Mojolicious-Plugin-BcryptSecure
Changes
LICENSE
MANIFEST
META.json
META.yml
README
cpanfile
dist.ini
lib/Mojolicious/Plugin/BcryptSecure.pm
t/author-pod-syntax.t
t/bcrypt_config_validate.t
t/bcrypt_default_cost.t
t/bcrypt_set_cost.t
t/bcrypt_validate.t
t/bcrypt_with_settings.t
{
"abstract" : "Securely bcrypt and validate your passwords.",
"author" : [
"Adam Hopkins <srchulo@cpan.org>"
],
"dynamic_config" : 0,
"generated_by" : "Dist::Milla version v1.0.20, Dist::Zilla version 6.012, CPAN::Meta::Converter version 2.150010",
"license" : [
"perl_5"
],
"meta-spec" : {
"url" : "http://search.cpan.org/perldoc?CPAN::Meta::Spec",
---
abstract: 'Securely bcrypt and validate your passwords.'
author:
- 'Adam Hopkins <srchulo@cpan.org>'
build_requires:
Test::Exception: '0'
Test::More: '0.96'
Test::Pod: '0'
configure_requires:
Module::Build::Tiny: '0.034'
dynamic_config: 0
generated_by: 'Dist::Milla version v1.0.20, Dist::Zilla version 6.012, CPAN::Meta::Converter version 2.150010'
NAME
Mojolicious::Plugin::BcryptSecure - Securely bcrypt and validate your
passwords.
STATUS
SYNOPSIS
# Mojolicious::Lite
# use the default cost of 12
plugin 'BcryptSecure'
DESCRIPTION
Mojolicious::Plugin::BcryptSecure is a fork of
Mojolicious::Plugin::Bcrypt with two main differences:
* Crypt::URandom is used to generate the salt used in "bcrypt" with the
strongest available source of non-blocking randomness on the current
platform.
* "secure_compare" in Mojo::Util is used in "bcrypt_validate" when
comparing the crypted passwords to help prevent timing attacks.
You also may want to look at Mojolicious::Command::bcrypt to help
easily generate crypted passwords with your app's bcrypt settings via a
Mojolicious::Command.
OPTIONS
cost
crypted value.
    my $crypted_password = $c->bcrypt($plaintext_password);
    # optionally pass your own settings
    my $crypted_password = $c->bcrypt($plaintext_password, $settings);
$settings is an optional string which encodes the algorithm parameters,
as described in Crypt::Eksblowfish::Bcrypt.
bcrypt_validate
Validates a password against a crypted password (from your database,
for example):
    if ($c->bcrypt_validate($plaintext_password, $crypted_password)) {
        # Authenticated
    } else {
        # Uh oh...
    }
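An added example, not part of the plugin's distribution: a login check built on the two helpers above that rejects malformed stored values before they are used as settings, and re-crypts a valid password when the stored cost is below policy. The names stored_cost, check_login and $POLICY_COST, and the sample record, are hypothetical and constructed for illustration.

```perl
use strict;
use warnings;
use Mojolicious::Lite;

plugin 'BcryptSecure';    # documented default cost of 12
my $POLICY_COST = 12;     # assumed policy value, kept equal to the default

# Hypothetical helper: return the cost encoded in a stored value shaped like
# "$2a$NN$" + 22-char salt + 31-char hash, or nothing if it is malformed.
sub stored_cost {
    my ($crypted) = @_;
    return unless defined $crypted
        && $crypted =~ m{\A\$2a?\$([0-9]{2})\$[./A-Za-z0-9]{53}\z};
    return $1 + 0;
}

# Hypothetical helper: returns (valid, replacement_hash_or_undef).
sub check_login {
    my ($plaintext, $crypted) = @_;
    my $cost = stored_cost($crypted);

    # Malformed records are rejected here instead of being handed to
    # bcrypt_validate, which uses the stored value as bcrypt settings.
    return (0, undef) unless defined $cost;
    return (0, undef) unless app->bcrypt_validate($plaintext, $crypted);

    # Correct password, but crypted below policy: re-crypt while the
    # plaintext is at hand. No $settings, so the salt is fresh and random.
    my $upgraded = $cost < $POLICY_COST ? app->bcrypt($plaintext) : undef;
    return (1, $upgraded);
}

# Constructed sample record: crypted at cost 5 by passing explicit settings,
# standing in for a row written before the cost was raised.
my $legacy = app->bcrypt('correct horse', '$2a$05$abcdefghijklmnopqrstuu');

my ($ok, $new) = check_login('correct horse', $legacy);
printf "legacy record: valid=%d rehash=%s\n",
    $ok, defined $new ? 'cost ' . stored_cost($new) : 'none';

my ($wrong) = check_login('wrong guess', $legacy);
printf "wrong password: valid=%d\n", $wrong;

my ($junk) = check_login('correct horse', 'not-a-bcrypt-hash');
printf "malformed record: valid=%d\n", $junk;
```

When check_login returns a replacement hash, the caller stores it in place of the old record.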
AUTHOR
Adam Hopkins <srchulo@cpan.org>
COPYRIGHT
lib/Mojolicious/Plugin/BcryptSecure.pm view on Meta::CPAN
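    Carp::confess 'Unknown keys/values provided: ' . Mojo::Util::dumper $config if %$config;

    # Settings prefix shared by every new hash: "$2a" plus "$" and the two-digit cost.
    my $settings_without_salt = '$2a' . sprintf '$%02i', $cost;

    $app->helper(bcrypt => sub {
        # $_[1] is the plaintext; $_[2] is the optional caller-supplied settings string.
        # Without settings, a fresh 16-byte salt is drawn from Crypt::URandom.
        return Crypt::Eksblowfish::Bcrypt::bcrypt(
            $_[1],
            $_[2] // $settings_without_salt . '$' . Crypt::Eksblowfish::Bcrypt::en_base64(Crypt::URandom::urandom(16)),
        );
    });

    $app->helper(bcrypt_validate => sub {
        # Re-crypt the candidate using the stored value as settings, then compare in constant time.
        return Mojo::Util::secure_compare Crypt::Eksblowfish::Bcrypt::bcrypt($_[1], $_[2]), $_[2];
    });
}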
1;
__END__
=encoding utf-8
=head1 NAME
Mojolicious::Plugin::BcryptSecure - Securely bcrypt and validate your passwords.
=head1 STATUS
=for html <a href="https://travis-ci.org/srchulo/Mojolicious-Plugin-BcryptSecure"><img src="https://travis-ci.org/srchulo/Mojolicious-Plugin-BcryptSecure.svg?branch=master"></a>
=head1 SYNOPSIS
# Mojolicious::Lite
# use the default cost of 12
lib/Mojolicious/Plugin/BcryptSecure.pm view on Meta::CPAN
L<Mojolicious::Plugin::BcryptSecure> is a fork of L<Mojolicious::Plugin::Bcrypt> with two main differences:
=over
=item
L<Crypt::URandom> is used to generate the salt used in L</bcrypt> with the strongest available source of non-blocking randomness on the current platform.
=item
L<Mojo::Util/secure_compare> is used in L</bcrypt_validate> when comparing the crypted passwords to
help prevent timing attacks.
=back
You also may want to look at L<Mojolicious::Command::bcrypt> to help easily generate crypted passwords
with your app's C<bcrypt> settings via a L<Mojolicious::Command>.
=head1 OPTIONS
=head2 cost
lib/Mojolicious/Plugin/BcryptSecure.pm view on Meta::CPAN
Crypts a password via the bcrypt algorithm and returns the resulting crypted value.
  my $crypted_password = $c->bcrypt($plaintext_password);
  # optionally pass your own settings
  my $crypted_password = $c->bcrypt($plaintext_password, $settings);
C<$settings> is an optional string which encodes the algorithm parameters, as described in L<Crypt::Eksblowfish::Bcrypt>.
=head2 bcrypt_validate
Validates a password against a crypted password (from your database, for example):
  if ($c->bcrypt_validate($plaintext_password, $crypted_password)) {
      # Authenticated
  } else {
      # Uh oh...
  }
=head1 AUTHOR
Adam Hopkins E<lt>srchulo@cpan.orgE<gt>
=head1 COPYRIGHT
t/bcrypt_validate.t view on Meta::CPAN
use Test::More;
use Mojolicious::Lite;
plugin 'BcryptSecure';
my @wrong_passwords = qw(foo quux supercalifragilisticexpialidocious);
while (<DATA>) {
    chomp;
    my ($crypted_password, $hash, $password) = split ' ';
    ok app->bcrypt_validate($password, $crypted_password . $hash);
    ok !app->bcrypt_validate($_, $crypted_password . $hash) for @wrong_passwords;
}
done_testing;
__DATA__
$2$05$CCCCCCCCCCCCCCCCCCCCC. 7uG0VCzI2bS7j6ymqJi9CdcdxiRTWNy
$2$07$aba.............kC2SI. cbHK1ODT5F77pYUqRNV63bd/IDxsTXq 0
$2$07$abcdee..........kC2SI. HiVB5Ax/RkxnDF2P5lQk06NBgbF/xYO 0
$2$07$abcdefghijklmnopkC2SI. 7Q0nVrcMF4umRv5Pk5vDi0GlDI.lLE. 0
$2$07$abcdefghijklmnopqrstuu AgtOGDu2Z1DC3oOn6HzhbBE811IGUYu 0