chiark
/
gitweb
/
~ian
/
cgi-auth-flexible.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
wip
[cgi-auth-flexible.git]
/
cgi-auth-hybrid.pm
diff --git
a/cgi-auth-hybrid.pm
b/cgi-auth-hybrid.pm
index 4f74cded4fe0e89a99f258640757b1cc4f03e000..21a8fb523e875ef82339283e2de05542ca332edf 100644
(file)
--- a/
cgi-auth-hybrid.pm
+++ b/
cgi-auth-hybrid.pm
@@
-37,9
+37,11
@@
BEGIN {
our @EXPORT_OK;
use DBI;
our @EXPORT_OK;
use DBI;
-use CGI;
+use CGI
qw/escapeHTML/
;
use Locale::gettext;
use URI;
use Locale::gettext;
use URI;
+use IO::File;
+use Data::Dumper;
#---------- public utilities ----------
#---------- public utilities ----------
@@
-90,11
+92,9
@@
sub login_ok_password ($$) {
sub do_redirect_cgi ($$$$) {
my ($c, $r, $new_url, $cookie) = @_;
sub do_redirect_cgi ($$$$) {
my ($c, $r, $new_url, $cookie) = @_;
- my @ha = ('text/html',
- -status => '303 See other',
- -location => $new_url);
- push @ha, (-cookie => $cookie) if defined $cookie;
- $r->_print($c->header(@ha),
+ $r->_print($c->header($r->_cgi_header_args($cookie,
+ -status => '303 See other',
+ -location => $new_url)),
$r->_ch('gen_start_html',$r->_gt('Redirection')),
'<a href="'.escapeHTML($new_url).'">',
$r->_gt("If you aren't redirected, click to continue."),
$r->_ch('gen_start_html',$r->_gt('Redirection')),
'<a href="'.escapeHTML($new_url).'">',
$r->_gt("If you aren't redirected, click to continue."),
@@
-106,20
+106,20
@@
sub gen_plain_login_form ($$) {
my ($c,$r, $params) = @_;
my @form;
push @form, ('<form method="POST" action="'.
my ($c,$r, $params) = @_;
my @form;
push @form, ('<form method="POST" action="'.
- escapeHTML($r->_ch('get_url')).'>'.
+ escapeHTML($r->_ch('get_url')).'
"
>'.
'<table>');
my $sz = 'size="'.$r->{S}{form_entry_size}.'"';
foreach my $up (@{ $r->{S}{username_param_names}}) {
push @form, ('<tr><td>',$r->_gt(ucfirst $up),'</td>',
'<table>');
my $sz = 'size="'.$r->{S}{form_entry_size}.'"';
foreach my $up (@{ $r->{S}{username_param_names}}) {
push @form, ('<tr><td>',$r->_gt(ucfirst $up),'</td>',
- '<td><input type="text" '
,
$sz.
- ' name='
,$up,
'></td></tr>');
+ '<td><input type="text" '
.
$sz.
+ ' name='
.$up.
'></td></tr>');
}
push @form, ('<tr><td>'.$r->_gt('Password'),'</td>',
'<td><input type="password" '.$sz.
' name="'.$r->{S}{password_param_name}.'"></td></tr>');
push @form, ('<tr><td colspan="2">',
'<input type="submit"'.
}
push @form, ('<tr><td>'.$r->_gt('Password'),'</td>',
'<td><input type="password" '.$sz.
' name="'.$r->{S}{password_param_name}.'"></td></tr>');
push @form, ('<tr><td colspan="2">',
'<input type="submit"'.
- ' name="'.$r->{S}{login_submit_name}.'"'.
+ ' name="'.$r->{S}{login_submit_name}
[0]
.'"'.
