File Coverage

blib/lib/CGI/Ex/Auth.pm

Criterion	Covered	Total	%
statement	301	463	65.0
branch	168	326	51.5
condition	97	198	48.9
subroutine	70	94	74.4
pod	37	77	48.0
total	673	1158	58.1

line

stmt

bran

cond

sub

pod

time

code

package CGI::Ex::Auth;

=head1 NAME

CGI::Ex::Auth - Handle logins nicely.

=head1 VERSION

version 2.54

=cut

###----------------------------------------------------------------###

# Copyright - Paul Seamons #

# Distributed under the Perl Artistic License without warranty #

###----------------------------------------------------------------###

119177

use strict;

110

#use warnings; # TODO - investigate enabling in heavy usage scenarios

1184

use MIME::Base64 qw(encode_base64 decode_base64);

1862

165

use Digest::MD5 qw(md5_hex);

112

889

use CGI::Ex;

127

use Carp qw(croak);

16849

our $VERSION = '2.54'; # VERSION

###----------------------------------------------------------------###

sub new {

1289

my $class = shift || croak "Usage: ".__PACKAGE__."->new";

my $self = ref($_[0]) ? shift() : (@_ % 2) ? {} : {@_};

100

187

return bless {%$self}, $class;

}

sub get_valid_auth {

my $self = shift;

100

$self = $self->new(@_) if ! ref $self;

delete $self->{'_last_auth_data'};

# shortcut that will print a js file as needed (such as the md5.js)

if ($self->script_name . $self->path_info eq $self->js_uri_path . "/CGI/Ex/md5.js") {

$self->cgix->print_js('CGI/Ex/md5.js');

eval { die "Printed Javascript" };

return;

}

118

my $form = $self->form;

# allow for logout

if ($form->{$self->key_logout} && ! $self->{'_logout_looking_for_user'}) {

local $self->{'_logout_looking_for_user'} = 1;

local $self->{'no_set_cookie'} = 1;

local $self->{'no_cookie_verify'} = 1;

$self->check_valid_auth; # verify the logout so we can capture the username if possible

$self->logout_hook;

if ($self->bounce_on_logout) {

my $key_c = $self->key_cookie;

$self->delete_cookie({name => $key_c}) if $self->cookies->{$key_c};

my $user = $self->last_auth_data ? $self->last_auth_data->{'user'} : undef;

$self->location_bounce($self->logout_redirect(defined($user) ? $user : ''));

eval { die "Logging out" };

return;

} else {

$self->form({});

$self->handle_failure;

return;

}

my $data;

# look in form first

my $form_user = delete $form->{$self->key_user};

100

if (defined $form_user) {

if (delete $form->{$self->key_loggedout}) { # don't validate the form on a logout

100

$data = $self->new_auth_data({user => $form_user, error => 'Logged out'});

} elsif (defined $form->{ $self->key_pass }) {

$data = $self->verify_token({

token => {

user => $form_user,

test_pass => delete $form->{ $self->key_pass },

expires_min => delete($form->{ $self->key_save }) ? -1 : delete($form->{ $self->key_expires_min }) || undef,

from => 'form',

});

} elsif (! length $form_user) {

$data = $self->new_auth_data({user => '', error => 'Invalid user'});

} else {

$data = $self->verify_token({token => $form_user, from => 'form'});

}

# no valid form data ? look in the cookie

100

if (! ref($data) # no form

100

|| ($data->error && $data->{'allow_cookie_match'})) { # had form with error - but we can check if form user matches existing cookie

my $cookie = $self->cookies->{$self->key_cookie};

100

if (defined($cookie) && length($cookie)) {

101

my $form_data = $data;

102

$data = $self->verify_token({token => $cookie, from => 'cookie'});

103

100

if (defined $form_user) { # they had form data

104

my $user = $self->cleanup_user($form_user);

105

100

if (! $data || !$self->check_form_user_against_cookie($user, $data->{'user'}, $data)) { # but the cookie didn't match

106

$data = $self->{'_last_auth_data'} = $form_data; # restore old form data failure

107

$data->{'user'} = $user if ! defined $data->{'user'};

108

}

109

}

110

}

111

}

112

113

# failure

114

100

if (! $data) {

115

return $self->handle_failure({had_form_data => defined($form_user)});

116

}

117

118

# success

119

my $_key = $self->key_cookie;

