view release on metacpan or  search on metacpan

lib/Apache/AuthCookie.pm  view on Meta::CPAN

sub login ($$) {
    my ($self, $r) = @_;
    my $debug = $r->dir_config("AuthCookieDebug") || 0;

    my ($auth_type, $auth_name) = ($r->auth_type, $r->auth_name);

    my $params = $self->params($r);

    $self->_convert_to_get($r) if $r->method eq 'POST';

    my $destination         = $params->param('destination');
    my $default_destination = $r->dir_config("${auth_name}DefaultDestination");

    if (is_blank($destination)) {
        if (!is_blank($default_destination)) {
            $destination = $default_destination;
            $r->log_error("destination set to $destination");
        }
        else {
            $r->log_error("No key 'destination' found in form data");
            $r->subprocess_env('AuthCookieReason', 'no_cookie');
            return $auth_type->login_form;
        }
    }

    if ($r->dir_config("${auth_name}EnforceLocalDestination")) {
        my $current_url = Apache::URI->parse($r)->unparse;
        unless (is_local_destination($destination, $current_url)) {
            $r->log_error("non-local destination $destination detected for uri ",$r->uri);

            if (is_local_destination($default_destination, $current_url)) {
                $destination = $default_destination;
                $r->log_error("destination changed to $destination");
            }
            else {
                $r->log_error("Returning login form: non local destination: $destination");
                $r->subprocess_env('AuthCookieReason', 'no_cookie');
                return $auth_type->login_form($r);
            }
        }
    }

    # Get the credentials from the data posted by the client
    my @credentials;
    for (my $i = 0 ; defined $params->param("credential_$i") ; $i++) {
        my $key = "credential_$i";
        my $val = $params->param("credential_$i");
        $r->log_error("$key $val") if $debug >= 2;
        push @credentials, $val;
    }

    # save creds in pnotes in case login form script wants to use them.
    $r->pnotes("${auth_name}Creds", \@credentials);

    # Exchange the credentials for a session key.
    my $ses_key = $self->authen_cred($r, @credentials);
    unless ($ses_key) {
        $r->log_error("Bad credentials") if $debug >= 2;
        $r->subprocess_env('AuthCookieReason', 'bad_credentials');
        $r->uri($self->untaint_destination($destination));
        return $auth_type->login_form;
    }

    if ($debug >= 2) {
        if (defined $ses_key) {
            $r->log_error("ses_key $ses_key");
        }
        else {
            $r->log_error("ses_key undefined");
        }
    }

    $self->send_cookie($ses_key);

    $self->handle_cache;

    $r->header_out(Location => $self->untaint_destination($destination));

    return REDIRECT;
}


sub untaint_destination {
    my ($self, $dest) = @_;

    return Apache::AuthCookie::Util::escape_destination($dest);
}


sub logout($$) {
    my ($self, $r) = @_;
    my $debug = $r->dir_config("AuthCookieDebug") || 0;

    $self->remove_cookie;

    $self->handle_cache;

    #my %args = $r->args;
    #if (exists $args{'redirect'}) {
    #  $r->err_header_out("Location" => $args{'redirect'});
    #  return REDIRECT;
    #} else {
    #  $r->status(200);
    #  return OK;
    #}
}


sub authenticate ($$) {
    my ($auth_type, $r) = @_;
    my $auth_user;
    my $debug = $r->dir_config("AuthCookieDebug") || 0;

    $r->log_error("auth_type " . $auth_type) if ($debug >= 3);

    unless ($r->is_initial_req) {
        if (defined $r->prev) {
            # we are in a subrequest.  Just copy user from previous request.
            # encoding would have been handled in prev req, so do not encode here.
            $r->connection->user($r->prev->connection->user);
        }
        return OK;
    }

    if ($r->auth_type ne $auth_type) {
        # This location requires authentication because we are being called,
        # but we don't handle this AuthType.
        $r->log_error("AuthType mismatch: $auth_type =/= " . $r->auth_type)
            if $debug >= 3;
        return DECLINED;
    }

    # Ok, the AuthType is $auth_type which we handle, what's the authentication
    # realm's name?
    my $auth_name = $r->auth_name;
    $r->log_error("auth_name " . $auth_name) if $debug >= 2;
    unless ($auth_name) {
        $r->log_reason("AuthName not set, AuthType=$auth_type", $r->uri);
        return SERVER_ERROR;
    }

