chiark
/
gitweb
/
~ian
/
cgi-auth-flexible.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
wip
[cgi-auth-flexible.git]
/
cgi-auth-hybrid.pm
diff --git
a/cgi-auth-hybrid.pm
b/cgi-auth-hybrid.pm
index d945faefa5cc44c388a430a76732dd9317c688c0..21a8fb523e875ef82339283e2de05542ca332edf 100644
(file)
--- a/
cgi-auth-hybrid.pm
+++ b/
cgi-auth-hybrid.pm
@@
-40,6
+40,7
@@
use DBI;
use CGI qw/escapeHTML/;
use Locale::gettext;
use URI;
use CGI qw/escapeHTML/;
use Locale::gettext;
use URI;
+use IO::File;
use Data::Dumper;
#---------- public utilities ----------
use Data::Dumper;
#---------- public utilities ----------
@@
-91,11
+92,9
@@
sub login_ok_password ($$) {
sub do_redirect_cgi ($$$$) {
my ($c, $r, $new_url, $cookie) = @_;
sub do_redirect_cgi ($$$$) {
my ($c, $r, $new_url, $cookie) = @_;
- my @ha = ('text/html',
- -status => '303 See other',
- -location => $new_url);
- push @ha, (-cookie => $cookie) if defined $cookie;
- $r->_print($c->header(@ha),
+ $r->_print($c->header($r->_cgi_header_args($cookie,
+ -status => '303 See other',
+ -location => $new_url)),
$r->_ch('gen_start_html',$r->_gt('Redirection')),
'<a href="'.escapeHTML($new_url).'">',
$r->_gt("If you aren't redirected, click to continue."),
$r->_ch('gen_start_html',$r->_gt('Redirection')),
'<a href="'.escapeHTML($new_url).'">',
$r->_gt("If you aren't redirected, click to continue."),
@@
-107,20
+106,20
@@
sub gen_plain_login_form ($$) {
my ($c,$r, $params) = @_;
my @form;
push @form, ('<form method="POST" action="'.
my ($c,$r, $params) = @_;
my @form;
push @form, ('<form method="POST" action="'.
- escapeHTML($r->_ch('get_url')).'>'.
+ escapeHTML($r->_ch('get_url')).'
"
>'.
'<table>');
my $sz = 'size="'.$r->{S}{form_entry_size}.'"';
foreach my $up (@{ $r->{S}{username_param_names}}) {
push @form, ('<tr><td>',$r->_gt(ucfirst $up),'</td>',
'<table>');
my $sz = 'size="'.$r->{S}{form_entry_size}.'"';
foreach my $up (@{ $r->{S}{username_param_names}}) {
push @form, ('<tr><td>',$r->_gt(ucfirst $up),'</td>',
- '<td><input type="text" '
,
$sz.
- ' name='
,$up,
'></td></tr>');
+ '<td><input type="text" '
.
$sz.
+ ' name='
.$up.
'></td></tr>');
}
push @form, ('<tr><td>'.$r->_gt('Password'),'</td>',
'<td><input type="password" '.$sz.
' name="'.$r->{S}{password_param_name}.'"></td></tr>');
push @form, ('<tr><td colspan="2">',
'<input type="submit"'.
}
push @form, ('<tr><td>'.$r->_gt('Password'),'</td>',
'<td><input type="password" '.$sz.
' name="'.$r->{S}{password_param_name}.'"></td></tr>');
push @form, ('<tr><td colspan="2">',
'<input type="submit"'.
- ' name="'.$r->{S}{login_submit_name}.'"'.
+ ' name="'.$r->{S}{login_submit_name}
[0]
.'"'.
