
Mailing List Archive: Catalyst: Users

Using Progressive realms when username and password fields are all different

 

 



gavin.henry at gmail

Jun 28, 2012, 1:09 PM

Post #1 of 10

Hi all,

I have three realms; customers, resellers and admins. Each auth table
in these realms is not consistent and uses different username_field
and password_field names. I can't change this.

Now the normal way is to do:

    if (
        $c->authenticate(
            {
                username => $username,
                password => $password
            },
            'progressive_test'
        )
      )
    {

This fails as no realms have username and password as the actual
column names. I wanted DWIM here so when I pass in username the auth
framework actually uses what I've set in my config using
username_field and password_field like so:

    <customers>
        <credential>
            class Password
            password_type clear
            username_field useralias
            password_field uipass
        </credential>
        <store>
            class DBIx::Class
            user_model CustomerDB::Account
        </store>
    </customers>

Ideas?

--
http://www.suretecsystems.com/services/openldap/
http://www.surevoip.co.uk/api

_______________________________________________
List: Catalyst [at] lists
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst [at] lists/
Dev site: http://dev.catalyst.perl.org/


tja824 at gmail

Jun 28, 2012, 1:50 PM

Post #2 of 10

Gavin,

Assuming you are using the Authentication plugin, you can define multiple
realm objects, each of which allows you to specify the columns to be used
for username and password. The documentation is pretty good on this one,
and it's working well for me.

http://search.cpan.org/~bobtfish/Catalyst-Plugin-Authentication-0.10020/lib/Catalyst/Plugin/Authentication.pm#CONFIGURATION


Does that help?

-Tim


On Thu, Jun 28, 2012 at 3:09 PM, Gavin Henry <gavin.henry [at] gmail> wrote:

> Hi all,
>
> I have three realms; customers, resellers and admins. Each auth table
> in these realms is not consistent and uses different username_field
> and password_field names. I can't change this.
>
> Now the normal way is to do:
>
>     if (
>         $c->authenticate(
>             {
>                 username => $username,
>                 password => $password
>             },
>             'progressive_test'
>         )
>       )
>     {
>
> This fails as no realms have username and password as the actual
> column names. I wanted DWIM here so when I pass in username the auth
> framework actually uses what I've set in my config using
> username_field and password_field like so:
>
>     <customers>
>         <credential>
>             class Password
>             password_type clear
>             username_field useralias
>             password_field uipass
>         </credential>
>         <store>
>             class DBIx::Class
>             user_model CustomerDB::Account
>         </store>
>     </customers>
>
> Ideas?
>


gavin.henry at gmail

Jun 28, 2012, 2:51 PM

Post #3 of 10

On 28 June 2012 21:50, Tim Anderson <tja824 [at] gmail> wrote:
> Gavin,
>
> Assuming you are using the Authentication plugin, you can define multiple
> realm objects, each of which allows you to specify the columns to be used
> for username and password.  The documentation is pretty good on this one,
> and it's working well for me.
>
> http://search.cpan.org/~bobtfish/Catalyst-Plugin-Authentication-0.10020/lib/Catalyst/Plugin/Authentication.pm#CONFIGURATION
>
> Does that help?

Hi Tim,

That's what I already have. I have 3 realms defined and then a
Progressive realm listing them:

    <progressive_oauth>
        class Progressive
        realms customers_oauth
        realms partners_oauth
        realms admins_oauth
        <authinfo_munge>
            <customers_oauth>
                type customer
            </customers_oauth>
            <partners_oauth>
                type partner
            </partners_oauth>
            <admins_oauth>
                type admin
            </admins_oauth>
        </authinfo_munge>
    </progressive_oauth>
    <customers_oauth>
        <credential>
            class Password
            password_type clear
            username_field useralias
            password_field uipass
        </credential>
        <store>
            class DBIx::Class
            user_model A2BillingDB::CcCard
        </store>
    </customers_oauth>
    <partners_oauth>
        <credential>
            class Password
            password_type clear
            username_field login
            password_field passwd
        </credential>
        <store>
            class DBIx::Class
            user_model A2BillingDB::CcAgent
        </store>
    </partners_oauth>
    <admins_oauth>
        <credential>
            class Password
            password_type hashed
            password_hash_type Whirlpool
            username_field login
            password_field pwd_encoded
        </credential>
        <store>
            class DBIx::Class
            user_model A2BillingDB::CcUiAuthen
        </store>
    </admins_oauth>

So I do:

    # Get the username and password from form
    my $username = $c->request->params->{username};
    my $password = $c->request->params->{password};
    my $signin = $c->request->params->{signin};

    if ($signin) {

        # If the username and password values were found in form
        if ( $username && $password ) {

            # Attempt to log the user in
            if (
                $c->authenticate(
                    {
                        username => $username,
                        password => $password
                    },
                    'progressive_oauth'
                )
              )
            {

I would expect me passing in username and password like above to then
map that to the config that defines username_field and password_field
but instead I get:

Thu Jun 28 22:50:22 2012] [error] Failed to load user data. You
passed [password,realm,type,username] to authenticate() but your user
source (A2BillingDB::CcAgent) only has these columns:
[id,datecreation,active,login,passwd,location,language,id_tariffgroup,options,credit,currency,locale,commission,vat,banner,perms,lastname,firstname,address,city,state,country,zipcode,phone,email,fax,company,com_balance,threshold_remittance,bank_info]
Check your authenticate() call.

Thanks.

--
http://www.suretecsystems.com/services/openldap/
http://www.surevoip.co.uk



tja824 at gmail

Jun 28, 2012, 3:08 PM

Post #4 of 10

The keys in the hash reference you are passing to the authenticate
function should match the keys in your CcAgent model, plus the password
field you defined in your config... something like this:

    # Attempt to log the user in

    if (
        $c->authenticate(
            {
                login => $username,
                passwd => $password
            },
            'progressive_oauth'
        )
      )
    {

-Tim


...snip...


gavin.henry at gmail

Jun 28, 2012, 3:12 PM

Post #5 of 10

On 28 June 2012 23:08, Tim Anderson <tja824 [at] gmail> wrote:
> The keys in the hash reference you are passing to the authenticate function
> should match the keys in your CcAgent model, plus the password field you
> defined in your config... something like this:
>
> # Attempt to log the user in
>
>            if (
>                $c->authenticate(
>                    {
>                        login => $username,
>                        passwd => $password
>                    },
>                    'progressive_oauth'
>                )
>              )
>            {
>

Thanks Tim. Yes, I know that but then the other two realms will fail
and that's the point of progressive. I want to call one ->authenticate
which tries all the realms I've defined in progressive_oauth.

Gavin.

--
http://www.suretecsystems.com/services/openldap/
http://www.surevoip.co.uk



billcrawford1970 at gmail

Jun 29, 2012, 2:59 AM

Post #6 of 10

On 28 June 2012 23:12, Gavin Henry <gavin.henry [at] gmail> wrote:
...
> Thanks Tim. Yes, I know that but then the other two realms will fail
> and that's the point of progressive. I want to call one ->authenticate
> which tries all the realms I've defined in progressive_oauth.

Regrettably, the docs for the Password realm saith:

NOTE If the password_field is something other than 'password', you
must be sure to use that same field name when calling
$c->authenticate().

I'd call that a bug, personally - it certainly isn't intuitive that
you can specify the field to use, but then have to remember it in all
your calls to authenticate().

Not much can be done about that, though. Maybe someone can produce an adaptor?



dhoworth at mrc-lmb

Jun 29, 2012, 3:34 AM

Post #7 of 10

Will Crawford wrote:
> On 28 June 2012 23:12, Gavin Henry <gavin.henry [at] gmail> wrote:
> ...
>> Thanks Tim. Yes, I know that but then the other two realms will fail
>> and that's the point of progressive. I want to call one ->authenticate
>> which tries all the realms I've defined in progressive_oauth.
>
> Regrettably, the docs for the Password realm saith:
>
> NOTE If the password_field is something other than 'password', you
> must be sure to use that same field name when calling
> $c->authenticate().
>
> I'd call that a bug, personally - it certainly isn't intuitive that
> you can specify the field to use, but then have to remember it in all
> your calls to authenticate().
>
> Not much can be done about that, though. Maybe someone can produce an adaptor?

Does something like this fix the problem?

--- Password.pm 2012-06-29 11:23:51.000000000 +0100
+++ Password-new.pm 2012-06-29 11:33:40.000000000 +0100
@@ -34,6 +34,14 @@
sub authenticate {
my ( $self, $c, $realm, $authinfo ) = @_;

+ my $password_field = $self->_config->{'password_field'};
+ if ($password_field ne 'password'
+ and defined $authinfo->{password}) {
+ $authinfo = {%{$authinfo}};
+ $authinfo->{$password_field} = $authinfo->{password};
+ delete $authinfo->{password};
+ }
+
## because passwords may be in a hashed format, we have to make
sure that we remove the
## password_field before we pass it to the user routine, as some
auth modules use
## all data passed to them to find a matching user...
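
Review bot: At `$authinfo->{$password_field} = $authinfo->{password};` the copy is unconditional, so a caller who already passes the configured field name alongside `password` has that value silently replaced. Consider applying the mapping only when `!exists $authinfo->{$password_field}`, or dying on the conflict, and state in the POD that `password` is now treated as an alias for the configured field. The shallow copy via `{%{$authinfo}}` is worth keeping, since it leaves the caller's hash untouched.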




gavin.henry at gmail

Jun 29, 2012, 1:18 PM

Post #8 of 10

> Does something like this fix the problem?
>
> --- Password.pm 2012-06-29 11:23:51.000000000 +0100
> +++ Password-new.pm     2012-06-29 11:33:40.000000000 +0100
> @@ -34,6 +34,14 @@
>  sub authenticate {
>     my ( $self, $c, $realm, $authinfo ) = @_;
>
> +    my $password_field = $self->_config->{'password_field'};
> +    if ($password_field ne 'password'
> +    and defined $authinfo->{password}) {
> +       $authinfo = {%{$authinfo}};
> +       $authinfo->{$password_field} = $authinfo->{password};
> +       delete $authinfo->{password};
> +    }
> +
>     ## because passwords may be in a hashed format, we have to make
> sure that we remove the
>     ## password_field before we pass it to the user routine, as some
> auth modules use
>     ## all data passed to them to find a matching user...
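
Review bot: `$password_field` is compared with `ne` in the first added condition without a definedness check; if no default has been applied to `password_field` before this point (nothing in the hunk shows one), the comparison warns and the password is then stored under an empty-string key. Guard with `defined $password_field`, or fall back to `'password'` before the comparison.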

I've raised:

https://rt.cpan.org/Ticket/Display.html?id=78115

The main problem is that and the fact that username_field is missing.

I'd like to do ->authenticate( { username => $blah, password => $blah2 })

if username_field and/or password_field is in the config, map those to
above values, if not just use the default. Otherwise there's no way you
can use a Progressive realm with non-consistent user/pass field names in
your DB. I could add a view....but it's not my DB.

Silly or sane?

--
http://www.suretecsystems.com/services/openldap/
http://www.surevoip.co.uk



bobtfish at bobtfish

Jun 30, 2012, 4:04 AM

Post #9 of 10

On 29 Jun 2012, at 10:59, Will Crawford wrote:

> On 28 June 2012 23:12, Gavin Henry <gavin.henry [at] gmail> wrote:
> ...
>> Thanks Tim. Yes, I know that but then the other two realms will fail
>> and that's the point of progressive. I want to call one ->authenticate
>> which tries all the realms I've defined in progressive_oauth.
>
> Regrettably, the docs for the Password realm saith:
>
> NOTE If the password_field is something other than 'password', you
> must be sure to use that same field name when calling
> $c->authenticate().
>
> I'd call that a bug, personally - it certainly isn't intuitive that
> you can specify the field to use, but then have to remember it in all
> your calls to authenticate().
>
> Not much can be done about that, though. Maybe someone can produce an adaptor?

I don't disagree that it's confusing, however it _is_ intentional, as you can pass an arbitrary hash of data into $c->authenticate for the auth info (allowing you to do lookups on the values of multiple fields).

What happens is that the configured 'password_field' is _removed_ by the Password credential when it calls the 'find_user' method, and then the remaining fields are passed to the store to lookup a user with - this allows you to say $c->authenticate({username => $u, password => $p, is_admin => 1});

For example.

Patches to improve the documentation would be welcome, of course! :)

Cheers
t0m




bobtfish at bobtfish

Jun 30, 2012, 4:09 AM

Post #10 of 10

On 29 Jun 2012, at 21:18, Gavin Henry wrote:
> The main problem is that and the fact that username_field is missing.
>
> I'd like to do ->authenticate( { username => $blah, password => $blah2 })
>
> if username_field and/or password_field is in the config, map those to
> above values, if not
> just use the default. Otherwise there's no way you can use a
> Progressive realm with
> non-consistent user/pass field names in your DB. I could add a
> view....but it's not my
> DB.
>
> Silly or sane?

What you want / need is to be able to re-map the auth-info in some way before (or at the time of) the call to $realm->find_user

I'd suggest that C::Authentication::Realm be patched to support an 'authinfo_mangle' config key, which would look something like this:

    {
        add => {
            some_key => 'some_value',
        },
        remove => [qw/ some_other_key /],
        rename => {
            from_field_name => 'to_field_name',
        }
    }

This would allow you to add/remove/rename arbitrary fields that were passed into $c->authenticate({}); - this would solve the issue in a generic way, right?

Cheers
t0m
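
The remapping proposed in post #10, combined with the password_field removal described in post #9, as an added Perl example that is not code from the thread or from Catalyst. `mangle_authinfo`, `lookup_keys` and the realm table are hypothetical, the form input is constructed, and the remove/rename/add order is an assumption.

```perl
use strict;
use warnings;

# Hypothetical helper (not part of Catalyst): applies a spec shaped like the
# proposed 'authinfo_mangle' key to a shallow copy of the authinfo hash.
# Assumed order: remove, then rename, then add.
sub mangle_authinfo {
    my ($authinfo, $spec) = @_;
    my %out = %{$authinfo};                  # never mutate the caller's hash
    delete @out{ @{ $spec->{remove} || [] } };
    my %rename = %{ $spec->{rename} || {} };
    for my $from (sort keys %rename) {
        my $to = $rename{$from};
        next if $from eq $to or !exists $out{$from};
        die "authinfo_mangle: '$to' already supplied, refusing to overwrite\n"
            if exists $out{$to};
        $out{$to} = delete $out{$from};
    }
    my %add = %{ $spec->{add} || {} };
    @out{ keys %add } = values %add;
    return \%out;
}

# Mimics the flow described in the thread: the configured password_field is
# dropped, and every remaining key is handed to the store to find the user.
sub lookup_keys {
    my ($authinfo, $password_field) = @_;
    my @keys = grep { $_ ne $password_field } keys %{$authinfo};
    return sort @keys;
}

# Constructed realm table using the field names from the thread's config.
my %realms = (
    customers_oauth => { pw => 'uipass',      rename => { username => 'useralias', password => 'uipass' } },
    partners_oauth  => { pw => 'passwd',      rename => { username => 'login',     password => 'passwd' } },
    admins_oauth    => { pw => 'pwd_encoded', rename => { username => 'login',     password => 'pwd_encoded' } },
);

my $form = { username => 'alice', password => 's3cret' };    # constructed input
for my $name (sort keys %realms) {
    my $r      = $realms{$name};
    my %is_col = map { $_ => 1 } values %{ $r->{rename} };   # known columns only
    my $mapped = mangle_authinfo($form, { rename => $r->{rename} });
    my @before = grep { !$is_col{$_} } lookup_keys($form,   $r->{pw});
    my @after  = grep { !$is_col{$_} } lookup_keys($mapped, $r->{pw});
    printf "%-16s non-column lookup keys: before=[%s] after=[%s]\n",
        $name, join(',', @before), join(',', @after);
}
```

Without the rename, the generic `password` key is not the configured password_field, so it is never stripped and travels to the store as a lookup key along with `username`.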