    # Get the Cookie header. If there is a session key for this realm, strip
    # off everything but the value of the cookie.

lib/Apache/AuthCookie.pm  view on Meta::CPAN

  sub custom_errors {
    my ($self,$r,$CODE,$msg) = @_;
    # return custom message else use the server's standard message
    $r->custom_response($CODE, $msg) if $msg;
    return($CODE);
  }

  where CODE is a valid code from Apache::Constants

=head2 recognize_user($r)

If the user has provided a valid session key but the document isn't
protected, this method will set C<$r-E<gt>connection-E<gt>user>
anyway.  Use it as a PerlFixupHandler, unless you have a better idea.

=head2 encoding($r): string

Return the ${auth_name}Encoding setting that is in effect for this request.

=head2 requires_encoding($r): string

Return the ${auth_name}RequiresEncoding setting that is in effect for this request.

=head2 decoded_user($r): string

If you have set ${auth_name}Encoding, then this will return the decoded value of
C<< $r->connection->user >>.

=head2 decoded_requires($r): arrayref

This method returns the C<< $r->requires >> array, with the C<requirement>
values decoded if C<${auth_name}RequiresEncoding> is in effect for this
request.

=head2 handle_cache(): void

If C<${auth_name}Cache> is defined, this sets up the response so that the
client will not cache the result.  This sents C<no_cache> in the apache request
object and sends the appropriate headers so that the client will not cache the
response.

=head2 remove_cookie(): void

Adds a C<Set-Cookie> header that instructs the client to delete the cookie
immediately.

=head2 params($r): Apache::AuthCookie::Params

Get the params object for this request.

=head2 login($r)

This method handles the submission of the login form.  It will call
the C<authen_cred()> method, passing it C<$r> and all the submitted
data with names like C<"credential_#">, where # is a number.  These will
be passed in a simple array, so the prototype is
C<$self-E<gt>authen_cred($r, @credentials)>.  After calling
C<authen_cred()>, we set the user's cookie and redirect to the
URL contained in the C<"destination"> submitted form field.

=head2 untaint_destination($uri)

This method returns a modified version of the destination parameter
before embedding it into the response header. Per default it escapes
CR, LF and TAB characters of the uri to avoid certain types of
security attacks. You can override it to more limit the allowed
destinations, e.g., only allow relative uris, only special hosts or
only limited set of characters.

=head2 logout($r)

This is simply a convenience method that unsets the session key for
you.  You can call it in your logout scripts.  Usually this looks like
C<$r-E<gt>auth_type-E<gt>logout($r);>.

=head2 authenticate($r)

This method is one you'll use in a server config file (httpd.conf,
.htaccess, ...) as a PerlAuthenHandler.  If the user provided a
session key in a cookie, the C<authen_ses_key()> method will get
called to check whether the key is valid.  If not, or if there is no
key provided, we redirect to the login form.

=head2 login_form()

This method is responsible for displaying the login form. The default
implementation will make an internal redirect and display the URL you
specified with the C<PerlSetVar WhatEverLoginScript> configuration
directive. You can overwrite this method to provide your own
mechanism.

=head2 login_form_status($r)

This method returns the HTTP status code that will be returned with the login
form response.  The default behaviour is to return FORBIDDEN, except for some
known browsers which ignore HTML content for FORBIDDEN responses (e.g.:
SymbianOS).  You can override this method to return custom codes.

Note that FORBIDDEN is the most correct code to return as the given request was
not authorized to view the requested page.  You should only change this if
FORBIDDEN does not work.

=head2 get_satisfy(): string

Get the C<Satisfy> value for the current request, or C<all> if it is not
configured.

=head2 authorize($r)

This will step through the C<require> directives you've given for
protected documents and make sure the user passes muster.  The
C<require valid-user> and C<require user joey-jojo> directives are
handled for you.  You can implement custom directives, such as
C<require species hamster>, by defining a method called C<species()>
in your subclass, which will then be called.  The method will be
called as C<$r-E<gt>species($r, $args)>, where C<$args> is everything
on your C<require> line after the word C<species>.  The method should
return OK on success and FORBIDDEN on failure.

=head2 send_cookie($session_key)