From 8be9bfceabd19dfb7474de5707ec9ccb9dcea2d9 Mon Sep 17 00:00:00 2001
From: Ian Jackson <ijackson@chiark.greenend.org.uk>
Date: Sat, 10 Nov 2012 17:40:36 +0000
Subject: [PATCH] wip

---
 cgi-auth-hybrid.pm | 79 +++++++++++++++++++++++++++++-----------------
 1 file changed, 50 insertions(+), 29 deletions(-)

diff --git a/cgi-auth-hybrid.pm b/cgi-auth-hybrid.pm
index 953db15..3388b85 100644
--- a/cgi-auth-hybrid.pm
+++ b/cgi-auth-hybrid.pm
@@ -32,6 +32,16 @@ our @EXPORT_OK;
 use DBI;
 use CGI;
 
+#---------- default callbacks ----------
+
+sub _def_is_logout ($$) {
+    my ($c,$r) = @_;
+    foreach my $pn (@{ $r->{S}{logout_param_names} }) {
+	return 1 if $r->_cm('get_param')($pn);
+    }
+    return 0;
+}
+
 #---------- verifier object methods ----------
 
 sub new_verifier {
@@ -46,14 +56,17 @@ sub new_verifier {
 	    random_source => '/dev/urandom',
 	    associdlen => 128, # bits
 	    login_timeout => 86400, # seconds
-	    param_name => 'cah_associd',
+	    assoc_param_name => 'cah_associd',
+	    password_param_name => 'password',
+	    logout_param_names => [qw(logout)],
 	    promise_check_mutate => 0,
-	    cookie_name => 'cah_associd', # make undef to disable cookie
-	    get_param => sub { $_[0]->param($s->{S}{param_name}) },
-	    get_cookie => sub { $s->{S}{cookie_name}
-				? $_[0]->cookie($s->{S}{cookie_name})
-				: '' },
+	    get_param => sub { $_[0]->param($_[2]) },
+	    get_cookie => sub { $_[0]->cookie($s->{S}{cookie_name}) },
 	    get_method => sub { $_[0]->request_method() },
+            is_login => sub { defined $_[1]->_rp('password_param_name') },
+            login_ok => sub { die },
+	    is_logout => \&_def_is_logout,
+	    is_page => sub { return 1 },
 	},
 	Dbh => undef,
     };
@@ -86,9 +99,9 @@ sub _dbopen ($) {
 
     eval {
 	$dbh->do("CREATE TABLE $s->{S}{assocdb_table} (".
-		 " associd VARCHAR PRIMARY KEY,".
+		 " associdh VARCHAR PRIMARY KEY,".
                  " username VARCHAR,".
-		 " last INTEGER"
+		 " last INTEGER NOT NULL"
 		 ")");
     };
     return $dbh;
@@ -111,34 +124,21 @@ sub new_request {
     bless $r, ref $classbase;
 }
 
-sub _cm ($$@) {
+sub _ch ($$@) { # calls an application hook
     my ($r,$methname, @args) = @_;
     my $methfunc = $r->{S}{$methname};
     return $methfunc->($r->{Cgi}, $r, @args);
 }
 
-sub record_login ($$) {
-    my ($r,$nusername) = @_;
-    my $rsp = $r->{S}{random_source};
-    my $rsf = new IO::File $rsp, '<' or die "$rsp $!";
-    my $bytes = ($r->{S}{associdlen} + 7) >> 3;
-    my $nassocbin;
-    $!=0;
-    read($rsf,$nassocbin,$bytes) == $bytes or die "$rsp $!";
-    close $rsf;
-    my $nassoc = unpack "H*", $nassocbin;
-    my $dbh = $r->{Dbh};
-    $dbh->do("INSERT INTO $r->{S}{assocdb_table}".
-	     " (associd, username, last) VALUES (?,?,?)", {},
-	     $nassoc, $nusername, time);
-    $dbh->do("COMMIT");
-    $r->{U} = $nusername;
-    $r->{A} = $nassoc;
+sub _rp ($$@) {
+    my ($r,$pnvb) = @_;
+    my $pn = $r->{S}{"${pnvb}_param_name"};
+    my $p = $r->_ch('get_param',$pn)
 }
 
 sub _check_core ($) {
     my ($r) = @_;
-    my $qassoc = $r->_cm('get_param');
+    my $qassoc = $r->_ch('get_param');
     my ($nassoc,$nmutate);
     if (!defined $r->{S}{cookie_name}) {
 	# authentication is by hidden form parameter only
@@ -149,18 +149,39 @@ sub _check_core ($) {
 	# authentication is by cookie
 	# the cookie suffices for read-only GET requests
 	# for mutating and non-GET requests we require hidden param too
-	my $cassoc = $r->_cm('get_cookie');
+	my $cassoc = $r->_ch('get_cookie');
 	return undef unless defined $cassoc;
 	$nassoc = $cassoc;
 	if (defined $qassoc && $qassoc eq $cassoc) {
 	    $nmutate = 1;
 	} else {
 	    return undef unless $r->{S}{promise_check_mutate};
-	    return undef unless $r->_cm('get_method') eq 'GET';
+	    return undef unless $r->_ch('get_method') eq 'GET';
 	    $nmutate = 0;
 	}
     }
 
+UP TO HERE
+
+sub record_login ($$) {
+    my ($r,$nusername) = @_;
+    my $rsp = $r->{S}{random_source};
+    my $rsf = new IO::File $rsp, '<' or die "$rsp $!";
+    my $bytes = ($r->{S}{associdlen} + 7) >> 3;
+    my $nassocbin;
+    $!=0;
+    read($rsf,$nassocbin,$bytes) == $bytes or die "$rsp $!";
+    close $rsf;
+    my $nassoc = unpack "H*", $nassocbin;
+    my $dbh = $r->{Dbh};
+    $dbh->do("INSERT INTO $r->{S}{assocdb_table}".
+	     " (associd, username, last) VALUES (?,?,?)", {},
+	     $nassoc, $nusername, time);
+    $dbh->do("COMMIT");
+    $r->{U} = $nusername;
+    $r->{A} = $nassoc;
+}
+
 # pages/param-sets are
 #   n normal non-mutating page
 #   r retrieval of information for JS, non-mutating
-- 
2.30.2