
View of /trunk/webwork-modperl/lib/WeBWorK/Authen.pm



Revision 343 - (download) (as text) (annotate)
Wed Jun 5 20:20:38 2002 UTC (11 years ago) by malsyned
File size: 2926 byte(s)
GDBM Authorization works fully.
More specifically:
    Users must authenticate if they don't provide user/key data.
    Fast login is requested automatically if a key has timed out.
A framework is in place to add other auth backends easily.

    1 package WeBWorK::Authen;
    2 
    3 use WeBWorK::DB::Auth;
    4 
    # Constructor: builds an authenticator bound to one request object and one
    # course environment.  It may be invoked on the class name or on an
    # existing instance, in which case the new object takes the instance's
    # class.  Nothing is validated here; the two arguments are simply stored
    # under the 'r' and 'courseEnvironment' keys for verify() to use.
    # Note: Perl ignores the ($$$) prototype when the sub is called as a method.
    sub new($$$) {
      my ($invocant, $request, $course_env) = @_;

      # Accept either a package name or an already-blessed object.
      my $class = ref($invocant) || $invocant;

      return bless {
        r                 => $request,
        courseEnvironment => $course_env,
      }, $class;
    }
   13 
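   # Produce a fresh session key: 40 characters drawn uniformly from a fixed
   # 67-character alphabet.
   #
   # The key is the only secret protecting a logged-in session, so it must not
   # be guessable.  Perl's rand()/srand() is a non-cryptographic generator (and
   # reseeding on every call ties the output to guessable values such as the
   # time), so the random bytes are taken from the kernel's /dev/urandom
   # instead.  If that source cannot be read the sub dies rather than fall back
   # to a predictable key.
   #
   # Returns: the key as a string.
   sub generate_key {
     # Package constants.  These should never be changed in other places ever
     my $key_length = 40;      # number of chars in each key
     my @key_chars = ('A'..'Z', 'a'..'z', '0'..'9', '.', '^', '/', '!', '*');

     my $alphabet_size = scalar @key_chars;

     # Bytes at or above this bound are discarded so that "byte % size" stays
     # uniform (256 is not a multiple of the alphabet size).
     my $reject_from = 256 - (256 % $alphabet_size);

     open(my $urandom, '<', '/dev/urandom')
       or die "generate_key: cannot open /dev/urandom: $!";
     binmode($urandom);

     my $key = '';
     while (length($key) < $key_length) {
       my $chunk = '';
       # sysread bypasses Perl's buffering, so only the bytes needed are drawn.
       my $got = sysread($urandom, $chunk, $key_length);
       die "generate_key: cannot read from /dev/urandom"
         unless defined $got && $got > 0;

       for my $byte (unpack('C*', $chunk)) {
         next if $byte >= $reject_from;
         $key .= $key_chars[$byte % $alphabet_size];
         last if length($key) == $key_length;
       }
     }
     close($urandom);

     return $key;
   }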
   28 
   29 # verify will return 1 if the person is who they say they are.
   30 # If the verification failed because of invalid authentication data,
   31 # a note will be written in the request explaining why it failed.
   32 # If the request failed because no authentication data was provided, however,
   33 # no note will be written, as this is expected to happen whenever someone
   34 # types in a URL manually, and is not considered an error condition.
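   # Authenticate the current request from its 'user', 'passwd' and 'key'
   # parameters.
   #
   # Returns 1 when the credentials are accepted and 0 otherwise.  The request
   # note "authen_error" is always written: it holds a human-readable reason
   # when the supplied credentials were rejected or incomplete, and undef both
   # on success and when no credentials were supplied at all.
   #
   # On a successful password login the password parameter is cleared and a
   # newly generated session key is stored for the user and placed in the
   # 'key' parameter, replacing whatever key the client may have sent.
   sub verify($) {
     my $self = shift;
     my $r = $self->{r};
     my $course_env = $self->{courseEnvironment};

     my $user = $r->param('user');
     my $passwd = $r->param('passwd');
     my $key = $r->param('key');

     # I wanted to get rid of that passwd up here for security reasons,
     # but usability dictates that we not clear out invalid passwords.
     # NOTE(review): a rejected password therefore stays in the request
     # parameters; code that re-emits parameters should keep it out of URLs
     # and logs.
     #$r->param('passwd',undef);

     # Both variables must be lexical.  Without the parentheses only $return
     # was declared, leaving $error a package global that under mod_perl
     # survives between requests and could leak a stale message into the
     # "authen_error" note of a later, successful request.
     my ($return, $error);

     my $auth = WeBWorK::DB::Auth->new($course_env);

     # The first part of this big conditional checks to make sure that we have
     # all of the form info that we need. It's pretty boring.  The kooky
     # authen stuff comes after that.
     if (!defined $user && !defined $passwd && !defined $key) {
       # The user hasn't even had a chance to say who he is, so we
       # can't hold it against him that we don't know.
       undef $error;
       $return = 0;
     } elsif (!$user) {
       $error = "You must specify a username";
       $return = 0;
     } elsif (!$passwd && !$key) {
       $error = "You must enter a password";
       $return = 0;
     }
     # OK, we're done with the trivia.  Now lets authenticate.
     # This is the part that will get rewritten after Sam finishes
     # his work on the database stuff.
     elsif ($passwd) {
       if ($auth->verifyPassword($user, $passwd)) {
         # Remove the passwd field from subsequent requests.
         $r->param('passwd',undef);
         # Always issue a fresh key on password login instead of adopting a
         # client-supplied one.
         $key = generate_key();
         $auth->setKey($user, $key, time);
         $r->param('key',$key);
         $return = 1;
       } else {
         # Same message for unknown user and wrong password, so the reply
         # does not reveal which usernames exist.
         $error = "Incorrect username or password";
         $return = 0;
       }
     } elsif ($key) {
       # The timestamp gets updated by verifyKey with the time passed in
       if ($auth->verifyKey($user, $key, time)) {
         $return = 1;
       } else {
         $error = "Your session has expired.  You must login again";
         $return = 0;
       }
     } else {
       $error = "Unexpected authentication error!";
       $return = 0;
     }


     $r->notes("authen_error",$error);
     return $return;

     # Whatever you do, don't delete this!
     # (Unreachable: it follows the return above and is never executed.)
     critical($r);
   }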
  103 
  104 1;