' value="'.$r->_gt('Login').'"></td></tr>',
'</table>');
foreach my $n (keys %$params) {
' value="'.$r->_gt('Login').'"></td></tr>',
'</table>');
foreach my $n (keys %$params) {
@@
-154,6
+154,7
@@
sub new_verifier {
associdlen => 128, # bits
login_timeout => 86400, # seconds
assoc_param_name => 'cah_associd',
associdlen => 128, # bits
login_timeout => 86400, # seconds
assoc_param_name => 'cah_associd',
+ cookie_name => "cah_associd",
password_param_name => 'password',
username_param_names => [qw(username)],
form_entry_size => 60,
password_param_name => 'password',
username_param_names => [qw(username)],
form_entry_size => 60,
@@
-176,12
+177,13
@@
sub new_verifier {
do_redirect => \&do_redirect_cgi, # this hook is allowed to throw
cookie_path => "/",
get_cookie_domain => \&get_cookie_domain,
do_redirect => \&do_redirect_cgi, # this hook is allowed to throw
cookie_path => "/",
get_cookie_domain => \&get_cookie_domain,
- encrypted_only =>
0
,
+ encrypted_only =>
1
,
gen_start_html => sub { $_[0]->start_html($_[2]); },
gen_end_html => sub { $_[0]->end_html(); },
gen_login_form => \&gen_plain_login_form,
gen_login_link => \&gen_plain_login_link,
gettext => sub { gettext($_[2]); },
gen_start_html => sub { $_[0]->start_html($_[2]); },
gen_end_html => sub { $_[0]->end_html(); },
gen_login_form => \&gen_plain_login_form,
gen_login_link => \&gen_plain_login_link,
gettext => sub { gettext($_[2]); },
+ print => sub { print $_[2] or die $!; },
},
Dbh => undef,
};
},
Dbh => undef,
};
@@
-238,26
+240,26
@@
sub _db_transaction ($$) {
my $retries = 10;
my $rv;
my $dbh = $v->{Dbh};
my $retries = 10;
my $rv;
my $dbh = $v->{Dbh};
-
#
print STDERR "DT entry\n";
+print STDERR "DT entry\n";
for (;;) {
for (;;) {
-
#
print STDERR "DT loop\n";
+print STDERR "DT loop\n";
if (!eval {
$rv = $fn->();
if (!eval {
$rv = $fn->();
-
#
print STDERR "DT fn ok\n";
+print STDERR "DT fn ok\n";
1;
}) {
1;
}) {
-
#
print STDERR "DT fn error\n";
+print STDERR "DT fn error\n";
{ local ($@); $dbh->rollback(); }
{ local ($@); $dbh->rollback(); }
-
#
print STDERR "DT fn throwing\n";
+print STDERR "DT fn throwing\n";
die $@;
}
die $@;
}
-
#
print STDERR "DT fn eval ok\n";
+print STDERR "DT fn eval ok\n";
if (eval {
$dbh->commit();
print STDERR "DT commit ok\n";
1;
}) {
if (eval {
$dbh->commit();
print STDERR "DT commit ok\n";
1;
}) {
-print STDERR "DT commit eval ok\n";
+print STDERR "DT commit eval ok
$rv
\n";
return $rv;
}
print STDERR "DT commit throw?\n";
return $rv;
}
print STDERR "DT commit throw?\n";
@@
-287,6
+289,7
@@
sub new_request {
sub _ch ($$@) { # calls an application hook
my ($r,$methname, @args) = @_;
my $methfunc = $r->{S}{$methname};
sub _ch ($$@) { # calls an application hook
my ($r,$methname, @args) = @_;
my $methfunc = $r->{S}{$methname};
+ die "$methname ?" unless $methfunc;
return $methfunc->($r->{Cgi}, $r, @args);
}
return $methfunc->($r->{Cgi}, $r, @args);
}
@@
-303,14
+306,15
@@
sub construct_cookie ($$$) {
my ($r, $cookv) = @_;
return undef unless $cookv;
my $c = $r->{Cgi};
my ($r, $cookv) = @_;
return undef unless $cookv;
my $c = $r->{Cgi};
-
my $cookt = $c->cookie
