[gantry] r1481 committed - Added the ability to encrypt passwords by defining the configuration v...


codesite...@google.com

Feb 17, 2011, 3:11:58 PM2/17/11
to gan...@googlegroups.com
Revision: 1481
Author: num...@gmail.com
Date: Thu Feb 17 12:11:00 2011
Log: Added the ability to encrypt passwords by defining the configuration
variable auth_password_encryption. By default, it will attempt to look up
passwords using the Gantry::Utils::Crypt::encrypt, and using the configured
auth_secret as Crypt's salt. The user can optionally configure
auth_password_salt as a separate value for additional security. Currently,
the user will have to put CRUD code in place that puts the crypted
passwords into the defined auth_table and auth_password_field, but this
lays the authentication groundwork.
http://code.google.com/p/gantry/source/detail?r=1481

Modified:
/trunk/lib/Gantry/Plugins/AuthCookie.pm

=======================================
--- /trunk/lib/Gantry/Plugins/AuthCookie.pm Thu Sep 24 14:47:12 2009
+++ /trunk/lib/Gantry/Plugins/AuthCookie.pm Thu Feb 17 12:11:00 2011
@@ -31,6 +31,8 @@
auth_secret
auth_user_field
auth_password_field
+ auth_password_encryption
+ auth_password_salt
auth_group_table
auth_group_join_table
auth_logout_url
@@ -92,7 +94,12 @@
$gobj->auth_password_field(
$gobj->fish_config( 'auth_password_field' ) || 'password'
);
-
+ $gobj->auth_password_encryption(
+ $gobj->fish_config( 'auth_password_encryption' ) || ''
+ );
+ $gobj->auth_password_salt(
+ $gobj->fish_config( 'auth_password_salt' ) || ''
+ );
$gobj->auth_require(
$gobj->fish_config( 'auth_require' ) || 'valid-user'
);
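Review bot: `auth_password_encryption` is stored as a bare string here but is only ever tested for truth in the login branch, so any non-empty value selects Gantry::Utils::Crypt; the name reads like an algorithm selector, which may mislead whoever writes the config. A comment on the setter would make the contract explicit: `# any true value routes the submitted password through Gantry::Utils::Crypt before lookup`. Separately, `|| ''` on both new settings treats a configured value of `0` as unset; `// ''` would preserve it, if the file's minimum Perl version permits defined-or.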
@@ -817,37 +824,36 @@
}
else {
eval {
- my $sch = $self->can( 'get_auth_schema' )
- ? $self->get_auth_schema()
- : $self->get_schema();
my $password_field = $self->auth_password_field();
- my $row = $sch->resultset( $self->auth_table() )->find( {
- $self->auth_user_field() => $in{username},
- $self->auth_password_field() => $in{password},
- } );
-
- if ( $row ) {
- # Specified user/pass is correct so save the auth row.
+ my $password_to_auth;
+ if($self->auth_password_encryption(){
+ require Gantry::Utils::Crypt;
+ my $salt = $self->auth_password_salt ||
$self->auth_secret();
+ my $crypt_obj = Gantry::Utils::Crypt->new(
+ { 'secret' => $salt }
+ );
+ $password_to_auth =
$crypt_obj->encrypt($in{'password'});
+ }
+ else{
+ $password_to_auth = $in{'password'};
+ }
+
+ my $sch = $self->get_auth_schema();
+ my $row = $sch->resultset( $self->auth_table() )->search( {
+ $self->auth_user_field() => $in{username},
+ } )->next;
+
+ if ($row && $row->$password_field eq $password_to_auth) {
$self->auth_user_row( $row );
}
+ elsif ( $row ) {
+ push( @errors, "Invalid password" );
+ }
else {
- # We didn't get a row back so query again
- # using only the user to determine if we have
- # a bad user name or bad password. This extra
- # step is necessary in the case where we are using
- # encrypted passwords.
- $row = $sch->resultset( $self->auth_table() )->find( {
- $self->auth_user_field() => $in{username},
- } );
-
- unless ( $row ) {
- push( @errors, 'Invalid user' );
- }
- else {
- push( @errors, "Invalid password" );
- }
+ push( @errors, 'Invalid user' );
}
};
+
if ( $@ ) {
die 'Error: (perhaps you didn\'t include AuthCookie in '
. "the same list as -Engine?). Full error: $@";
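Review bot: The new `if` that switches on `auth_password_encryption` is missing its closing parenthesis and will not compile: `if($self->auth_password_encryption(){` should read `if ( $self->auth_password_encryption() ) {`. The salt falls back to `$self->auth_secret()` when `auth_password_salt` is empty, so the cookie secret doubles as the password-derivation secret and rotating one silently invalidates the other; that line deserves a comment saying so. The removed `can( 'get_auth_schema' )` fallback to `get_schema()` is not replaced, so applications that only provide `get_schema` will now fail inside the eval and surface as the generic "-Engine" error rather than a clear message. Finally, `$row->$password_field eq $password_to_auth` is a plain string comparison, and the hunk does not show whether `Gantry::Utils::Crypt->encrypt` is deterministic for a fixed secret, which it must be for this equality check to ever succeed.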
@@ -913,6 +919,28 @@

} # end auth_password_field

+#-------------------------------------------------
+# $self->auth_password_encryption
+#-------------------------------------------------
+sub auth_password_encryption {
+ my ( $self, $p ) = ( shift, shift );
+
+ $$self{__AUTH_PASSWORD_ENCRYPTION__} = $p if defined $p;
+ return( $$self{__AUTH_PASSWORD_ENCRYPTION__} );
+
+} # end auth_password_encryption
+
+#-------------------------------------------------
+# $self->auth_password_salt
+#-------------------------------------------------
+sub auth_password_salt {
+ my ( $self, $p ) = ( shift, shift );
+
+ $$self{__AUTH_PASSWORD_SALT__} = $p if defined $p;
+ return( $$self{__AUTH_PASSWORD_SALT__} );
+
+} # end auth_password_salt
+
#-------------------------------------------------
# $self->auth_secret
#-------------------------------------------------
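Review bot: The header comments for the two new accessors only repeat the method name; since the login code substitutes `auth_secret` when the salt is empty, the salt accessor should say so: `# Salt passed to Gantry::Utils::Crypt; when empty, auth_secret is used in its place.` The encryption accessor likewise needs `# Truthy => submitted passwords are run through Gantry::Utils::Crypt before the lookup.` Both use `my ( $self, $p ) = ( shift, shift );`, which reads more naturally as `my ( $self, $p ) = @_;` unless the surrounding accessors (not visible here) already use the shift form.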
