X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=cgi-auth-flexible.git;a=blobdiff_plain;f=cgi-auth-flexible.pm;h=382b845ddc0c45016c9b004fac989b374659f2eb;hp=e5b89244476da131f03615daf19a367b6c12c0ac;hb=c8a519df1b5ed6607a02be9394bf9c80bb06840d;hpb=031ab04359164ef2e3d311e61637491479e6098d;ds=sidebyside
diff --git a/cgi-auth-flexible.pm b/cgi-auth-flexible.pm
index e5b8924..382b845 100644
--- a/cgi-auth-flexible.pm
+++ b/cgi-auth-flexible.pm
@@ -18,7 +18,7 @@
# along with this program. If not, see .
use strict;
-use warnings;
+use warnings FATAL => 'all';
package CGI::Auth::Flexible;
require Exporter;
@@ -92,7 +92,8 @@ sub login_ok_password ($$) {
my $username_params = $r->{S}{username_param_names};
my $username = $r->_ch('get_param',$username_params->[0]);
my $password = $r->_rp('password_param_name');
- return $r->_ch('username_password_ok', $username, $password);
+ return undef unless $r->_ch('username_password_ok', $username, $password);
+ return $username;
}
sub do_redirect_cgi ($$$$) {
@@ -104,39 +105,63 @@ sub do_redirect_cgi ($$$$) {
'',
$r->_gt("If you aren't redirected, click to continue."),
"",
- $c->_ch('gen_end_html'));
+ $r->_ch('gen_end_html'));
}
-sub gen_plain_login_form ($$) {
- my ($c,$r, $params) = @_;
+sub gen_some_form ($$) {
+ my ($r, $params, $bodyfn) = @_;
+ # Calls $bodyfn->($c,$r) which returns @formbits
+ my $c = $r->{Cgi};
my @form;
push @form, ('');
return join "\n", @form;
}
-sub gen_login_link ($$) {
+sub gen_plain_login_form ($$) {
+ my ($c,$r, $params) = @_;
+ return $r->gen_some_form($params, sub {
+ my @form;
+ push @form, ('');
+ return @form;
+ });
+}
+
+sub gen_postmainpage_form ($$$) {
+ my ($c,$r, $params) = @_;
+ return $r->gen_some_form($params, sub {
+ my @form;
+ push @form, ('');
+ return @form;
+ });
+}
+
+sub gen_plain_login_link ($$) {
my ($c,$r, $params) = @_;
my $url = $r->url_with_query_params($params);
return (''.
@@ -164,6 +189,7 @@ sub new_verifier {
login_form_timeout => 3600, # seconds
key_rollover => 86400, # seconds
assoc_param_name => 'caf_assochash',
+ dummy_param_name => 'caf_dummy',
cookie_name => "caf_assocsecret",
password_param_name => 'password',
username_param_names => [qw(username)],
@@ -192,6 +218,7 @@ sub new_verifier {
gen_end_html => sub { $_[0]->end_html(); },
gen_login_form => \&gen_plain_login_form,
gen_login_link => \&gen_plain_login_link,
+ gen_postmainpage_form => \&gen_postmainpage_form,
gettext => sub { gettext($_[2]); },
print => sub { print $_[2] or die $!; },
},
@@ -278,7 +305,7 @@ print STDERR "DT fn eval ok\n";
print STDERR "DT commit ok\n";
1;
}) {
-print STDERR "DT commit eval ok $rv\n";
+print STDERR "DT commit eval ok ",Dumper($rv);
return $rv;
}
print STDERR "DT commit throw?\n";
@@ -464,7 +491,9 @@ sub _check_divert_core ($) {
my $cookh = defined $cooks ? $r->hash($cooks) : undef;
my ($cookt,$cooku) = $r->_identify($cookh, $cooks);
- my $parmt = $r->_identify($parmh, undef);
+ my $parms = (defined $cooks && defined $parmh && $parmh eq $cookh)
+ ? $cooks : undef;
+ my ($parmt) = $r->_identify($parmh, $parms);
print STDERR "_c_d_c cookt=$cookt parmt=$parmt\n";
@@ -534,13 +563,13 @@ sub _check_divert_core ($) {
my $news = $r->_fresh_secret();
if ($meth eq 'GET') {
return ({ Kind => 'LOGIN-INCOMINGLINK',
- Message => "You need to log in again.",
+ Message => "You need to log in.",
CookieSecret => $news,
Params => $r->_chain_params() });
} else {
$r->_db_revoke($parmh);
return ({ Kind => 'LOGIN-FRESH',
- Message => "You need to log in again.",
+ Message => "You need to log in.",
CookieSecret => $news,
Params => { } });
}
@@ -594,7 +623,9 @@ sub _identify ($$) {
# where $t is one of "t" "y" "n", or "" (for -)
# either $s must be undef, or $h eq $r->hash($s)
+print STDERR "_identify\n";
return '' unless defined $h && length $h;
+print STDERR "_identify h=$h s=".(defined $s ? $s : '')."\n";
my $dbh = $r->{Dbh};
@@ -606,6 +637,7 @@ sub _identify ($$) {
" FROM $r->{S}{assocdb_table}".
