CGI-Application-Plugin-Authentication


lib/CGI/Application/Plugin/Authentication.pm

# Only the tail of this helper survives on this page; the sub header and the
# first multiplier entries are reconstructed here from the table and the
# comments that follow (the plugin calls this helper _time_to_seconds).
sub _time_to_seconds {
    my $time = shift;
    my %mult = (
        's' => 1,
        'm' => 60,
        'h' => 60 * 60,
        'd' => 60 * 60 * 24,
        'w' => 60 * 60 * 24 * 7,
        'M' => 60 * 60 * 24 * 30,
        'y' => 60 * 60 * 24 * 365
    );
    # format for time can be in any of the forms...
    # "180" -- in 180 seconds
    # "180s" -- in 180 seconds
    # "2m" -- in 2 minutes
    # "12h" -- in 12 hours
    # "1d"  -- in 1 day
    # "4w"  -- in 4 weeks
    # "3M"  -- in 3 months
    # "2y"  -- in 2 years
    my $offset;
    if ( $time =~ /^([+-]?(?:\d+|\d*\.\d*))([smhdwMy]?)$/ ) {
        # a bare number or an "s" suffix must be a whole number of seconds;
        # fractional values are only meaningful with a larger unit
        return if (!$2 || $2 eq 's') && $1 != int $1;
        $offset = int ( ( $mult{$2} || 1 ) * $1 );
    }
    return $offset;   # undef when the string does not parse
}


=head1 EXAMPLE

In a CGI::Application module:

  use base qw(CGI::Application);
  use CGI::Application::Plugin::AutoRunmode;
  use CGI::Application::Plugin::Session;
  use CGI::Application::Plugin::Authentication;

  __PACKAGE__->authen->config(
        DRIVER         => [ 'Generic', { user1 => '123' } ],
        STORE          => 'Session',
        LOGOUT_RUNMODE => 'start',
  );
  __PACKAGE__->authen->protected_runmodes(qr/^auth_/, 'one');

  sub start : RunMode {
    my $self = shift;

  }

  sub one : RunMode {
    my $self = shift;

    # The user will only get here if they are logged in
  }

  sub auth_two : RunMode {
    my $self = shift;

    # This is also protected because of the
    # regexp call to protected_runmodes above
  }

=head1 COMPATIBILITY WITH L<CGI::Application::Plugin::ActionDispatch>

The prerun callback has been modified so that it will check for the presence of a prerun mode.
This is for compatibility with L<CGI::Application::Plugin::ActionDispatch>. This
change should be considered experimental. It is necessary to load the ActionDispatch
module so that the two prerun callbacks will be called in the correct order.

=head1 RECOMMENDED USAGE

=over

=item CSS

Current best practice is not to embed CSS in HTML, so it is best to set
LOGIN_FORM -> DISPLAY_CLASS to 'Basic'.

=item Post login destination

Of the various means of selecting a post-login destination, the most secure appears
to be POST_LOGIN_URL. The C<destination> parameter could potentially be hijacked by
an attacker, and the POST_LOGIN_RUNMODE parameter relies on a hidden form parameter
that could likewise be hijacked.

=item Taint mode

Do run your code under taint mode. It should help protect your application
against a number of attacks.

=item URL and username checking

Please set the C<DETAINT_URL_REGEXP> and C<DETAINT_USERNAME_REGEXP> parameters
as tightly as possible. In particular, you should prevent the destination parameter
from being used to redirect authenticated users to external sites; unless of course
that is what you want, in which case that site should be the only external site the
pattern accepts.

=item The login form

The HTML currently generated does not appear to be standards compliant, as per
RT bug 58023. The default login form also includes hidden form fields that could
conceivably be hijacked.
Set LOGIN_FORM -> DISPLAY_CLASS to 'Basic' to fix this.

=back
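The following script is added here as an illustration of the recommendations above; it is not code from the plugin or its test suite. It gathers the recommended settings into one configuration: a plain login form (LOGIN_FORM -> DISPLAY_CLASS 'Basic'), a fixed POST_LOGIN_URL instead of a client-supplied destination, and tight DETAINT_URL_REGEXP and DETAINT_USERNAME_REGEXP patterns that accept only same-site paths and simple usernames. It assumes the plugin applies each regexp to the raw parameter and keeps the first capture group, which is the usual Perl detainting idiom; the detaint() helper and the sample inputs are constructed for the demonstration and mirror that behaviour outside the plugin.

```perl
#!/usr/bin/perl
# Added example (not from the plugin): a hardened config plus a small harness
# showing which destinations and usernames the detaint patterns let through.
use strict;
use warnings;

my %authen_config = (
    DRIVER         => [ 'Generic', { user1 => '123' } ],
    STORE          => 'Session',
    # Fixed post-login target: nothing for a client to tamper with.
    POST_LOGIN_URL => '/start',
    LOGOUT_RUNMODE => 'start',
    # Plain form: no embedded CSS, no extra hidden fields.
    LOGIN_FORM     => { DISPLAY_CLASS => 'Basic' },
    # Accept only a same-site path: one leading "/", not "//" (which browsers
    # treat as a scheme-relative URL to another host), then a conservative
    # character set. \A and \z, rather than ^ and $, refuse a trailing newline.
    DETAINT_URL_REGEXP      => qr/\A(\/(?!\/)[\w\-.\/?=&;%+~#]*)\z/,
    # Usernames: 3 to 32 characters from a small, unambiguous set.
    DETAINT_USERNAME_REGEXP => qr/\A([A-Za-z0-9._-]{3,32})\z/,
);
# In the CGI::Application module itself this hash would be passed as
#   __PACKAGE__->authen->config(%authen_config);

# Detaint the way the plugin is assumed to: a successful match returns the
# captured group (which Perl treats as untainted), anything else returns undef.
sub detaint {
    my ( $value, $re ) = @_;
    return undef unless defined $value && $value =~ $re;
    return $1;
}

# Constructed sample inputs, with the expected outcome noted on each line.
my @destinations = (
    '/report?id=42&sort=name',      # accepted: same-site path
    '/',                            # accepted
    'http://example.org/login',     # rejected: absolute URL to another site
    '//example.org/login',          # rejected: scheme-relative URL
    "/fine\nSet-Cookie: x=1",       # rejected: embedded newline
    '/with space',                  # rejected: whitespace
    '/a\b',                         # rejected: backslash
);
my @usernames = (
    'user1',        # accepted
    'a.b-c_d',      # accepted
    'ab',           # rejected: too short
    'x' x 40,       # rejected: too long
    "user1\n",      # rejected: trailing newline (\z catches what $ would not)
    'user 1',       # rejected: whitespace
);

for my $d (@destinations) {
    my $clean = detaint( $d, $authen_config{DETAINT_URL_REGEXP} );
    ( my $shown = $d ) =~ s/\n/\\n/g;
    printf "destination %-28s => %s\n", "'$shown'",
        defined $clean ? "accepted ($clean)" : 'rejected';
}
for my $u (@usernames) {
    my $clean = detaint( $u, $authen_config{DETAINT_USERNAME_REGEXP} );
    ( my $shown = $u ) =~ s/\n/\\n/g;
    printf "username    %-28s => %s\n", "'$shown'",
        defined $clean ? "accepted ($clean)" : 'rejected';
}
```

Run it with C<perl -T> to see the same patterns at work under taint mode: the capture group is exactly what untaints a request parameter, so a pattern that is too loose untaints a value it should have refused. If one external site really is an intended destination, add it to the alternation as a literal host rather than widening the character class.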

=head1 TODO

There are lots of things that can still be done to improve this plugin. If anyone else is interested
in helping out, feel free to dig right in. Many of these things don't need my input, but if you want
to avoid duplicated effort, send me a note and I'll let you know if anyone else is working in the same area.

=over 4

=item review the code for security bugs and report

=item complete the separation of presentation and logic

=item write a tutorial

=item build more Drivers (Class::DBI, LDAP, Radius, etc...)

=item Add support for method attributes to identify runmodes that require authentication

=item finish the test suite

=item provide more example code

=back