(-name => $r->{S}{cookie_name},
+
my @ca =
(-name => $r->{S}{cookie_name},
-value => $cookv,
-path => $r->{S}{cookie_path},
-domain => $r->_ch('get_cookie_domain'),
-expires => '+'.$r->{S}{login_timeout}.'s',
-secure => $r->{S}{encrypted_only});
-value => $cookv,
-path => $r->{S}{cookie_path},
-domain => $r->_ch('get_cookie_domain'),
-expires => '+'.$r->{S}{login_timeout}.'s',
-secure => $r->{S}{encrypted_only});
-print STDERR "CC $r $c $cookv $cookt\n";
- return $cookt;
+ my $cookie = $c->cookie(@ca);
+print STDERR "CC $r $c $cookv $cookie (@ca).\n";
+ return $cookie;
}
# pages/param-sets are
}
# pages/param-sets are
@@
-328,7
+332,7
@@
print STDERR "CC $r $c $cookv $cookt\n";
# y, yN value corresponds to logged-in user
# n, nN value not in our db
# x, xN t or y
# y, yN value corresponds to logged-in user
# n, nN value not in our db
# x, xN t or y
-# - no value supplied
+# - no value supplied
(represented in code as $cookt='')
# if N differs the case applies only when the two values differ
# (eg, a1 y2 does not apply when the logged-in value is supplied twice)
# if N differs the case applies only when the two values differ
# (eg, a1 y2 does not apply when the logged-in value is supplied twice)
@@
-407,8
+411,9
@@
print STDERR "CC $r $c $cookv $cookt\n";
# revoke y2
# treat as -/n n POST
#
# revoke y2
# treat as -/n n POST
#
- # -/n
n
GET n cross-site link but user not logged in
+ # -/n
-/n
GET n cross-site link but user not logged in
# show login form with redirect to orig params
# show login form with redirect to orig params
+ # generate fresh cookie
#
# -/n n GET rmu user not logged in
# fail
#
# -/n n GET rmu user not logged in
# fail
@@
-429,6
+434,8
@@
sub _check_divert_core ($) {
my ($cookt,$cooku) = $r->_db_lookup($cookv);
my $parmt = $r->_db_lookup($parmv);
my ($cookt,$cooku) = $r->_db_lookup($cookv);
my $parmt = $r->_db_lookup($parmv);
+ print STDERR "_c_d_c cookt=$cookt parmt=$parmt\n";
+
if ($r->_ch('is_logout')) {
$r->_must_be_post();
die unless $parmt;
if ($r->_ch('is_logout')) {
$r->_must_be_post();
die unless $parmt;
@@
-489,15
+496,17
@@
sub _check_divert_core ($) {
if ($cookt ne 'y') {
die unless !$cookt || $cookt eq 'n';
die unless !$parmt || $parmt eq 'n' || $parmt eq 'y';
if ($cookt ne 'y') {
die unless !$cookt || $cookt eq 'n';
die unless !$parmt || $parmt eq 'n' || $parmt eq 'y';
+ my $newv = $r->_fresh_cookie();
if ($meth eq 'GET') {
return ({ Kind => 'LOGIN-INCOMINGLINK',
Message => "You need to log in again.",
if ($meth eq 'GET') {
return ({ Kind => 'LOGIN-INCOMINGLINK',
Message => "You need to log in again.",
- CookieVal => $
parm
v,
+ CookieVal => $
new
v,
Params => $r->_chain_params() });
} else {
Params => $r->_chain_params() });
} else {
+ $r->_db_revoke($parmv);
return ({ Kind => 'LOGIN-FRESH',
Message => "You need to log in again.",
return ({ Kind => 'LOGIN-FRESH',
Message => "You need to log in again.",
- CookieVal => $
parm
v,
+ CookieVal => $
new
v,
Params => { } });
}
}
Params => { } });
}
}
@@
-519,6
+528,7
@@
sub _check_divert_core ($) {
die unless $cookv eq $parmv;
$r->{Assoc} = $cookv;
$r->{UserOK} = $cooku;
die unless $cookv eq $parmv;
