Diffstat (limited to 'lib/JWebmail')
-rw-r--r--lib/JWebmail/Controller/Webmail.pm15
-rw-r--r--lib/JWebmail/Model/ReadMails/MockJSON.pm7
-rw-r--r--lib/JWebmail/Model/ReadMails/Role.pm2
-rw-r--r--lib/JWebmail/Plugin/Helper.pm9
4 files changed, 22 insertions, 11 deletions
diff --git a/lib/JWebmail/Controller/Webmail.pm b/lib/JWebmail/Controller/Webmail.pm
index ee4a532..bdd7176 100644
--- a/lib/JWebmail/Controller/Webmail.pm
+++ b/lib/JWebmail/Controller/Webmail.pm
@@ -31,7 +31,7 @@ sub auth {
my $self = shift;
my $user = $self->session(S_USER);
- my $pw = $self->session_passwd;
+ my ($pw, $ch) = $self->session_passwd;
unless ($user && $pw) {
$self->flash(message => $self->l('no_session'));
@@ -40,9 +40,7 @@ sub auth {
return 0;
}
- my $authConf = {user => $user, password => $pw};
- $authConf->{challenge} = $self->app->secrets->[0] if $self->config->{session}{secure} eq 'cram';
- $self->stash(ST_AUTH() => $self->users->Auth($authConf));
+ $self->stash(ST_AUTH() => $self->users->Auth(user => $user, password => $pw, challenge => $ch));
return 1;
}
@@ -67,10 +65,16 @@ sub _time :prototype(&$$) {
sub login {
my $self = shift;
+ my $uses_cram = $self->config->{session}{secure} eq 'cram';
+
my $v = $self->validation;
my $user = $v->required('userid')->size(4, 50)->param;
my $passwd = $v->required('password')->size(4, 50)->like(qr/^.+$/)->param; # no new-lines
+ my $challenge;
+ if ($uses_cram) {
+ $challenge = $v->required('challenge')->size(4, 50)->param; # no new-lines
+ }
if ($v->has_error) {
$self->render(status => 400);
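Review bot: The challenge is taken from the client's own request (`$v->required('challenge')`), so the CRAM exchange has no server-issued nonce: the party that supplies the challenge also decides what the response is computed over, and a captured challenge/response pair stays valid for every later login, which removes the replay resistance a challenge/response scheme is meant to provide. The server should generate the challenge when it serves the login form, keep it (for example in the session) and compare the submitted value against that stored one here, rather than accepting it as a free-form field. Separately, the `# no new-lines` comment on the challenge line is copied from the password line but the `->like(qr/^.+$/)` check is not, so nothing enforces it; either add `->like(qr/^.+$/)` to the chain or drop the comment. The login sub continues outside the hunk.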
@@ -78,11 +82,12 @@ sub login {
}
my $auth = $self->users->Auth(user => $user, password => $passwd);
+ $auth->{challenge} = $challenge if $uses_cram;
my $valid = _time { $self->users->verify_user($auth) } $self, 'verify user';
if ($valid) {
$self->session(S_USER() => $user);
- $self->session_passwd($passwd);
+ $self->session_passwd($passwd, $challenge);
$self->res->code(303);
$self->redirect_to('displayheaders');
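Review bot: `$auth->{challenge} = $challenge if $uses_cram;` pokes the key into the object after construction, while the auth action in the same commit passes `challenge => $ch` straight to `Auth(...)` and Role.pm now accepts an undefined challenge; the two call sites would read the same if this became `my $auth = $self->users->Auth(user => $user, password => $passwd, challenge => $challenge);` (`$challenge` is undef when CRAM is off, which the relaxed spec allows). Note that `$self->session_passwd($passwd, $challenge)` then persists the client-supplied challenge together with its response, so the session carries a complete, reusable credential pair; a short comment on that line saying this is intentional, and that the session's own protection is what guards it, would help the next reader. The login sub starts outside the hunk.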
diff --git a/lib/JWebmail/Model/ReadMails/MockJSON.pm b/lib/JWebmail/Model/ReadMails/MockJSON.pm
index 7decb7d..345573c 100644
--- a/lib/JWebmail/Model/ReadMails/MockJSON.pm
+++ b/lib/JWebmail/Model/ReadMails/MockJSON.pm
@@ -6,8 +6,9 @@ use utf8;
use List::Util 'sum';
-use Mojo::JSON qw(decode_json);
+use Mojo::JSON 'decode_json';
+use Digest::HMAC_MD5 'hmac_md5_hex';
use Role::Tiny::With;
use namespace::clean;
@@ -51,6 +52,10 @@ sub verify_user {
my $self = shift;
my $auth = shift;
+ if ($auth->{challenge}) {
+ my $res = hmac_md5_hex($auth->{challenge}, VALID_PW);
+ return $auth->{user} eq VALID_USER && $auth->{password} eq $res;
+ }
return $auth->{user} eq VALID_USER && $auth->{password} eq VALID_PW;
}
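Review bot: `if ($auth->{challenge})` tests truthiness, so a challenge of `"0"` is treated as absent and the check silently falls through to the plaintext comparison on the next line; `if (defined $auth->{challenge} && length $auth->{challenge})` matches the intent. The expected response format is also only implicit: `hmac_md5_hex` yields lowercase hex, so a caller submitting uppercase hex fails the `eq` — a comment such as `# CRAM: response must be HMAC-MD5(challenge, password) as lowercase hex` on the `$res` line would save a trip to Digest::HMAC_MD5. The sub's opening line sits in the hunk header, outside the hunk body.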
diff --git a/lib/JWebmail/Model/ReadMails/Role.pm b/lib/JWebmail/Model/ReadMails/Role.pm
index d6472a1..466e3b0 100644
--- a/lib/JWebmail/Model/ReadMails/Role.pm
+++ b/lib/JWebmail/Model/ReadMails/Role.pm
@@ -20,7 +20,7 @@ sub Auth {
state $AuthCheck = {
user => {defined => 1, required => 1},
password => {defined => 1, required => 1},
- challenge => {defined => 1},
+ challenge => {},
};
my $self = @_ == 1 ? $_[0] : {@_};
diff --git a/lib/JWebmail/Plugin/Helper.pm b/lib/JWebmail/Plugin/Helper.pm
index cd72bfa..5edb4af 100644
--- a/lib/JWebmail/Plugin/Helper.pm
+++ b/lib/JWebmail/Plugin/Helper.pm
@@ -3,6 +3,7 @@ package JWebmail::Plugin::Helper;
use Mojo::Base Mojolicious::Plugin;
use List::Util qw(all min max);
+use Carp 'carp';
use POSIX qw(floor round log ceil);
use Mojo::Util qw(encode decode b64_encode b64_decode xml_escape);
@@ -156,7 +157,7 @@ sub _rand_data {
}
sub session_passwd {
- my ($c, $passwd) = @_;
+ my ($c, $passwd, $challenge) = @_;
my $secAlg = $c->config->{session}{secure};
die "you need to install Digest::HMAC_MD5 for cram to work"
@@ -165,7 +166,7 @@ sub session_passwd {
if (defined $passwd) { # set
if ($secAlg eq 'cram') {
- $c->session(S_PASSWD() => $passwd ? b64_encode(hmac_md5($passwd, $c->app->secrets->[0]), '') : '');
+ $c->session(S_PASSWD() => $passwd, challenge => $challenge);
}
elsif ($secAlg eq 's3d') {
unless ($passwd) {
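Review bot: The session key for the challenge is the bare string `challenge` here and again in the getter (the `$c->session('challenge')` line in the next hunk), while the password uses the `S_PASSWD()` constant; a single constant declared next to S_PASSWD would keep the two lookups from drifting, e.g. `$c->session(S_PASSWD() => $passwd, S_CHALLENGE() => $challenge);` with `S_CHALLENGE` defined alongside the existing keys. The replaced line was the only `hmac_md5` call visible in this file; if it was the last one, the `die "you need to install Digest::HMAC_MD5 for cram to work"` guard in the previous hunk no longer protects anything in session_passwd and could move to where the digest is actually computed (the model). session_passwd starts outside the hunk.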
@@ -187,8 +188,8 @@ sub session_passwd {
}
else { # get
if ($secAlg eq 'cram') {
- wantarray or warn "you forgot the challenge";
- return ($c->app->secrets->[0], $c->session(S_PASSWD));
+ wantarray or carp "you forgot the challenge";
+ return ($c->session('challenge'), $c->session(S_PASSWD));
}
elsif ($secAlg eq 's3d') {
my $pw = b64_decode($c->s3d(S_PASSWD) || '');
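Review bot: The getter's scalar-context behaviour deserves a comment: `return (...)` of a two-element list yields only its last element, so `my $pw = $c->session_passwd` silently receives the response without its challenge, which is exactly what the `carp` is guarding against; a line such as `# list context: (challenge, response); scalar context yields only the response` above the `wantarray` check would make that explicit. In CRAM mode the returned challenge is whatever was stored at login rather than a value this code issued, which callers that compare against it should be told. session_passwd continues outside the hunk.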