' value="'.$r->_gt('Login').'"></td></tr>',
'</table>');
foreach my $n (keys %$params) {
' value="'.$r->_gt('Login').'"></td></tr>',
'</table>');
foreach my $n (keys %$params) {
@@
-155,6
+154,7
@@
sub new_verifier {
associdlen => 128, # bits
login_timeout => 86400, # seconds
assoc_param_name => 'cah_associd',
associdlen => 128, # bits
login_timeout => 86400, # seconds
assoc_param_name => 'cah_associd',
+ cookie_name => "cah_associd",
password_param_name => 'password',
username_param_names => [qw(username)],
form_entry_size => 60,
password_param_name => 'password',
username_param_names => [qw(username)],
form_entry_size => 60,
@@
-177,12
+177,13
@@
sub new_verifier {
do_redirect => \&do_redirect_cgi, # this hook is allowed to throw
cookie_path => "/",
get_cookie_domain => \&get_cookie_domain,
do_redirect => \&do_redirect_cgi, # this hook is allowed to throw
cookie_path => "/",
get_cookie_domain => \&get_cookie_domain,
- encrypted_only =>
0
,
+ encrypted_only =>
1
,
gen_start_html => sub { $_[0]->start_html($_[2]); },
gen_end_html => sub { $_[0]->end_html(); },
gen_login_form => \&gen_plain_login_form,
gen_login_link => \&gen_plain_login_link,
gettext => sub { gettext($_[2]); },
gen_start_html => sub { $_[0]->start_html($_[2]); },
gen_end_html => sub { $_[0]->end_html(); },
gen_login_form => \&gen_plain_login_form,
gen_login_link => \&gen_plain_login_link,
gettext => sub { gettext($_[2]); },
+ print => sub { print $_[2] or die $!; },
},
Dbh => undef,
};
},
Dbh => undef,
};
@@
-305,14
+306,15
@@
sub construct_cookie ($$$) {
my ($r, $cookv) = @_;
return undef unless $cookv;
my $c = $r->{Cgi};
my ($r, $cookv) = @_;
return undef unless $cookv;
my $c = $r->{Cgi};
-
my $cookt = $c->cookie
(-name => $r->{S}{cookie_name},
+
my @ca =
(-name => $r->{S}{cookie_name},
-value => $cookv,
-path => $r->{S}{cookie_path},
-domain => $r->_ch('get_cookie_domain'),
-expires => '+'.$r->{S}{login_timeout}.'s',
-secure => $r->{S}{encrypted_only});
-value => $cookv,
-path => $r->{S}{cookie_path},
-domain => $r->_ch('get_cookie_domain'),
-expires => '+'.$r->{S}{login_timeout}.'s',
-secure => $r->{S}{encrypted_only});
-print STDERR "CC $r $c $cookv $cookt\n";
- return $cookt;
+ my $cookie = $c->cookie(@ca);
+print STDERR "CC $r $c $cookv $cookie (@ca).\n";
+ return $cookie;
}
# pages/param-sets are
}
# pages/param-sets are
@@
-330,7
+332,7
@@
print STDERR "CC $r $c $cookv $cookt\n";
# y, yN value corresponds to logged-in user
# n, nN value not in our db
# x, xN t or y
# y, yN value corresponds to logged-in user
# n, nN value not in our db
# x, xN t or y
-# - no value supplied
+# - no value supplied
(represented in code as $cookt='')
# if N differs the case applies only when the two values differ
# (eg, a1 y2 does not apply when the logged-in value is supplied twice)
# if N differs the case applies only when the two values differ
# (eg, a1 y2 does not apply when the logged-in value is supplied twice)
@@
-409,8
+411,9
@@
print STDERR "CC $r $c $cookv $cookt\n";
# revoke y2
# treat as -/n n POST
#
# revoke y2
# treat as -/n n POST
#
- # -/n
n
GET n cross-site link but user not logged in
+ # -/n
-/n
GET n cross-site link but user not logged in
# show login form with redirect to orig params
# show login form with redirect to orig params
+ # generate fresh cookie
#
# -/n n GET rmu user not logged in
# fail
#
# -/n n GET rmu user not logged in
# fail
@@
