on every request (any
-authenticated area has to verify authentication each time). A plus is
-that you don't need to use a session if you don't want to. It is up
-to the interested reader to add caching to the get_pass_by_user
+A theoretical downside to this module is that it does not use a
+session to preserve state so get_pass_by_user has to happen on every
+request (any authenticated area has to verify authentication each
+time). In theory you should be checking the password everytime a user
+makes a request to make sure the password is still valid. A definite
+plus is that you don't need to use a session if you don't want to. It
+is up to the interested reader to add caching to the get_pass_by_user
method.
+In the end, the only truly secure login method is across an https
+connection. Any connection across non-https (non-secure) is
+susceptible to cookie hijacking or tcp hijacking - though the
+possibility of this is normally small and typically requires access to
+a machine somewhere in your TCP chain. If in doubt - you should try
+to use https.
+
=head1 METHODS
=over 4
get_pass_by_user => \&my_pass_sub,
key_user => 'my_user',
key_pass => 'my_pass',
- login_template => \"<form><input name=my_user ... </form>",
+ login_header => \"<h1>My Login</h1>",
});
The following methods will look for properties of the same name. Each of these will be
-defined separately.
+described separately.
cgix
cleanup_user
key_expires_min
key_logout
key_pass
- key_payload
key_redirect
key_save
key_time
login_template
handle_success
handle_failure
+ success_hook
+ failure_hook
+ logout_hook
no_cookie_verify
path_info
script_name
secure_hash_keys
template_args
template_include_path
+ template_obj
text_user
text_pass
text_save
types.
payload - a payload that will be passed to generate_payload and then
will be added to cram type tokens. It cannot contain a /.
- prefer_cram - If the secure_hash_keys method returns keys, and it is a non-plaintext
+ prefer_simple_cram
+ - If the secure_hash_keys method returns keys, and it is a non-plaintext
token, generate_token will create a secure_hash_cram. Set
- this value to true to tell it to use a normal cram. This
+ this value to true to tell it to use a simple_cram. This
is generally only useful in testing.
The following are types of tokens that can be generated by generate_token. Each type includes
of the password but the get_pass_by_user hook returns the crypt'ed password, the
token will not be able to be verified.
- cram:
+ simple_cram:
user := "paul"
real_pass := "123qwe"
server_time := 1148512991 # a time in seconds since epoch
key_pass # $self->key_pass, # the password fieldname
key_time # $self->key_time, # the server time field name
key_save # $self->key_save, # the save password checkbox field name
- key_payload # $self->key_payload, # the payload fieldname
key_redirect # $self->key_redirect, # the redirect fieldname
form_name # $self->form_name, # the name of the form
script_name # $self->script_name, # where the server will post back to
path_info # $self->path_info, # $ENV{PATH_INFO} if any
md5_js_path # $self->js_uri_path ."/CGI/Ex/md5.js", # script for cramming
- use_plaintext # $self->use_plaintext, # used to avoid cramming
$self->key_user # $data->{'user'}, # the username (if any)
$self->key_pass # '', # intentional blankout
$self->key_time # $self->server_time, # the server's time
- $self->key_payload # $data->{'payload'} # the payload (if any)
$self->key_expires_min # $self->expires_min # how many minutes crams are valid
text_user # $self->text_user # template text Username:
text_pass # $self->text_pass # template text Password:
text_pass "Password:"
text_save "Save Password ?"
+=item C<disable_simple_cram>
+
+Disables simple cram type from being an available type. Default is
+false. If set, then one of use_plaintext, use_crypt, or
+secure_hash_keys should be set. Setting this option allows for
+payloads to be generated by the server only - otherwise a user who
+understands the algorithm could generate a valid simple_cram cookie
+with a custom payload.
+
+Another option would be to only accept payloads from tokens if use_blowfish
+is set and armor was equal to "blowfish."
+
=back
=head1 LICENSE
projects / chaz / p5-CGI-Ex / blobdiff