" WHERE assochash = ?", {}, $h);
if (defined $row) {
+print STDERR "_identify h=$h s=$s YES @$row\n";
my ($nusername, $nlast) = @$row;
return ('y', $nusername);
}
@@ -618,15 +650,20 @@ sub _identify ($$) {
my ($keyt, $signature, $message, $noncet, $nonce) =
$s =~ m/^(\d+)\.(\w+)\.((\d+)\.(\w+))$/ or die;
- return 'n' if time > $noncet + $r->{S}{form_timeout};
+ return 'n' if time > $noncet + $r->{S}{login_form_timeout};
+
+print STDERR "_identify noncet=$noncet ok\n";
my $keys = $r->_open_keys();
while (my ($rkeyt, $rkey, $line) = $r->_read_key($keys)) {
+print STDERR "_identify search rkeyt=$rkeyt rkey=$rkey\n";
last if $rkeyt < $keyt; # too far down in the file
my $trysignature = $r->_hmac($rkey, $message);
+print STDERR "_identify search rkeyt=$rkeyt rkey=$rkey trysig=$trysignature\n";
return 't' if $trysignature eq $signature;
}
# oh well
+print STDERR "_identify NO\n";
$keys->error and die $!;
return 'n';
@@ -647,7 +684,7 @@ sub _db_record_login_ok ($$$) {
$r->_db_revoke($h);
my $dbh = $r->{Dbh};
$dbh->do("INSERT INTO $r->{S}{assocdb_table}".
- " (associd, username, last) VALUES (?,?,?)", {},
+ " (assochash, username, last) VALUES (?,?,?)", {},
$h, $user, time);
}
@@ -678,6 +715,7 @@ sub get_username ($) {
sub url_with_query_params ($$) {
my ($r, $params) = @_;
+print STDERR "PARAMS ",Dumper($params);
my $uri = URI->new($r->_ch('get_url'));
$uri->query_form(flatten_params($params));
return $uri->as_string();
@@ -706,16 +744,16 @@ sub check_ok ($) {
my $cookie = $r->construct_cookie($cookiesecret);
if (defined $cookiesecret) {
- $params->{$r->{S}{assoc_param_name}} = $r->hash($cookiesecret);
+ $params->{$r->{S}{assoc_param_name}} = [ $r->hash($cookiesecret) ];
}
if ($kind =~ m/^REDIRECT-/) {
# for redirects, we honour stored NextParams and SetCookie,
# as we would for non-divert
if ($kind eq 'REDIRECT-LOGGEDOUT') {
- $params->{$r->{S}{loggedout_param_names}[0]} = 1;
+ $params->{$r->{S}{loggedout_param_names}[0]} = [ 1 ];
} elsif ($kind eq 'REDIRECT-LOGOUT') {
- $params->{$r->{S}{logout_param_names}[0]} = 1;
+ $params->{$r->{S}{logout_param_names}[0]} = [ 1 ];
} elsif ($kind eq 'REDIRECT-LOGGEDIN') {
} else {
die;
@@ -733,7 +771,11 @@ sub check_ok ($) {
} elsif ($kind =~ m/^SMALLPAGE-/) {
$title = $r->_gt('Not logged in');
push @body, $r->_gt($divert->{Message});
- push @body, $r->_ch('gen_login_link');
+ push @body, $r->_ch('gen_login_link', $params);
+ } elsif ($kind =~ m/^MAINPAGEONLY$/) {
+ $title = $r->_gt('Entering secure site.');
+ push @body, $r->_gt($divert->{Message});
+ push @body, $r->_ch('gen_postmainpage_form', $params);
} else {
die $kind;
}
@@ -873,7 +915,7 @@ print STDERR "hmac $alg $base $digest\n";
sub hash ($$) {
my ($r, $message) = @_;
my $alg = $r->{S}{hash_algorithm};
-print STDERR "hash $alg";
+print STDERR "hash $alg\n";
my $digest = new Digest $alg;
$digest->add($message);
return $digest->hexdigest();
@@ -884,12 +926,17 @@ sub _assert_checked ($) {
die "unchecked" unless exists $r->{Divert};
}
+sub _must_be_post ($) {
+ my ($r) = @_;
+ my $meth = $r->_ch('get_method');
+ die "mutating non-POST" if $meth ne 'POST';
+}
+
sub check_mutate ($) {
my ($r) = @_;
$r->_assert_checked();
die if $r->{Divert};
- my $meth = $r->_ch('get_method');
- die "mutating non-POST" if $meth ne 'POST';
+ $r->_must_be_post();
}
#---------- output ----------
@@ -903,7 +950,7 @@ sub secret_cookie_val ($) {
sub secret_hidden_val ($) {
my ($r) = @_;
$r->_assert_checked();
- return defined $r->{AssocSecret} ? r->hash($r->{AssocSecret}) : '';
+ return defined $r->{AssocSecret} ? $r->hash($r->{AssocSecret}) : '';
}
sub secret_hidden_html ($) {