1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
|
package Plack::Middleware::Auth::Htpasswd;
use strict;
use warnings;
use base 'Plack::Middleware';
use Plack::Util::Accessor qw(realm file file_root);
use Plack::Request;
use Authen::Htpasswd;
use MIME::Base64;
use Path::Class ();
# ABSTRACT: http basic authentication through apache-style .htpasswd files
=head1 SYNOPSIS
use Plack::Builder;
my $app = sub { ... };
builder {
enable "Auth::Htpasswd", file => '/path/to/.htpasswd';
$app;
};
or
builder {
enable "Auth::Htpasswd", file_root => '/path/to/my/static/files';
$app;
};
=head1 DESCRIPTION
This middleware enables HTTP Basic authenication, based on the users in an
L<Apache-style htpasswd file|http://httpd.apache.org/docs/2.0/programs/htpasswd.html>.
You can either specify the file directly, through the C<file> option, or use
the C<file_root> option to specify the root directory on the filesystem that
corresponds to the web application root. This second option is more useful when
using an app that is closely tied to the filesystem, such as
L<Plack::App::Directory>. If C<file_root> is used, the requested path will be
inspected, and a file named C<.htpasswd> will be checked in each containing
directory, up to the C<file_root>. The first one found will be used to validate
the requested user.
=head1 CONFIGURATION
=head2 file
Name of a .htpasswd file to read authentication information from. Required if
C<file_root> is not set.
=head2 file_root
Path to the on-disk directory that corresponds to the root URL path of the app.
Required C<file> is not set, and ignored if C<file> is set.
=head2 realm
Realm name to display in the basic authentication dialog. Defaults to
'restricted area'.
=cut
sub prepare_app {
my $self = shift;
die "must specify either file or file_root"
unless defined $self->file || $self->file_root;
}
sub call {
my($self, $env) = @_;
my $auth = $env->{HTTP_AUTHORIZATION};
return $self->unauthorized
unless $auth && $auth =~ /^Basic (.*)$/;
my $auth_string = $1;
my ($user, $pass) = split /:/, (
MIME::Base64::decode($auth_string . '==') || ":"
);
$pass = '' unless defined $pass;
if ($self->authenticate($env, $user, $pass)) {
$env->{REMOTE_USER} = $user;
return $self->app->($env);
}
else {
return $self->unauthorized;
}
}
sub _check_password {
my $self = shift;
my ($file, $user, $pass) = @_;
my $htpasswd = Authen::Htpasswd->new($file);
my $htpasswd_user = $htpasswd->lookup_user($user);
return unless $htpasswd_user;
return $htpasswd_user->check_password($pass);
}
sub authenticate {
my $self = shift;
my ($env, $user, $pass) = @_;
return $self->_check_password($self->file, $user, $pass)
if defined $self->file;
my $path = Plack::Request->new($env)->path;
my $dir = Path::Class::Dir->new($self->file_root);
my @htpasswd = $path ne '/'
? reverse
map { $_->file('.htpasswd')->stringify }
map { $dir = $dir->subdir($_) }
split m{/}, $path
: ($dir->file('.htpasswd')->stringify);
for my $htpasswd (@htpasswd) {
next unless -f $htpasswd && -r _;
return $self->_check_password($htpasswd, $user, $pass);
}
return;
}
sub unauthorized {
my $self = shift;
my $body = 'Authorization required';
return [
401,
[
'Content-Type' => 'text/plain',
'Content-Length' => length $body,
'WWW-Authenticate' => 'Basic realm="'
. ($self->realm || "restricted area")
. '"'
],
[ $body ],
];
}
=head1 SEE ALSO
L<Plack>
L<Plack::Middleware::Auth::Basic>
=head1 CREDITS
Large parts of this code were modeled after (read: stolen from)
L<Plack::Middleware::Auth::Basic> by Tatsuhiko Miyagawa.
=begin Pod::Coverage
unauthorized
authenticate
=end Pod::Coverage
=cut
1;
|
