Diffstat (limited to 'lib')
-rw-r--r-- | lib/JWebmail/Controller/Webmail.pm | 15 | ||||
-rw-r--r-- | lib/JWebmail/Model/ReadMails/MockJSON.pm | 7 | ||||
-rw-r--r-- | lib/JWebmail/Model/ReadMails/Role.pm | 2 | ||||
-rw-r--r-- | lib/JWebmail/Plugin/Helper.pm | 9 |
4 files changed, 22 insertions, 11 deletions
diff --git a/lib/JWebmail/Controller/Webmail.pm b/lib/JWebmail/Controller/Webmail.pm
index ee4a532..bdd7176 100644
--- a/lib/JWebmail/Controller/Webmail.pm
+++ b/lib/JWebmail/Controller/Webmail.pm
@@ -31,7 +31,7 @@ sub auth {
 my $self = shift;
 my $user = $self->session(S_USER);
- my $pw = $self->session_passwd;
+ my ($pw, $ch) = $self->session_passwd;
 unless ($user && $pw) {
 $self->flash(message => $self->l('no_session'));
@@ -40,9 +40,7 @@ sub auth {
 return 0;
 }
- my $authConf = {user => $user, password => $pw};
- $authConf->{challenge} = $self->app->secrets->[0] if $self->config->{session}{secure} eq 'cram';
- $self->stash(ST_AUTH() => $self->users->Auth($authConf));
+ $self->stash(ST_AUTH() => $self->users->Auth(user => $user, password => $pw, challenge => $ch));
 return 1;
 }
@@ -67,10 +65,16 @@ sub _time :prototype(&$$) {
 sub login {
 my $self = shift;
+ my $uses_cram = $self->config->{session}{secure} eq 'cram';
+
 my $v = $self->validation;
 my $user = $v->required('userid')->size(4, 50)->param;
 my $passwd = $v->required('password')->size(4, 50)->like(qr/^.+$/)->param; # no new-lines
+ my $challenge;
+ if ($uses_cram) {
+ $challenge = $v->required('challenge')->size(4, 50)->param; # no new-lines
+ }
 if ($v->has_error) {
 $self->render(status => 400);
@@ -78,11 +82,12 @@ sub login {
 }
 my $auth = $self->users->Auth(user => $user, password => $passwd);
+ $auth->{challenge} = $challenge if $uses_cram;
 my $valid = _time { $self->users->verify_user($auth) } $self, 'verify user';
 if ($valid) {
 $self->session(S_USER() => $user);
- $self->session_passwd($passwd);
+ $self->session_passwd($passwd, $challenge);
 $self->res->code(303);
 $self->redirect_to('displayheaders');
diff --git a/lib/JWebmail/Model/ReadMails/MockJSON.pm b/lib/JWebmail/Model/ReadMails/MockJSON.pm
index 7decb7d..345573c 100644
--- a/lib/JWebmail/Model/ReadMails/MockJSON.pm
+++ b/lib/JWebmail/Model/ReadMails/MockJSON.pm 
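Review bot: The challenge in `$challenge = $v->required('challenge')->size(4, 50)->param;` comes from the client and is never compared with a value the server issued, so verify_user and the session end up trusting a caller-chosen challenge; unless the challenge is bound to a server-generated nonce somewhere outside this hunk, a captured challenge/response pair stays valid indefinitely. Generating the challenge server-side when the login form is rendered, keeping it in the session, and rejecting a submission whose challenge differs would restore the freshness property CRAM depends on; the same client-supplied value is what the Helper.pm hunks at -165 and -187 store and read back. Separately, the trailing `# no new-lines` on that line is copied from the password line but the `->like(qr/^.+$/)` check is not, so the comment is currently untrue; `$challenge = $v->required('challenge')->size(4, 50)->like(qr/^.+$/)->param; # no new-lines` would make it hold. login's body continues outside the hunk.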
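Review bot: `$auth->{challenge} = $challenge if $uses_cram;` patches the hash returned by Auth after the fact, while the auth hunk above now passes the challenge directly as `challenge => $ch`; since `$challenge` is only ever assigned under `$uses_cram` and the Role.pm hunk relaxes the spec to accept an undefined challenge, the guard is redundant and the two call sites can take the same shape. `my $auth = $self->users->Auth(user => $user, password => $passwd, challenge => $challenge);` keeps the construction in one place and drops the extra line.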
@@ -6,8 +6,9 @@ use utf8;
 use List::Util 'sum';
-use Mojo::JSON qw(decode_json);
+use Mojo::JSON 'decode_json';
+use Digest::HMAC_MD5 'hmac_md5_hex';
 use Role::Tiny::With;
 use namespace::clean;
@@ -51,6 +52,10 @@ sub verify_user {
 my $self = shift;
 my $auth = shift;
+ if ($auth->{challenge}) {
+ my $res = hmac_md5_hex($auth->{challenge}, VALID_PW);
+ return $auth->{user} eq VALID_USER && $auth->{password} eq $res;
+ }
 return $auth->{user} eq VALID_USER && $auth->{password} eq VALID_PW;
 }
diff --git a/lib/JWebmail/Model/ReadMails/Role.pm b/lib/JWebmail/Model/ReadMails/Role.pm
index d6472a1..466e3b0 100644
--- a/lib/JWebmail/Model/ReadMails/Role.pm
+++ b/lib/JWebmail/Model/ReadMails/Role.pm
@@ -20,7 +20,7 @@ sub Auth {
 state $AuthCheck = {
 user => {defined => 1, required => 1},
 password => {defined => 1, required => 1},
- challenge => {defined => 1},
+ challenge => {},
 };
 my $self = @_ == 1 ? $_[0] : {@_};
diff --git a/lib/JWebmail/Plugin/Helper.pm b/lib/JWebmail/Plugin/Helper.pm
index cd72bfa..5edb4af 100644
--- a/lib/JWebmail/Plugin/Helper.pm
+++ b/lib/JWebmail/Plugin/Helper.pm
@@ -3,6 +3,7 @@ package JWebmail::Plugin::Helper;
 use Mojo::Base Mojolicious::Plugin;
 use List::Util qw(all min max);
+use Carp 'carp';
 use POSIX qw(floor round log ceil);
 use Mojo::Util qw(encode decode b64_encode b64_decode xml_escape);
@@ -156,7 +157,7 @@ sub _rand_data {
 }
 sub session_passwd {
- my ($c, $passwd) = @_;
+ my ($c, $passwd, $challenge) = @_;
 my $secAlg = $c->config->{session}{secure};
 die "you need to install Digest::HMAC_MD5 for cram to work"
@@ -165,7 +166,7 @@ sub session_passwd {
 if (defined $passwd) { # set
 if ($secAlg eq 'cram') {
- $c->session(S_PASSWD() => $passwd ? b64_encode(hmac_md5($passwd, $c->app->secrets->[0]), '') : '');
+ $c->session(S_PASSWD() => $passwd, challenge => $challenge);
 }
 elsif ($secAlg eq 's3d') {
 unless ($passwd) { 
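Review bot: `use Digest::HMAC_MD5 'hmac_md5_hex';` makes the mock backend fail to compile whenever that module is absent, even for deployments that never configure cram, whereas the Helper.pm hunk below still carries a runtime `die "you need to install Digest::HMAC_MD5 for cram to work"`, which reads as if the module is meant to be optional. If optional is the intent, loading it lazily inside the cram branch of verify_user (`require Digest::HMAC_MD5;` followed by a fully qualified call) keeps the mock usable without it; if the dependency is now mandatory, the die in Helper.pm and the package's declared prerequisites should say so.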
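Review bot: The new cram branch in verify_user compares `$auth->{password}` against `hmac_md5_hex($auth->{challenge}, VALID_PW)`, so the response has to be lower-case hex and the challenge is taken exactly as received; neither expectation is written down, and nothing in the controller or Helper.pm hunks states the encoding either. A comment above the `if`, such as `# CRAM: expects the hex hmac_md5 of the client-supplied challenge keyed with the password; the challenge itself is not checked here`, would tell the next reader what a real backend has to match. Whether the mock is also meant to reflect a server-issued challenge is not visible from this hunk.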
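Review bot: session_passwd now has a three-argument set form and a list-returning get form, but nothing at `my ($c, $passwd, $challenge) = @_;` says what the third argument is or that it only matters under cram; a header comment along the lines of `# session_passwd($c, $passwd, $challenge): store the credential (cram: the client's response plus the challenge it answered); session_passwd($c): fetch it, returning (challenge, response) in list context under cram` would cover both uses. The `die "you need to install Digest::HMAC_MD5 for cram to work"` that follows may also be stale, since the hunk below removes the only hmac_md5 call visible in this function; its condition continues outside the hunk, so I cannot tell whether anything else here still needs the module. The function body continues outside the hunk.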
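Review bot: `$c->session(S_PASSWD() => $passwd, challenge => $challenge);` stores the challenge under a bare literal key while the password uses the `S_PASSWD` constant, and the -187 hunk reads the same literal back with `$c->session('challenge')`; a constant defined next to S_PASSWD (a name like S_CHALLENGE is only a suggestion) keeps the two sites in step and stops a typo from silently yielding undef. Note also that the removed line derived the stored value with the app secret, whereas the new line writes the client's response and challenge verbatim; whether that changes the exposure depends on the session store and on whether the challenge is server-issued, neither of which is visible here, so a one-line comment stating what the stored pair represents would help the next reader.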
@@ -187,8 +188,8 @@ sub session_passwd {
 }
 else { # get
 if ($secAlg eq 'cram') {
- wantarray or warn "you forgot the challenge";
- return ($c->app->secrets->[0], $c->session(S_PASSWD));
+ wantarray or carp "you forgot the challenge";
+ return ($c->session('challenge'), $c->session(S_PASSWD));
 }
 elsif ($secAlg eq 's3d') {
 my $pw = b64_decode($c->s3d(S_PASSWD) || ''); |