120

my $_val = $self->generate_token($data);

121

my $use_session = $self->use_session_cookie($_key, $_val); # default false

122

100

if ($self->use_plaintext || ($data->{'type'} && $data->{'type'} eq 'crypt')) {

123

$use_session = 1 if ! defined($use_session) && ! defined($data->{'expires_min'});

124

}

125

$self->set_cookie({

126

100

107

name => $_key,

127

value => $_val,

128

expires => ($use_session ? '' : '+20y'), # non-cram cookie types are session cookies unless save was set (thus setting expires_min)

129

});

130

131

100

return $self->handle_success({is_form => ($data->{'from'} eq 'form' ? 1 : 0)});

132

}

133

134

sub handle_success {

135

my $self = shift;

136

my $args = shift || {};

137

if (my $meth = $self->{'handle_success'}) {

138

return $meth->($self, $args);

139

}

140

my $form = $self->form;

141

142

# bounce to redirect

143

if (my $redirect = $form->{ $self->key_redirect }) {

144

$self->location_bounce($redirect);

145

eval { die "Success login - bouncing to redirect" };

146

return;

147

148

# if they have cookies we are done

149

} elsif (scalar(keys %{$self->cookies}) || $self->no_cookie_verify) {

150

$self->success_hook;

151

return $self;

152

153

# need to verify cookies are set-able

154

} elsif ($args->{'is_form'}) {

155

$form->{$self->key_verify} = $self->server_time;

156

my $url = $self->script_name . $self->path_info . "?". $self->cgix->make_form($form);

157

158

$self->location_bounce($url);

159

eval { die "Success login - bouncing to test cookie" };

160

return;

161

}

162

}

163

164

sub success_hook {

165

my $self = shift;

166

if (my $meth = $self->{'success_hook'}) {

167

return $meth->($self);

168

}

169

return;

170

}

171

172

sub logout_hook {

173

my $self = shift;

174

if (my $meth = $self->{'logout_hook'}) {

175

return $meth->($self);

176

}

177

return;

178

}

179

180

sub handle_failure {

181

my $self = shift;

182

my $args = shift || {};

183

if (my $meth = $self->{'handle_failure'}) {

184

return $meth->($self, $args);

185

}

186

my $form = $self->form;

187

188

# make sure the cookie is gone

189

my $key_c = $self->key_cookie;

190

100

$self->delete_cookie({name => $key_c}) if exists $self->cookies->{$key_c};

191

192

# no valid login and we are checking for cookies - see if they have cookies

193

if (my $value = delete $form->{$self->key_verify}) {

194

if (abs(time() - $value) < 15) {

195

$self->no_cookies_print;

196

return;

197

}

198

}

199

200

# oh - you're still here - well then - ask for login credentials

201

my $key_r = $self->key_redirect;

202

local $form->{$key_r} = $form->{$key_r} || $self->script_name . $self->path_info . (scalar(keys %$form) ? "?".$self->cgix->make_form($form) : '');

203

100

local $form->{'had_form_data'} = $args->{'had_form_data'} || 0;

204

$self->login_print;

205

my $data = $self->last_auth_data;

206

100

eval { die defined($data) ? $data : "Requesting credentials" };

207

208

# allow for a sleep to help prevent brute force

209

sleep($self->failed_sleep) if defined($data) && $data->error ne 'Login expired' && $self->failed_sleep;

210

$self->failure_hook;

211

212

return;

213

}

214

215

sub failure_hook {

216

my $self = shift;

217

if (my $meth = $self->{'failure_hook'}) {

218

return $meth->($self);

219

}

220

return;

221

}

222

223

sub check_valid_auth {

224

my $self = shift;

225

$self = $self->new(@_) if ! ref $self;

226

227

local $self->{'location_bounce'} = sub {}; # but don't bounce to other locations

228

local $self->{'login_print'} = sub {}; # check only - don't login if not

229

local $self->{'set_cookie'} = $self->{'no_set_cookie'} ? sub {} : $self->{'set_cookie'};

230

return $self->get_valid_auth;

231

}

232

233

###----------------------------------------------------------------###

234

235

sub script_name { shift->{'script_name'} || $ENV{'SCRIPT_NAME'} || '' }

236

237

334

sub path_info { shift->{'path_info'} || $ENV{'PATH_INFO'} || '' }

238

239

sub server_time { time }

240

241

sub cgix {

242

my $self = shift;