$r->{Assoc} = $cookv;
$r->{UserOK} = $cooku;
+ print STDERR "C-D-C OK\n";
return undef;
}
return undef;
}
@@
-587,14
+597,14
@@
sub _db_record_login_ok ($$$) {
sub check_divert ($) {
my ($r) = @_;
sub check_divert ($) {
my ($r) = @_;
- my $divert;
if (exists $r->{Divert}) {
return $r->{Divert};
}
my $dbh = $r->{Dbh};
$r->{Divert} = $r->_db_transaction(sub { $r->_check_divert_core(); });
$dbh->commit();
if (exists $r->{Divert}) {
return $r->{Divert};
}
my $dbh = $r->{Dbh};
$r->{Divert} = $r->_db_transaction(sub { $r->_check_divert_core(); });
$dbh->commit();
- return $divert;
+ print STDERR Dumper($r->{Divert});
+ return $r->{Divert};
}
sub get_divert ($) {
}
sub get_divert ($) {
@@
-617,6
+627,14
@@
sub url_with_query_params ($$) {
return $uri->as_string();
}
return $uri->as_string();
}
+sub _cgi_header_args ($$@) {
+ my ($r, $cookie, @ha) = @_;
+ unshift @ha, qw(-type text/html);
+ push @ha, (-cookie => $cookie) if defined $cookie;
+ print STDERR "_cgi_header_args ",join('|',@ha),".\n";
+ return @ha;
+}
+
sub check_ok ($) {
my ($r) = @_;
sub check_ok ($) {
my ($r) = @_;
@@
-629,6
+647,7
@@
sub check_ok ($) {
my $kind = $divert->{Kind};
my $cookieval = $divert->{CookieVal};
my $params = $divert->{Params};
my $kind = $divert->{Kind};
my $cookieval = $divert->{CookieVal};
my $params = $divert->{Params};
+ my $cookie = $r->construct_cookie($cookieval);
if ($kind =~ m/^REDIRECT-/) {
# for redirects, we honour stored NextParams and SetCookie,
if ($kind =~ m/^REDIRECT-/) {
# for redirects, we honour stored NextParams and SetCookie,
@@
-642,7
+661,6
@@
sub check_ok ($) {
die;
}
my $new_url = $r->url_with_query_params($params);
die;
}
my $new_url = $r->url_with_query_params($params);
- my $cookie = $r->construct_cookie($r, $cookieval);
$r->_ch('do_redirect',$new_url, $cookie);
return 0;
}
$r->_ch('do_redirect',$new_url, $cookie);
return 0;
}
@@
-660,9
+678,10
@@
sub check_ok ($) {
die $kind;
}
die $kind;
}
- $r->_print($r->_ch('start_html',$title),
- @body,
- $r->_ch('end_html'));
+ $r->_print($r->{Cgi}->header($r->_cgi_header_args($cookie)),
+ $r->_ch('gen_start_html',$title),
+ (join "\n", @body),
+ $r->_ch('gen_end_html'));
return 0;
}
return 0;
}
@@
-678,11
+697,14
@@
sub _random ($$) {
$!=0;
read($rsf,$bin,$bytes) == $bytes or die "$rsp $!";
close $rsf;
$!=0;
read($rsf,$bin,$bytes) == $bytes or die "$rsp $!";
close $rsf;
- return unpack "H*", $bin;
+ my $out = unpack "H*", $bin;
+ print STDERR "_random out $out\n";
+ return $out;
}
sub _fresh_cookie ($) {
my ($r) = @_;
}
sub _fresh_cookie ($) {
my ($r) = @_;
+ print STDERR "_fresh_cookie\n";
my $bytes = ($r->{S}{associdlen} + 7) >> 3;
return $r->_random($bytes);
}
my $bytes = ($r->{S}{associdlen} + 7) >> 3;
return $r->_random($bytes);
}
@@
-716,9
+738,9
@@
sub secret_hidden_html ($) {
sub secret_cookie ($) {
my ($r) = @_;
sub secret_cookie ($) {
my ($r) = @_;
-print STDERR "SC\n";
+
#
print STDERR "SC\n";
my $cookv = $r->construct_cookie($r->secret_val());
my $cookv = $r->construct_cookie($r->secret_val());
-print STDERR "SC=$cookv\n";
+
#
print STDERR "SC=$cookv\n";
return $cookv;
}
return $cookv;
}