-431,6
+434,8
@@
sub _check_divert_core ($) {
my ($cookt,$cooku) = $r->_db_lookup($cookv);
my $parmt = $r->_db_lookup($parmv);
my ($cookt,$cooku) = $r->_db_lookup($cookv);
my $parmt = $r->_db_lookup($parmv);
+ print STDERR "_c_d_c cookt=$cookt parmt=$parmt\n";
+
if ($r->_ch('is_logout')) {
$r->_must_be_post();
die unless $parmt;
if ($r->_ch('is_logout')) {
$r->_must_be_post();
die unless $parmt;
@@
-491,15
+496,17
@@
sub _check_divert_core ($) {
if ($cookt ne 'y') {
die unless !$cookt || $cookt eq 'n';
die unless !$parmt || $parmt eq 'n' || $parmt eq 'y';
if ($cookt ne 'y') {
die unless !$cookt || $cookt eq 'n';
die unless !$parmt || $parmt eq 'n' || $parmt eq 'y';
+ my $newv = $r->_fresh_cookie();
if ($meth eq 'GET') {
return ({ Kind => 'LOGIN-INCOMINGLINK',
Message => "You need to log in again.",
if ($meth eq 'GET') {
return ({ Kind => 'LOGIN-INCOMINGLINK',
Message => "You need to log in again.",
- CookieVal => $
parm
v,
+ CookieVal => $
new
v,
Params => $r->_chain_params() });
} else {
Params => $r->_chain_params() });
} else {
+ $r->_db_revoke($parmv);
return ({ Kind => 'LOGIN-FRESH',
Message => "You need to log in again.",
return ({ Kind => 'LOGIN-FRESH',
Message => "You need to log in again.",
- CookieVal => $
parm
v,
+ CookieVal => $
new
v,
Params => { } });
}
}
Params => { } });
}
}
@@
-620,6
+627,14
@@
sub url_with_query_params ($$) {
return $uri->as_string();
}
return $uri->as_string();
}
+sub _cgi_header_args ($$@) {
+ my ($r, $cookie, @ha) = @_;
+ unshift @ha, qw(-type text/html);
+ push @ha, (-cookie => $cookie) if defined $cookie;
+ print STDERR "_cgi_header_args ",join('|',@ha),".\n";
+ return @ha;
+}
+
sub check_ok ($) {
my ($r) = @_;
sub check_ok ($) {
my ($r) = @_;
@@
-632,6
+647,7
@@
sub check_ok ($) {
my $kind = $divert->{Kind};
my $cookieval = $divert->{CookieVal};
my $params = $divert->{Params};
my $kind = $divert->{Kind};
my $cookieval = $divert->{CookieVal};
my $params = $divert->{Params};
+ my $cookie = $r->construct_cookie($cookieval);
if ($kind =~ m/^REDIRECT-/) {
# for redirects, we honour stored NextParams and SetCookie,
if ($kind =~ m/^REDIRECT-/) {
# for redirects, we honour stored NextParams and SetCookie,
@@
-645,7
+661,6
@@
sub check_ok ($) {
die;
}
my $new_url = $r->url_with_query_params($params);
die;
}
my $new_url = $r->url_with_query_params($params);
- my $cookie = $r->construct_cookie($r, $cookieval);
$r->_ch('do_redirect',$new_url, $cookie);
return 0;
}
$r->_ch('do_redirect',$new_url, $cookie);
return 0;
}
@@
-663,8
+678,9
@@
sub check_ok ($) {
die $kind;
}
die $kind;
}
- $r->_print($r->_ch('gen_start_html',$title),
- @body,
+ $r->_print($r->{Cgi}->header($r->_cgi_header_args($cookie)),
+ $r->_ch('gen_start_html',$title),
+ (join "\n", @body),
$r->_ch('gen_end_html'));
return 0;
}
$r->_ch('gen_end_html'));
return 0;
}
@@
-681,11
+697,14
@@
sub _random ($$) {
$!=0;
read($rsf,$bin,$bytes) == $bytes or die "$rsp $!";
close $rsf;
$!=0;
read($rsf,$bin,$bytes) == $bytes or die "$rsp $!";
close $rsf;
- return unpack "H*", $bin;
+ my $out = unpack "H*", $bin;
+ print STDERR "_random out $out\n";
+ return $out;
}
sub _fresh_cookie ($) {
my ($r) = @_;
}
sub _fresh_cookie ($) {
my ($r) = @_;
+ print STDERR "_fresh_cookie\n";
my $bytes = ($r->{S}{associdlen} + 7) >> 3;
return $r->_random($bytes);
}
my $bytes = ($r->{S}{associdlen} + 7) >> 3;
return $r->_random($bytes);
}