243

$self->{'cgix'} = shift if @_ == 1;

244

return $self->{'cgix'} ||= CGI::Ex->new;

245

}

246

247

sub form {

248

my $self = shift;

249

110

$self->{'form'} = shift if @_ == 1;

250

128

return $self->{'form'} ||= $self->cgix->get_form;

251

}

252

253

sub cookies {

254

my $self = shift;

255

$self->{'cookies'} = shift if @_ == 1;

256

161

return $self->{'cookies'} ||= $self->cgix->get_cookies;

257

}

258

259

sub delete_cookie {

260

my $self = shift;

261

my $args = shift;

262

return $self->{'delete_cookie'}->($self, $args) if $self->{'delete_cookie'};

263

local $args->{'value'} = '';

264

local $args->{'expires'} = '-10y';

265

if (my $dom = $ENV{HTTP_HOST}) {

266

$dom =~ s/:\d+$//;

267

do {

268

local $args->{'domain'} = $dom;

269

$self->set_cookie($args);

270

local $args->{'domain'} = ".$dom";

271

$self->set_cookie($args);

272

}

273

while ($dom =~ s/^[\w\-]*\.// and $dom =~ /\./);

274

}

275

$self->set_cookie($args);

276

delete $self->cookies->{$args->{'name'}};

277

}

278

279

sub set_cookie {

280

1222

my $self = shift;

281

my $args = shift;

282

100

return $self->{'set_cookie'}->($self, $args) if $self->{'set_cookie'};

283

my $key = $args->{'name'};

284

my $val = $args->{'value'};

285

my $dom = $args->{'domain'} || $self->cookie_domain;

286

my $sec = $args->{'secure'} || $self->cookie_secure;

287

my $http = $args->{'httponly'} || $self->cookie_httponly;

288

100

my $same = $args->{'samesite'} || $self->cookie_samesite;

289

$self->cgix->set_cookie({

290

-name => $key,

291

-value => $val,

292

-path => $args->{'path'} || $self->cookie_path($key, $val) || '/',

293

($dom ? (-domain => $dom) : ()),

294

($sec ? (-secure => $sec) : ()),

295

($http ? (-httponly => $http) : ()),

296

($same ? (-samesite => $same) : ()),

297

100

($args->{'expires'} ? (-expires => $args->{'expires'}): ()),

100

298

});

299

$self->cookies->{$key} = $val;

300

}

301

302

sub location_bounce {

303

my $self = shift;

304

my $url = shift;

305

return $self->{'location_bounce'}->($self, $url) if $self->{'location_bounce'};

306

return $self->cgix->location_bounce($url);

307

}

308

309

###----------------------------------------------------------------###

310

311

138

sub key_logout { shift->{'key_logout'} ||= 'cea_logout' }

312

100

104

sub key_cookie { shift->{'key_cookie'} ||= 'cea_user' }

313

100

156

sub key_user { shift->{'key_user'} ||= 'cea_user' }

314

100

139

sub key_pass { shift->{'key_pass'} ||= 'cea_pass' }

315

100

sub key_time { shift->{'key_time'} ||= 'cea_time' }

316

100

sub key_save { shift->{'key_save'} ||= 'cea_save' }

317

100

106

sub key_expires_min { shift->{'key_expires_min'} ||= 'cea_expires_min' }

318

sub form_name { shift->{'form_name'} ||= 'cea_form' }

319

sub key_verify { shift->{'key_verify'} ||= 'cea_verify' }

320

100

112

sub key_redirect { shift->{'key_redirect'} ||= 'cea_redirect' }

321

sub key_loggedout { shift->{'key_loggedout'} ||= 'loggedout' }

322

sub bounce_on_logout { shift->{'bounce_on_logout'} ||= 0 }

323

sub secure_hash_keys { shift->{'secure_hash_keys'} ||= [] }

324

#perl -e 'use Digest::MD5 qw(md5_hex); open(my $fh, "<", "/dev/urandom"); for (1..10) { read $fh, my $t, 5_000_000; print md5_hex($t),"\n"}'

325

sub no_cookie_verify { shift->{'no_cookie_verify'} ||= 0 }

326

307

sub use_crypt { shift->{'use_crypt'} ||= 0 }

327

110

sub use_blowfish { shift->{'use_blowfish'} ||= '' }

328

100

sub use_plaintext { my $s = shift; $s->use_crypt || ($s->{'use_plaintext'} ||= 0) }

