From: Ian Jackson Date: Wed, 20 Mar 2013 18:29:33 +0000 (+0000) Subject: docs: more work X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=cgi-auth-flexible.git;a=commitdiff_plain;h=1a701618a0a38468ed193dd5fbb0f275994bb1f4;ds=sidebyside docs: more work --- diff --git a/caf.pod b/caf.pod index ef64982..ba5300c 100644 --- a/caf.pod +++ b/caf.pod @@ -68,7 +68,13 @@ honour the return value. =item * If you're using C, implement either the -C or C hook. +C or C hook and provide it as +a setting to C. + +=item * + +Provide the setting C (or provide absolute paths for all the +other relevant settings). =item * @@ -111,6 +117,8 @@ The resulting verifier object can be used to process individual requests, in each case with C<< $authreq = CGI::Auth::Flexible->new_request($cgi_query) >>. +See L. + =head2 CHECKING AND RESPONSE GENERATION If the user is logged in, your application is to handle the request. @@ -503,6 +511,180 @@ digits. =back +=head1 SETTINGS + +C and C each take a list of settings, as +a list of pairs C<< key => value >> (like a Perl hash assignment). + +The settings supplied to C are stored in the verifier +and will apply to all authreqs made from it unless overridden in the +call to C + +=over + +=head2 GENERAL SETTINGS + +=item C + +The directory CGI::Auth::Generic should use for its data storage. +This is actually just a default absolute path used when the other +path settings are relative values. + +Must be an absolute filename. + +=item C + +CGI::Auth::Flexible needs a database for recording users' login +session. This database needs to be shared across all instances of the +web application, so in a multi-node cluster it needs to be your actual +database. + +CGI::Auth::Flexible will create the table and index it needs if they +don't already exist, and will manage their contents. You do not need +to integrate them into the rest of your webapp's data storage. (In +particular, there is no need for transactional integrity across +changes made by CAF and your own application.) + +By default, CAF uses a sqlite3 database stored on local disk in the +file named by C. This will be suitable for all +applications which run on a single host. + +This value, if supplied, should be a DBI handle for the database. + +=item C + +This is the DSN to pass to C<< DBI->connect >>. Used only if +C is not supplied. + +=item C + +Path to the sqlite3 database used for CAF's session storage. The +default is currently C but will change in the future. + +Used only if neither C or C are supplied. + +If this is a relative path, it is in C. + +=item C + +Prefix for the SQL tables and indices to use (and to create, if +necessary). + +See L. + +=item C + +Path to the keys file used by CAF. This arrangement will change in +the future. See L. + +=item C + +Special file to read random numbers from. Should return +cryptographically secure (pseudo)-random bytes, unpredictable to +adversaries (even ones on the same machine). + +On Linux, there is no device which is properly suitable. This is a +bug in Linux. You can use C which can block +unnecessarily even though the kernel PRNG has been properly seeded and +is fine, or C which might return values which attackers +can predict if the kernel PRNG has not been properly seeded. + +The default is C. + +=item C + +Length of the assoc secret. Defaults to 128. + +=item C + +Must be a string suitable for use with C. +Defaults to C. + +=item C + +A user will be logged out this many seconds after they first logged +in. Default: 86400 (one day). + +=item C + +A login form becomes invalid this many seconds after it has been sent. +Default: 3600 seconds (one hour). + +=item C + +The key used for generating assoc secrets is rolled over approximately +this often (in seconds). Default: 86400. + +=item C + +Name of the hidden form parameter. Default: C. + +=item C + +Some of CAF's HTML-generating functions need to invent form parameter +names. They will all start with this string. Default: C. + +=item C + +Name of the cookie used for login sessions. Default: +C. + +=item C + +Name of the password field in the login form. Default: C. + +Used by C (the default C hook), +C and the default C hook. + +=item C + +Form parameter name used to indicate that this is a source download +request. If this parameter is supplied, C and +C will arrange for the applicaton source code to be +delivered as the response (in C's case by doing it itself +and in C's case by asking your application to do so. + +Default is C. + +=item C + +Arrayref of name(s) of username form parameters. + +The first entry is used by C (the default +C hook) to pass to the C hook and +used as the username if all is well. + +All the entries are used by C (the default +C hook for C) to generate form entry fields. + +The default is C<['username']>. + +=back + +=head2 SETTINGS FOR SOURCE CODE DOWNLOAD FACILITY + +=over + +=item C + +Path to the directory used for storing pre-prepared source downloads. +Defaults to C. + +If this is a relative path, it is in C. + +=back + + + +=head1 DATABASE TABLES + +In a simple application, you do not need to worry about this. But if +your application runs on multiple frontend hosts with a shared +database, you may need to create for yourself the tables and indices +used by CGI::Auth::Flexible. + +xxx document _db_setup_do +xxx make _db_setup_do explicitly overrideable xxx divert spec @@ -510,3 +692,10 @@ xxx reqtype xxx settings xxx html generators xxx document cookie + +xxx bugs wrong default random on Linux +xxx bugs wrong default random on *BSD +xxx bugs keys not shared should be in db +xxx rename caf-assocs.db +xxx rename caf_assocsecret default cookie name +xxx mention relationship between login_timeout and cookies