X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=cgi-auth-flexible.git;a=blobdiff_plain;f=caf.pod;h=32b7e4dca766ae883fa4c1aa0d3dc5bf9eb5d852;hp=673aeeeef9ef0e57294ad647f244673d634b0924;hb=97c2fa3d6cdfd43da1a3637a5c317dcd45e714f7;hpb=c77a9acbbf28f50a907e9de62bd1494ce9ea5a0e diff --git a/caf.pod b/caf.pod index 673aeee..32b7e4d 100644 --- a/caf.pod +++ b/caf.pod @@ -7,7 +7,7 @@ CGI::Auth::Flexible - web authentication optionally using cookies =head1 SYNOPSYS my $verifier = CGI::Auth::Flexible->new_verifier(setting => value,...); - my $authreq = $verifier->new_request($cgi_query_object); + my $authreq = $verifier->new_request($cgi); # simple applications $authreq->check_ok() or return; @@ -68,7 +68,13 @@ honour the return value. =item * If you're using C, implement either the -C or C hook. +C or C hook and provide it as +a setting to C. + +=item * + +Provide the setting C (or provide absolute paths for all the +other relevant settings). =item * @@ -96,6 +102,11 @@ B: If you do not override the source provision facility (see L), check that the assumptions it makes aren't going to leak security-critical data. +=item * + +Set up HTTPS on your webserver, or set the C setting +to a false value. + =back These points will now be covered in more detail. @@ -109,9 +120,18 @@ This call can be expensive and is best amortised. The resulting verifier object can be used to process individual requests, in each case with -C<< $authreq = CGI::Auth::Flexible->new_request($cgi_query) >>. +C<< $authreq = CGI::Auth::Flexible->new_request($cgi) >>. + +See L. -=head2 RESPONSES - SIMPLE APPLICATIONS +=head2 CHECKING AND RESPONSE GENERATION + +If the user is logged in, your application is to handle the request. +Otherwise, the user needs to be presented with a login form or error +message, as appropriate. CGI::Auth::Flexible provides two alternative +interfaces for this: + +=head3 Simple applications The simplist usage is to call C<< $request->check_ok() >> which will check the user's authentication. If the user is not logged in it will @@ -126,15 +146,18 @@ After C returns true you should go ahead and process the request; you can use C<< $request->get_username >> to find out which user the request came from. -=head2 RESPONSES - SOPHISTICATED APPLICATIONS +=head2 Sophisticated applications If you want to handle the control flow and to generate login forms, redirections, etc., yourself, you can say C<< $divert = $request->check_divert >>. This returns undef if the user is logged in, or I if some kind of login -page or diversion should be generated. +page or diversion should be generated. See L below for +details of how to deal with the return value. -=head2 MUTATING OPERATIONS AND EXTERNAL LINKS - MUTATION-IGNORANT APPLICATIONS +=head2 MUTATING OPERATIONS AND EXTERNAL LINKS + +=head3 Mutation-ignorant applications By default CGI::Auth::Flexible does not permit external links into your site. All GET requests give a "click to continue" page which @@ -146,7 +169,7 @@ in the web's security architecture. Such applications are also not able to provide user-specific CSS stylesheets, javascript, favicons, etc. -=head2 MUTATING OPERATIONS AND EXTERNAL LINKS - MUTATION-AWARE APPLICATIONS +=head3 Mutation-aware applications The alternative is for your application to always make a special check when the incoming request is going to do some kind of action (such as @@ -222,6 +245,12 @@ will die, stopping the attack. (You do not need to call C for POST requests, but it is harmless to do so.) +=head3 Mutation-aware applications - novel kinds of request + +If you want to support a kind of request perhaps not yet known about +by CGI::Auth::Flexible, you can provide information about that new +request kind using C. + =head2 DATA STORAGE CGI::Auth::Flexible needs to store various information in plain files; @@ -268,7 +297,7 @@ C. See C. For each source item in a dvcs, the entire dvcs history does not contain anything confidential (or libellous). Also, all files which -contain secrets are in the dvcs's C<.ignore> file. See +contain secrets are in the dvcs's I<.ignore> file. See C et al. =item * @@ -302,15 +331,15 @@ Initialises an instance and returns a verifier object. The arguments are setting pairs like a hash initialiser. See L below. -=item C<< $verifier->new_request($cgi_query) >> +=item