329

100

sub use_base64 { my $s = shift; $s->{'use_base64'} = 1 if ! defined $s->{'use_base64'}; $s->{'use_base64'} }

330

sub expires_min { my $s = shift; $s->{'expires_min'} = 6 * 60 if ! defined $s->{'expires_min'}; $s->{'expires_min'} }

331

sub failed_sleep { shift->{'failed_sleep'} ||= 0 }

332

sub cookie_path { shift->{'cookie_path'} }

333

sub cookie_domain { shift->{'cookie_domain'} }

334

sub cookie_secure { shift->{'cookie_secure'} }

335

sub cookie_httponly { shift->{'cookie_httponly'} }

336

sub cookie_samesite { shift->{'cookie_samesite'} }

337

sub use_session_cookie { shift->{'use_session_cookie'} }

338

sub disable_simple_cram { shift->{'disable_simple_cram'} }

339

139

sub complex_plaintext { shift->{'complex_plaintext'} }

340

341

sub logout_redirect {

342

my ($self, $user) = @_;

343

my $form = $self->cgix->make_form({$self->key_loggedout => 1, (length($user) ? ($self->key_user => $user) : ()) });

344

return $self->{'logout_redirect'} || $self->script_name ."?$form";

345

}

346

347

sub js_uri_path {

348

my $self = shift;

349

108

return $self->{'js_uri_path'} ||= $self->script_name ."/js";

350

}

351

352

###----------------------------------------------------------------###

353

354

sub no_cookies_print {

355

my $self = shift;

356

return $self->{'no_cookies_print'}->($self) if $self->{'no_cookies_print'};

357

$self->cgix->print_content_type;

358

print qq{

You do not appear to have cookies enabled.

};

359

}

360

361

sub login_print {

362

my $self = shift;

363

my $hash = $self->login_hash_common;

364

my $file = $self->login_template;

365

366

### allow for a hooked override

367

if (my $meth = $self->{'login_print'}) {

368

$meth->($self, $file, $hash);

369

return 0;

370

}

371

372

### process the document

373

my $args = $self->template_args;

374

$args->{'INCLUDE_PATH'} ||= $args->{'include_path'} || $self->template_include_path,

375

my $t = $self->template_obj($args);

376

my $out = '';

377

$t->process_simple($file, $hash, \$out) || die $t->error;

378

379

### fill in form fields

380

require CGI::Ex::Fill;

381

CGI::Ex::Fill::fill({text => \$out, form => $hash});

382

383

### print it

384

$self->cgix->print_content_type;

385

print $out;

386

387

return 0;

388

}

389

390

sub template_obj {

391

my ($self, $args) = @_;

392

return $self->{'template_obj'} || do {

393

require Template::Alloy;

394

Template::Alloy->new($args);

395

};

396

}

397

398

sub template_args { $_[0]->{'template_args'} ||= {} }

399

400

sub template_include_path { $_[0]->{'template_include_path'} || '' }

401

402

sub login_hash_common {

403

my $self = shift;

404

my $form = $self->form;

405

my $data = $self->last_auth_data;

406

100

$data = {no_data => 1} if ! ref $data;

407

408

return {

409

%$form,

410

error => ($form->{'had_form_data'}) ? "Login Failed" : "",

411

login_data => $data,

412

key_user => $self->key_user,

413

key_pass => $self->key_pass,

414

key_time => $self->key_time,

415

key_save => $self->key_save,

416

key_expires_min => $self->key_expires_min,

417

key_redirect => $self->key_redirect,

418

form_name => $self->form_name,

419

script_name => $self->script_name,

420

path_info => $self->path_info,

421

md5_js_path => $self->js_uri_path ."/CGI/Ex/md5.js",

422

100

$self->key_user => $data->{'user'} || '',

423

$self->key_pass => '', # don't allow for this to get filled into the form

424

$self->key_time => $self->server_time,

425

$self->key_expires_min => $self->expires_min,

426

text_user => $self->text_user,

427

text_pass => $self->text_pass,

428

text_save => $self->text_save,

429

text_submit => $self->text_submit,

430

hide_save => $self->hide_save,

431

};

