propper cram support (baring some details rng)

author: Jannis M. Hoffmann <jannis.hoffmann@rwth-aachen.de> 2022-05-05 14:41:10 +0200
committer: Jannis M. Hoffmann <jannis.hoffmann@rwth-aachen.de> 2022-05-05 14:41:10 +0200
commit: febfd792ce3a63314c980cc29440cf2f127953b4 (patch)
tree: 196b98d1ead81459869aa4675fd7a198b0d7822b /lib
parent: e740d60265adacfef6edb6b534ae31eedf9011da (diff)
4 files changed, 22 insertions, 11 deletions
diff --git a/lib/JWebmail/Controller/Webmail.pm b/lib/JWebmail/Controller/Webmail.pm
index ee4a532..bdd7176 100644
--- a/lib/JWebmail/Controller/Webmail.pm
+++ b/lib/JWebmail/Controller/Webmail.pm
@@ -31,7 +31,7 @@ sub auth {
     my $self = shift;
 
     my $user = $self->session(S_USER);
-    my $pw = $self->session_passwd;
+    my ($pw, $ch) = $self->session_passwd;
 
     unless ($user && $pw) {
         $self->flash(message => $self->l('no_session'));
@@ -40,9 +40,7 @@ sub auth {
         return 0;
     }
 
-    my $authConf = {user => $user, password => $pw};
-    $authConf->{challenge} = $self->app->secrets->[0] if $self->config->{session}{secure} eq 'cram';
-    $self->stash(ST_AUTH() => $self->users->Auth($authConf));
+    $self->stash(ST_AUTH() => $self->users->Auth(user => $user, password => $pw, challenge => $ch));
 
     return 1;
 }
@@ -67,10 +65,16 @@ sub _time :prototype(&$$) {
 sub login {
     my $self = shift;
 
+    my $uses_cram = $self->config->{session}{secure} eq 'cram';
+
     my $v = $self->validation;
     
     my $user = $v->required('userid')->size(4, 50)->param;
     my $passwd = $v->required('password')->size(4, 50)->like(qr/^.+$/)->param; # no new-lines
+    my $challenge;
+    if ($uses_cram) {
+        $challenge = $v->required('challenge')->size(4, 50)->param; # no new-lines
+    }
 
     if ($v->has_error) {
         $self->render(status => 400);
@@ -78,11 +82,12 @@ sub login {
     }
 
     my $auth = $self->users->Auth(user => $user, password => $passwd);
+    $auth->{challenge} = $challenge if $uses_cram;
     my $valid = _time { $self->users->verify_user($auth) } $self, 'verify user';
 
     if ($valid) {
         $self->session(S_USER() => $user);
-        $self->session_passwd($passwd);
+        $self->session_passwd($passwd, $challenge);
 
         $self->res->code(303);
         $self->redirect_to('displayheaders');
diff --git a/lib/JWebmail/Model/ReadMails/MockJSON.pm b/lib/JWebmail/Model/ReadMails/MockJSON.pm
index 7decb7d..345573c 100644
--- a/lib/JWebmail/Model/ReadMails/MockJSON.pm
+++ b/lib/JWebmail/Model/ReadMails/MockJSON.pm
@@ -6,8 +6,9 @@ use utf8;
 
 use List::Util 'sum';
 
-use Mojo::JSON qw(decode_json);
+use Mojo::JSON 'decode_json';
 
+use Digest::HMAC_MD5 'hmac_md5_hex';
 use Role::Tiny::With;
 
 use namespace::clean;
@@ -51,6 +52,10 @@ sub verify_user {
     my $self = shift;
     my $auth = shift;
 
+    if ($auth->{challenge}) {
+        my $res = hmac_md5_hex($auth->{challenge}, VALID_PW);
+        return $auth->{user} eq VALID_USER && $auth->{password} eq $res;
+    }
     return $auth->{user} eq VALID_USER && $auth->{password} eq VALID_PW;
 }
 
diff --git a/lib/JWebmail/Model/ReadMails/Role.pm b/lib/JWebmail/Model/ReadMails/Role.pm
index d6472a1..466e3b0 100644
--- a/lib/JWebmail/Model/ReadMails/Role.pm
+++ b/lib/JWebmail/Model/ReadMails/Role.pm
@@ -20,7 +20,7 @@ sub Auth {
     state $AuthCheck = {
         user =>      {defined => 1, required => 1},
         password =>  {defined => 1, required => 1},
-        challenge => {defined => 1},
+        challenge => {},
     };
     my $self = @_ == 1 ? $_[0] : {@_};
 
diff --git a/lib/JWebmail/Plugin/Helper.pm b/lib/JWebmail/Plugin/Helper.pm
index cd72bfa..5edb4af 100644
--- a/lib/JWebmail/Plugin/Helper.pm
+++ b/lib/JWebmail/Plugin/Helper.pm
@@ -3,6 +3,7 @@ package JWebmail::Plugin::Helper;
 use Mojo::Base Mojolicious::Plugin;
 
 use List::Util qw(all min max);
+use Carp 'carp';
 use POSIX qw(floor round log ceil);
 
 use Mojo::Util qw(encode decode b64_encode b64_decode xml_escape);
@@ -156,7 +157,7 @@ sub _rand_data {
 }
 
 sub session_passwd {
-    my ($c, $passwd) = @_;
+    my ($c, $passwd, $challenge) = @_;
     my $secAlg = $c->config->{session}{secure};
 
     die "you need to install Digest::HMAC_MD5 for cram to work"
@@ -165,7 +166,7 @@ sub session_passwd {
 
     if (defined $passwd) { # set
         if ($secAlg eq 'cram') {
-            $c->session(S_PASSWD() => $passwd ? b64_encode(hmac_md5($passwd, $c->app->secrets->[0]), '') : '');
+            $c->session(S_PASSWD() => $passwd, challenge => $challenge);
         }
         elsif ($secAlg eq 's3d') {
             unless ($passwd) {
@@ -187,8 +188,8 @@ sub session_passwd {
     }
     else { # get
         if ($secAlg eq 'cram') {
-            wantarray or warn "you forgot the challenge";
-            return ($c->app->secrets->[0], $c->session(S_PASSWD));
+            wantarray or carp "you forgot the challenge";
+            return ($c->session('challenge'), $c->session(S_PASSWD));
         }
         elsif ($secAlg eq 's3d') {
             my $pw = b64_decode($c->s3d(S_PASSWD) || '');
author	Jannis M. Hoffmann <jannis.hoffmann@rwth-aachen.de>	2022-05-05 14:41:10 +0200
committer	Jannis M. Hoffmann <jannis.hoffmann@rwth-aachen.de>	2022-05-05 14:41:10 +0200
commit	febfd792ce3a63314c980cc29440cf2f127953b4 (patch)
tree	196b98d1ead81459869aa4675fd7a198b0d7822b /lib
parent	e740d60265adacfef6edb6b534ae31eedf9011da (diff)