C<< $verifier->new_request($cgi) >> -Prepares to process a request. C<$cgi_query> should normally +Prepares to process a request. I<$cgi> should normally be the query object from L. Most of the default hook methods assume that it is; however if you replace enough of the hook methods then you can pass any value you like and it will be passed to your hooks. -The return value is the authentication request object (C<$authreq>) +The return value is the authentication request object (I<$authreq>) which is used to check the incoming request and will contain information about its credentials. @@ -337,3 +366,560 @@ the application should not process the request further. Discards the resources (open files, etc.) in the verifier object. =back + +=head REQUEST-RELATED FUNCTIONS AND METHODS + +All of these are only valid after C or C has +been called. (In the case of C it won't normally be sensible +to call these functions unless C returned true.) + +=item C<< $authreq->get_divert() >> + +Returns the value previously returned by C. + +=item C<< $authreq->get_username() >> + +Returns the name of the logged-in user. If the user was not logged +in (or their session had timed out, or something), returns undef. + +=item C<< $authreq->check_mutate() >> + +Declares to CGI::Auth::Generic that the request being handled will +"mutate". That is, it will modify some server-side state (eg, adding +items to shopping baskets, posting messages to blogs, sending emails, +or whatever). + +If you have set the setting C you must call +C whenever appropriate. If you haven't then it's +irrelevant. See L. + +C will either return successfully, indicating that all +is well and the request should proceed, or it will die. If it dies +that means that the request was improper, which can only result from a +bug or an attack. So an "internal server error" is a suitable +response. + +=item C<< $authreq->check_nonpage($method, $reqtype) >> + +Declares to CGI::Auth::Generic that the request is not a page request, +but rather a request of type I<$reqtype>. + +If your application has set the setting C, +whenever it is handling anything except an HTML page loads, it must +call this function. See L, and +L. + +C will either return successfully, indicating that all +is well and the request should proceed, or it will die, like +C. + +=head RESPONSE-RELATED FUNCTIONS AND METHODS + +=item C<< $authreq->url_with_query_params($params, [$nonpagetype]) >> + +Convenience function which returns a url for a GET request to this +application. + +I<$params> is a hashref specifying the parameters and the PATH_INFO. +The keys are the parameter names, and the values are array refs with +the parameter value(s) (as strings, as yet unquoted). (They are array +refs because it is possible to pass multiple values for the same +parameter in a single request; normally each arrayref would be a +singleton.) + +The request path will be the path to the application. If a parameter +with name C<< '' >> is supplied, it is taken as the PATH_INFO - its +value will be appended to the application path. (It should normally +start with C<< / >>, and only one value should be supplied.) + +=item C<< something->need_add_hidden($method, $reqtype) >> + +Enquires whether a request of type I<$reqtype> using HTTP method +I<$method> needs the hidden form parameter. See L. + +=item C<< something->secret_hidden_val() >> + +Returns the value of the hidden form parameter. This should be +included in all POST requests to your application (and thus be a +hidden form parameter in all forms). + +It should also be in some (maybe all) GET requests. If your +application is mutation-ignorant, it should be in all GET requests. +If you are mutation-aware, you need to consult C. + +The name of the hidden parameter is the setting C, +C by default. xxx rename param and setting + +=item C<< something->secret_hidden_html() >> + +Returns the HTML for an C element specifying the hidden form +parameter. + +=item C<< something->secret_cookie_val() >> + +Returns the value of the secret cookie. CGI::Auth::Flexible sets this +cookie in the forms generated by C. You may also set it +yourself (and indeed you must do so if you use C). + +=item C<< $authreq->chain_params() >> + +Returns a hash of the "relevant" parameters to this request, in a form +used by XXX. This is all of the query