432

}

433

434

###----------------------------------------------------------------###

435

436

sub verify_token {

437

my $self = shift;

438

my $args = shift;

439

if (my $meth = $self->{'verify_token'}) {

440

return $meth->($self, $args);

441

}

442

my $token = delete $args->{'token'}; die "Missing token" if ! length $token;

443

my $data = $self->new_auth_data({token => $token, %$args});

444

my $meth;

445

446

# make sure the token is parsed to usable data

447

100

if (ref $token) { # token already parsed

448

$data->add_data({%$token, armor => 'none'});

449

450

} elsif (my $meth = $self->{'parse_token'}) {

451

if (! $meth->($self, $args)) {

452

$data->error('Invalid custom parsed token') if ! $data->error; # add error if not already added

453

$data->{'allow_cookie_match'} = 1;

454

return $data;

455

}

456

} else {

457

100

if (! $self->parse_token($token, $data)) {

458

$data->error('Invalid token') if ! $data->error; # add error if not already added

459

$data->{'allow_cookie_match'} = 1;

460

return $data;

461

}

462

}

463

464

465

# verify the user

466

if (! defined($data->{'user'})) {

467

$data->error('Missing user');

468

} elsif (! defined($data->{'user'} = $self->cleanup_user($data->{'user'}))

469

|| ! length($data->{'user'})) {

470

$data->error('Missing cleaned user');

471

} elsif (! defined $data->{'test_pass'}) {

472

$data->error('Missing test_pass');

473

} elsif (! $self->verify_user($data->{'user'})) {

474

$data->error('Invalid user');

475

}

476

return $data if $data->error;

477

478

# get the pass

479

my $pass;

480

if (! defined($pass = eval { $self->get_pass_by_user($data->{'user'}) })) {

100

481

$data->add_data({details => $@});

482

$data->error('Could not get pass');

483

} elsif (ref $pass eq 'HASH') {

484

my $extra = $pass;

485

$pass = exists($extra->{'real_pass'}) ? delete($extra->{'real_pass'})

486

: exists($extra->{'password'}) ? delete($extra->{'password'})

487

: do { $data->error('Data returned by get_pass_by_user did not contain real_pass or password'); undef };

488

$data->error('Invalid login') if ! defined $pass && ! $data->error;

489

$data->add_data($extra);

490

}

491

return $data if $data->error;

492

$data->add_data({real_pass => $pass}); # store - to allow generate_token to not need to relookup the pass

493

494

495

# validate the pass

496

if ($meth = $self->{'verify_password'}) {

497

if (! $meth->($self, $pass, $data)) {

498

$data->error('Password failed verification') if ! $data->error;

499

}

500

} else{

501

100

if (! $self->verify_password($pass, $data)) {

502

$data->error('Password failed verification') if ! $data->error;

503

}

504

}

505

100

return $data if $data->error;

506

507

508

# validate the payload

509

if ($meth = $self->{'verify_payload'}) {

510

if (! $meth->($self, $data->{'payload'}, $data)) {

511

$data->error('Payload failed custom verification') if ! $data->error;

512

}

513

} else {

514

if (! $self->verify_payload($data->{'payload'}, $data)) {

515

$data->error('Payload failed verification') if ! $data->error;

516

}

517

}

518

519

return $data;

520

}

521

522

sub new_auth_data {

523

my $self = shift;

524

return $self->{'_last_auth_data'} = CGI::Ex::Auth::Data->new(@_);

525

}

526

527

sub parse_token {

528

my ($self, $token, $data) = @_;

529

my $found;

530

my $bkey;

531

for my $armor ('none', 'base64', 'blowfish') {

532

my $copy = ($armor eq 'none') ? $token

533

: ($armor eq 'base64') ? $self->use_base64 ? eval { local $^W; decode_base64($token) } : next

100

534

: ($bkey = $self->use_blowfish) ? decrypt_blowfish($token, $bkey)

535

: next;

536

if ($self->complex_plaintext && $copy =~ m|^ ([^/]+) / (\d+) / (-?\d+) / ([^/]*) / (.*) $|x) {

100

537

$data->add_data({

538

user => $1,

539

plain_time => $2,

540

expires_min => $3,

541

payload => $4,

542

test_pass => $5,

543

armor => $armor,

544

});

545

$found = 1;

546

last;

547

} elsif ($copy =~ m|^ ([^/]+) / (\d+) / (-?\d+) / ([^/]*) / ([a-fA-F0-9]{32}) (?: / (sh\.\d+\.\d+))? $|x) {

548

$data->add_data({

549

user => $1,

550

cram_time => $2,

551

expires_min => $3,

552

payload => $4,

553

test_pass => $5,

554

secure_hash => $6 || '',

555

armor => $armor,

556

});

557

$found = 1;

558

last;

559

} elsif ($copy =~ m|^ ([^/]+) / (.*) $|x) {

560

$data->add_data({

561

user => $1,

562

test_pass => $2,

563

armor => $armor,

564

});

565

$found = 1;

566

last;

567

}

568

}

569

return $found;

570

}

571

572

sub verify_password {

573

my ($self, $pass, $data) = @_;

574

my $err;

575

576

### looks like a secure_hash cram

577

100

198

if ($data->{'secure_hash'}) {

100

578

$data->add_data(type => 'secure_hash_cram');

579

my $array = eval {$self->secure_hash_keys };

580

if (! $array) {

581

$err = 'secure_hash_keys not found';

582

} elsif (! @$array) {

583

$err = 'secure_hash_keys empty';

584

} elsif ($data->{'secure_hash'} !~ /^sh\.(\d+)\.(\d+)$/ || $1 > $#$array) {

585

$err = 'Invalid secure hash';

586

} else {

587

my $rand1 = $1;

588

my $rand2 = $2;

589

my $real = $pass =~ /^[a-fA-F0-9]{32}$/ ? lc($pass) : md5_hex($pass);

590

my $str = join("/", @{$data}{qw(user cram_time expires_min payload)});

591

my $sum = md5_hex($str .'/'. $real .('/sh.'.$array->[$rand1].'.'.$rand2));

592

if ($data->{'expires_min'} > 0

593

&& ($self->server_time - $data->{'cram_time'}) > $data->{'expires_min'} * 60) {

594

$err = 'Login expired';

595

} elsif (lc($data->{'test_pass'}) ne $sum) {

596

$err = 'Invalid login';

597

}

598

}

599

600

### looks like a simple_cram

601

} elsif ($data->{'cram_time'}) {

602

$data->add_data(type => 'simple_cram');

603

die "Type simple_cram disabled during verify_password" if $self->disable_simple_cram;

604

my $real = $pass =~ /^[a-fA-F0-9]{32}$/ ? lc($pass) : md5_hex($pass);

605

my $str = join("/", @{$data}{qw(user cram_time expires_min payload)});

606

my $sum = md5_hex($str .'/'. $real);

607

if ($data->{'expires_min'} > 0

608

&& ($self->server_time - $data->{'cram_time'}) > $data->{'expires_min'} * 60) {

609

$err = 'Login expired';

610

} elsif (lc($data->{'test_pass'}) ne $sum) {

611

$err = 'Invalid login';

612

}

613

614

### expiring plain

615

} elsif ($data->{'plain_time'}

616

&& $data->{'expires_min'} > 0

617

&& ($self->server_time - $data->{'plain_time'}) > $data->{'expires_min'} * 60) {

618

$err = 'Login expired';

619

620

### plaintext_crypt

621

} elsif ($pass =~ m|^([./0-9A-Za-z]{2})([./0-9A-Za-z]{11})$|

622

&& crypt($data->{'test_pass'}, $1) eq $pass) {

623

$data->add_data(type => 'crypt', was_plaintext => 1);

624

625

### failed plaintext crypt

626

} elsif ($self->use_crypt) {

627

$err = 'Invalid login';

628

$data->add_data(type => 'crypt', was_plaintext => ($data->{'test_pass'} =~ /^[a-fA-F0-9]{32}$/ ? 0 : 1));

629

630

### plaintext and md5

631

} else {

632

my $is_md5_t = $data->{'test_pass'} =~ /^[a-fA-F0-9]{32}$/;

633

my $is_md5_r = $pass =~ /^[a-fA-F0-9]{32}$/;

634

my $test = $is_md5_t ? lc($data->{'test_pass'}) : md5_hex($data->{'test_pass'});

635

my $real = $is_md5_r ? lc($pass) : md5_hex($pass);

636

$data->add_data(type => ($is_md5_r ? 'md5' : 'plaintext'), was_plaintext => ($is_md5_t ? 0 : 1));