parameters which are not +related to CGI::Auth::Flexible. The PATH_INFO from the request is +returned as the parameter C<< '' >>. + +xxx why use this function + +=back + +=head OTHER FUNCTIONS AND METHODS + +=over + +=item C<< $verifier_or_authreq->hash($data) >> + +Hashes the supplied data using the hash function specified by the +C setting, and converts the result to a string of hex +digits. + +=item C<< something->update_get_need_add_hidden($reqtype, $value, [$force]) >> + +Updates CGI::Auth::Generic's knowledge about the various kinds of +request, and whether they need the hidden form parameter. This +function applies only to GET requests - POST requests always use the +parameter. + +I<$reqtype> is the request type (the value which will be passed to +C and C. If you are supporting a new +I<$reqtype> you shouuld coordinate with CGI::Auth::Flexible upstrea, +or other users, to assign a unique request type name. + +This method may be called on an authreq or a verifier, in which case +it will affect all authreqs using the same verifier. Or it may be +called on the class as a whole, in which case it will affect the +global default list for all verifiers. + +If I<$force> is supplied and true, this will override +CGI::Auth::Flexible's existing knowledge. Otherwise this new setting +will be ignored if CGI::Auth::Flexible already knows about the request +type. (When called on a verifier or authreq, it will ignore the +update in favour of existing knowledge recorded both globally in the +class or due to previous requests on the same verifier.) + +See L. + +=item C<< $verifier_or_authreq->($data) | CGI::Auth::Flexible->>> + +Hashes the supplied data using the hash function specified by the +C setting, and converts the result to a string of hex +digits. + +=back + +=head1 SETTINGS + +C and C each take a list of settings, as +a list of pairs C<< key => value >> (like a Perl hash assignment). + +The settings supplied to C are stored in the verifier +and will apply to all authreqs made from it unless overridden in the +call to C + +When a setting is described as a hook function, it should be a +coderef. The first argument will be the query object from +L (strictly, it will be whatever value was passed to +C). The second argument will be the authreq object (the +return value from C). +Ie, C<< sub some_hook ($$...) { my ($cgi,$authreq,@stuff) = @_ ... >> + +In bullet point headings, the hook functions are shown in the form +C<< some_hook($cgi,$authreq,@stuff) >> even though this would not be +legal syntax. This should be read to mean that the +%implicit_settings_hash{'some_hook'}($cgi,$authreq,@stuff) +would be a legal call. (However, the settings hash is not exposed.) + +=over + +=head2 GENERAL SETTINGS + +=item C + +The directory CGI::Auth::Generic should use for its data storage. +This is actually just a default absolute path used when the other +path settings are relative values. + +Must be an absolute filename. + +=item C + +CGI::Auth::Flexible needs a database for recording users' login +session. This database needs to be shared across all instances of the +web application, so in a multi-node cluster it needs to be your actual +database. + +CGI::Auth::Flexible will create the table and index it needs if they +don't already exist, and will manage their contents. You do not need +to integrate them into the rest of your webapp's data storage. (In +particular, there is no need for transactional integrity across +changes made by CAF and your own application.) + +By default, CAF uses a sqlite3 database stored on local disk in the +file named by C. This will be suitable for all +applications which run on a single host. + +This value, if supplied, should be a DBI handle for the database. + +=item C + +This is the DSN to pass to C<< DBI->connect >>. Used only if +C is not supplied. + +=item C + +Path to the sqlite3 database used for CAF's session storage. The +default is currently C but will change in the future. + +Used only if neither C or C are supplied. + +If this is a relative path, it is in C. + +=item C + +Prefix for the SQL tables and indices to use (and to create, if +necessary). + +See L. + +=item C + +Path to the keys file used by CAF. This arrangement will change in +the future. See L. + +=item C + +Special file to read random numbers from. Should return +cryptographically secure (pseudo)-random bytes, unpredictable to +adversaries (even ones on the same machine). + +On Linux, there is no device which is properly suitable. This is a +bug in Linux. You can use C which can block +unnecessarily even though the kernel PRNG has been properly seeded and +is fine, or C which might return values which attackers +can predict if the kernel PRNG has not been properly seeded. + +The default is C. + +=item C + +Length of the assoc secret. Defaults to 128. + +=item C + +Must be a string suitable for use with C. +Defaults to C. + +=item C + +A user will be logged out this many seconds after they first logged +in. Default: 86400 (one day). + +=item C + +A login form becomes invalid this many seconds after it has been sent. +Default: 3600 seconds (one hour). + +=item C + +The key used for generating assoc secrets is rolled over approximately +this often (in seconds). Default: 86400. + +=item C + +Name of the hidden form parameter. Default: C. + +=item C + +Name of the cookie used for login sessions. Default: +C. + +=item C + +Name of the password field in the login form. Default: C. + +Used by C (the default C hook), +C and the default C hook. + +=item C + +Arrayref of name(s) of username form parameters. + +The first entry is used by C (the default +C hook) to pass to the C hook and +used as the username if all is well. + +All the entries are used by C (the default +C hook for C) to generate form entry fields. + +The default is C<['username']>. + +=item C + +Arrayref of name(s) of form parameters indicating that the request is +a logout request. + +Used by the default C hook. + +If you want users to be able to explicitly log out, you need to +provide a logout button, something like +C<< > + +The default is C<['caf_logout']> + +=item C + +Arrayref of name(s) of form parameters indicating that user has just +logged out. (During the logout process, the actual logout action is a +POST request, whose response redirects to the "you have been logged +out" page; these form parameters are for this second page.) + +Used by the default C hook. + +The first entry is used by C to generate the redirection. + +The default is C<['caf_loggedout']> + +=item C + +Boolean. If true, is a declaration by the application that it is +mutatin-aware. See L. + +The default is 0. + +=item C + +Boolean. If true, CAF will insist that all transactions be done over +an encrypted http connection. It will redirect unencrypted requests +to the https instance of the applicattion, and will set the encrypted +only flag on its cookie. + +The default is 1. + +=back + +=item C<< get_url($cgi,$authreq) >> + +Hook which returns the URL of this web application. By default, we +call C<< $cgi->url() >> for each request, but you can fix this if you +prefer. + +=item C<< is_login,is_logout,is_loggedout($cgi,$authreq) >> + +Hook which returns a boolean indicating whether the request was, +respectively: a login form submission (ie, username and password); a +logout request (submission resulting from the user pressing the +"logout" button); "logged out" page (redirection from the logout +POST). + +The default is to check whether any of the corresponding request +parameters (C<< login_param_names >> etc.) was supplied, using the +C hook. + +=back + +=head2 SETTINGS (HOOKS) RELATED TO THE CGI REQUEST OBJECT + +=over + +=item C<< get_param($cgi,$authreq,$param) >> + +Returns the value of a single-valued form parameter. +The default is to call C<< $cgi->param($param) >>. +The semantics are the same as that of C. + +=item C<< get_params($cgi,$authreq) >> + +Returns a hash of the parameters. The return value is a hashref whose +keys are the parameter names and whose values are arrayrefs, one entry +in the arrayref for each value. + +The default is to call C<< $cgi->Vars() >>, expect the +results to look like those from C, and massage them into +the required form with split. + +=item C<< get_path_info($cgi,$authreq) >> + +Returns the PATH_INFO of the request. The default is to +call C<< $cgi->path_info() >>. + +=item C<< get_cookie($cgi,$authreq) >> + +Returns the value of the CAF cookie sent with the request, or undef if +none was supplied. The default is to call C<< +$cgi->cookie($cookie_name) >> (where C<$cookie_name> is from the +setting of the same name). The return value should be the scalar +value of the cookie. + +=item C<< get_method($cgi,$authreq) >> + +Returns the HTTP method as a string. The default is to call +C<< $cgi->request_method() >>. + +=back + +=item C<< is_https($cgi,$authreq) >> + +Returns a boolean indicating whether the request was over an encrypted +channel. The default is C<< !!