637

100

$err = 'Invalid login'

638

if $test ne $real;

639

}

640

641

100

$data->error($err) if $err;

642

return ! $err;

643

}

644

645

sub last_auth_data { shift->{'_last_auth_data'} }

646

647

sub generate_token {

648

my $self = shift;

649

my $data = shift || $self->last_auth_data;

650

die "Can't generate a token off of a failed auth" if ! $data;

651

die "Can't generate a token for a user which contains a \"/\"" if $data->{'user'} =~ m{/};

652

my $token;

653

100

my $exp = defined($data->{'expires_min'}) ? $data->{'expires_min'} : $self->expires_min;

654

655

my $user = $data->{'user'} || die "Missing user";

656

my $load = $self->generate_payload($data);

657

die "User can not contain a \"/\." if $user =~ m|/|;

658

die "Payload can not contain a \"/\. Please encode it in generate_payload." if $load =~ m|/|;

659

660

### do kinds that require staying plaintext

661

if ( (defined($data->{'use_plaintext'}) ? $data->{'use_plaintext'} : $self->use_plaintext) # ->use_plaintext is true if ->use_crypt is

100

662

|| (defined($data->{'use_crypt'}) && $data->{'use_crypt'})

663

|| (defined($data->{'type'}) && $data->{'type'} eq 'crypt')) {

664

my $pass = defined($data->{'test_pass'}) ? $data->{'test_pass'} : $data->{'real_pass'};

665

$token = $self->complex_plaintext ? join('/', $user, $self->server_time, $exp, $load, $pass) : "$user/$pass";

666

667

### all other types go to cram - secure_hash_cram, simple_cram, plaintext and md5

668

} else {

669

my $real = defined($data->{'real_pass'}) ? ($data->{'real_pass'} =~ /^[a-fA-F0-9]{32}$/ ? lc($data->{'real_pass'}) : md5_hex($data->{'real_pass'}))

670

: die "Missing real_pass";

671

my $array;

672

100

if (! $data->{'prefer_simple_cram'}

673

&& ($array = eval { $self->secure_hash_keys })

674

&& @$array) {

675

my $rand1 = int(rand @$array);

676

my $rand2 = int(rand 100000);

677

my $str = join("/", $user, $self->server_time, $exp, $load);

678

my $sum = md5_hex($str .'/'. $real .('/sh.'.$array->[$rand1].'.'.$rand2));

679

$token = $str .'/'. $sum . '/sh.'.$rand1.'.'.$rand2;

680

} else {

681

die "Type simple_cram disabled during generate_token" if $self->disable_simple_cram;

682

my $str = join("/", $user, $self->server_time, $exp, $load);

683

my $sum = md5_hex($str .'/'. $real);

684

$token = $str .'/'. $sum;

685

}

686

}

687

688

100

if (my $key = $data->{'use_blowfish'} || $self->use_blowfish) {

689

$token = encrypt_blowfish($token, $key);

690

691

} elsif (defined($data->{'use_base64'}) ? $data->{'use_base64'} : $self->use_base64) {

692

$token = encode_base64($token, '');

693

}

694

695

return $token;

696

}

697

698

sub generate_payload {

699

my $self = shift;

700

my $args = shift;

701

if (my $meth = $self->{'generate_payload'}) {

702

return $meth->($self, $args);

703

}

704

100

return defined($args->{'payload'}) ? $args->{'payload'} : '';

705

}

706

707

sub verify_user {

708

my $self = shift;

709

my $user = shift;

710

100

if (my $meth = $self->{'verify_user'}) {

711

return $meth->($self, $user);

712

}

713

return 1;

714

}

715

716

sub cleanup_user {

717

my $self = shift;

718

my $user = shift;

719

100

if (my $meth = $self->{'cleanup_user'}) {

720

return $meth->($self, $user);

721

}

722

return $user;

723

}

724

725

sub check_form_user_against_cookie {

726

my ($self, $form_user, $cookie_user, $data) = @_;

727

return if ! defined($form_user) || ! defined($cookie_user);

728

return $form_user eq $cookie_user;

729

}

730

731

sub get_pass_by_user {

732

my $self = shift;

733

my $user = shift;

734

if (my $meth = $self->{'get_pass_by_user'}) {

735

return $meth->($self, $user);

736

}

737

738

die "Please override get_pass_by_user";

739

}

740

741

sub verify_payload {

742

my ($self, $payload, $data) = @_;

743

if (my $meth = $self->{'verify_payload'}) {

744

return $meth->($self, $payload, $data);

745

}

746

return 1;

747

}

748

749

###----------------------------------------------------------------###

750

751

sub encrypt_blowfish {

752

my ($str, $key) = @_;

753

754

require Crypt::Blowfish;

755

my $cb = Crypt::Blowfish->new($key);

756

757

$str .= (chr 0) x (8 - length($str) % 8); # pad to multiples of 8

758

759

my $enc = '';

760

$enc .= unpack "H16", $cb->encrypt($1) while $str =~ /\G(.{8})/g; # 8 bytes at a time

761

762

return $enc;

763

}

764

765

sub decrypt_blowfish {

766

my ($enc, $key) = @_;

767

768

require Crypt::Blowfish;

769

my $cb = Crypt::Blowfish->new($key);

770

771

my $str = '';

772

$str .= $cb->decrypt(pack "H16", $1) while $enc =~ /\G([A-Fa-f0-9]{16})/g;

773

$str =~ y/\00//d;

774

775

return $str

776

}

777

778

###----------------------------------------------------------------###

779

780

sub login_template {

781

my $self = shift;

782

return $self->{'login_template'} if $self->{'login_template'};

783

784

my $text = join '',

785

map {ref $_ ? $$_ : /\[%/ ? $_ : $_ ? "[% TRY; PROCESS '$_'; CATCH %][% END %]\n" : ''}

786

$self->login_header, $self->login_form, $self->login_script, $self->login_footer;

787

return \$text;

788

}

789

790

sub login_header { shift->{'login_header'} || 'login_header.tt' }

791

sub login_footer { shift->{'login_footer'} || 'login_footer.tt' }

792

793

sub login_form {

794

my $self = shift;

795

return $self->{'login_form'} if defined $self->{'login_form'};

796

return \q{

797

[% error %]

798

799

800

801

802

803
804		[% text_user %]
805
806
807
808		[% text_pass %]
809
810
811	[% IF ! hide_save ~%]
812
813
814	[% text_save %]
815
816
817	[%~ END %]
818
819
820
821
822
823

824

825

826

};

827

}

828

829

sub text_user { my $self = shift; return defined($self->{'text_user'}) ? $self->{'text_user'} : 'Username:' }

830

sub text_pass { my $self = shift; return defined($self->{'text_pass'}) ? $self->{'text_pass'} : 'Password:' }

831

sub text_save { my $self = shift; return defined($self->{'text_save'}) ? $self->{'text_save'} : 'Save Password ?' }

832

sub hide_save { my $self = shift; return defined($self->{'hide_save'}) ? $self->{'hide_save'} : 0 }

175

833

sub text_submit { my $self = shift; return defined($self->{'text_submit'}) ? $self->{'text_submit'} : 'Login' }

834

835

sub login_script {

836

my $self = shift;

837

return $self->{'login_script'} if defined $self->{'login_script'};

838

return '' if $self->use_plaintext || $self->disable_simple_cram;

839

return \q{

840

841

842

843

862

};

863

}

864

865

###----------------------------------------------------------------###

866

867

package CGI::Ex::Auth::Data;

868

869

use strict;

264

870

use overload

871

128

435

'bool' => sub { ! shift->error },

872

'0+' => sub { 1 },

873

'""' => sub { shift->as_string },

874

2209

fallback => 1;

1813

875

876

sub new {

877

my ($class, $args) = @_;

878

return bless {%{ $args || {} }}, $class;

143

879

}

880

881

sub add_data {

882

my $self = shift;

883

100

126

my $args = @_ == 1 ? shift : {@_};

884

121

@{ $self }{keys %$args} = values %$args;

220

885

}

886

887

sub error {

888

225

223

my $self = shift;

889

225

100

318

if (@_ == 1) {

890

$self->{'error'} = shift;

891

$self->{'error_caller'} = [caller];

892

}

893

225

492

return $self->{'error'};

894

}

895

896

sub as_string {

897

my $self = shift;

898

return $self->error || ($self->{'user'} && $self->{'type'}) ? "Valid auth data" : "Unverified auth data";

899

}

900

901

###----------------------------------------------------------------###

902

903

904

905

__END__