$cgi->https() >>. See C. + +=back + +=head2 SETTINGS RELATED TO HTML GENERATION + +These are only used if you call C or xxx some other functions?. + +Settings whose names are of the form C are hooks which each +return an array of strings, normally HTML strings, for use by +C (or, in turn, other hooks, or your application). These +are often documented simply by showing the output produced. In many +cases parts of the output are in turn obtained from other hooks. In +some cases the default implementations have been given names for +convenient use by your application. They will be called in array +context. + +We'll write C even though actually there is a hook +to control the translation function used. + +=over + +=item C($cgi,$authreq,$divert)) + +C calls this hook before producing output of its own. If +you want to handle some but not all diversions yourself, you may set +this hook. The hook should either do nothing and return false, or +return true if it has handled the request (or arrange for the request +to be handled). If the hook returns true then C simply +returns 0. + +=item C($cgi,$authreq,$divert)) + +Default: a table (used mostly for layout) containing input fields for +a login form. Must be within a C<<
>> element, but doesn't +generate it. Has text fields for every entry in +C (in each case associated with a description +C<< gettext(ucfirst $parameter_name) >>, a password field (with +description C, and a login submit button (with +description C. + +Default is available as the class function C. + +=item C($cgi,$authreq)) + +Default: + + gettext(Log in again to continue.) + +Default is available as the class function C. + +=item C($cgi,$authreq,$params)) + +Default: form contents (but not the C<< >> element): + +C<$params> (in the form returned by the C hook) as hidden +fields, and also: + + + +Default is available as the class function C. + +=item C($cgi,$authreq,$title) + +Default: C<$cgi->start_html($title)> + +=item C($cgi,$authreq,$title) + +Default: C<$cgi->end_html($title)> + +=item C($cgi,$authreq)> + +Default: + +
+ Powered by Free / Libre / Open Source Software + according to the [gen_licence_link_html]. + [gen_source_link_html]. +
+ +Default is available as the class function C. + +=item C($cgi,$authreq)> + +Default: uses C to generate a URL for +downloading the licence, and returns: + GNU Affero GPL + +Default is available as the class function C. + +=item C($cgi,$authreq)> + +Default: uses C to generate a URL for +downloading the source, and returns: + Source available + +Default is available as the class function C. + +=item C + +Size of generated text entry fields. Default is 60. + +=item C + +Some of CAF's HTML-generating functions need to invent form parameter +names. They will all start with this string. Default: C. + +=head2 SETTINGS FOR SOURCE CODE DOWNLOAD FACILITY + +=over + +=item C + +Form parameter name used to indicate that this is a source download +request. If this parameter is supplied, C and +C will arrange for the applicaton source code to be +delivered as the response (in C's case by doing it itself +and in C's case by asking your application to do so. + +Default is C. + +=item C + +Path to the directory used for storing pre-prepared source downloads. +Defaults to C. + +If this is a relative path, it is in C. + +=back + + +=head1 DATABASE TABLES + +In a simple application, you do not need to worry about this. But if +your application runs on multiple frontend hosts with a shared +database, you may need to create for yourself the tables and indices +used by CGI::Auth::Flexible. + +xxx document _db_setup_do +xxx make _db_setup_do explicitly overrideable + + +xxx divert spec +xxx reqtype +xxx settings +xxx html generators +xxx document cookie + +xxx bugs wrong default random on Linux +xxx bugs wrong default random on *BSD +xxx bugs keys not shared should be in db +xxx rename caf-assocs.db +xxx rename caf_assocsecret default cookie name +xxx mention relationship between login_timeout and cookies