From: Moritz Bunkus Date: Fri, 15 Mar 2019 11:30:30 +0000 (+0100) Subject: Authentifizierung: Unterstützung für HTTP Basic Authentication RFC 7617 X-Git-Tag: release-3.5.4~88^2~5 X-Git-Url: http://wagnertech.de/git?a=commitdiff_plain;h=4543999aeca36e07555a0fa508cf9d0580e34c70;p=kivitendo-erp.git Authentifizierung: Unterstützung für HTTP Basic Authentication RFC 7617 --- diff --git a/SL/Auth.pm b/SL/Auth.pm index 82be3b8d8..63412e0be 100644 --- a/SL/Auth.pm +++ b/SL/Auth.pm @@ -94,6 +94,18 @@ sub set_client { return $self->client; } +sub get_default_client_id { + my ($self) = @_; + + my $dbh = $self->dbconnect; + + return unless $dbh; + + my $row = $dbh->selectrow_hashref(qq|SELECT id FROM auth.clients WHERE is_default = TRUE LIMIT 1|); + + return $row->{id} if $row; +} + sub DESTROY { my $self = shift; diff --git a/SL/Dispatcher/AuthHandler/User.pm b/SL/Dispatcher/AuthHandler/User.pm index ba5071a1d..182d65442 100644 --- a/SL/Dispatcher/AuthHandler/User.pm +++ b/SL/Dispatcher/AuthHandler/User.pm @@ -3,15 +3,22 @@ package SL::Dispatcher::AuthHandler::User; use strict; use parent qw(Rose::Object); +use Encode (); +use MIME::Base64 (); + use SL::Layout::Dispatcher; sub handle { my ($self, %param) = @_; - my $login = $::form->{'{AUTH}login'} || $::auth->get_session_value('login'); + my ($http_auth_login, $http_auth_password) = $self->_parse_http_basic_auth; + + my $login = $::form->{'{AUTH}login'} // $http_auth_login // $::auth->get_session_value('login'); + return $self->_error(%param) if !defined $login; - my $client_id = $::form->{'{AUTH}client_id'} || $::auth->get_session_value('client_id'); + my $client_id = $::form->{'{AUTH}client_id'} // $::auth->get_session_value('client_id') // $::auth->get_default_client_id; + return $self->_error(%param) if !$client_id || !$::auth->set_client($client_id); %::myconfig = User->get_default_myconfig($::auth->read_user(login => $login)); @@ -22,8 +29,9 @@ sub handle { $::request->{layout} = SL::Layout::Dispatcher->new(style => $::myconfig{menustyle}); my $ok = $::auth->is_api_token_cookie_valid; - $ok ||= $::form->{'{AUTH}login'} && (SL::Auth::OK() == $::auth->authenticate($::myconfig{login}, $::form->{'{AUTH}password'})); - $ok ||= !$::form->{'{AUTH}login'} && (SL::Auth::OK() == $::auth->authenticate($::myconfig{login}, undef)); + $ok ||= $::form->{'{AUTH}login'} && (SL::Auth::OK() == $::auth->authenticate($::myconfig{login}, $::form->{'{AUTH}password'})); + $ok ||= !$::form->{'{AUTH}login'} && $http_auth_login && (SL::Auth::OK() == $::auth->authenticate($::myconfig{login}, $http_auth_password)); + $ok ||= !$::form->{'{AUTH}login'} && !$http_auth_login && (SL::Auth::OK() == $::auth->authenticate($::myconfig{login}, undef)); return $self->_error(%param) if !$ok; @@ -44,4 +52,26 @@ sub _error { return 0; } +sub _parse_http_basic_auth { + my ($self) = @_; + + # See RFC 7617. + + # Requires that the server passes the 'Authorization' header as the + # environment variable 'HTTP_AUTHORIZATION'. Example code for + # Apache: + + # SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 + + my $data = $ENV{HTTP_AUTHORIZATION}; + + return unless ($data // '') =~ m{^basic +(.+)}i; + + $data = Encode::decode('utf-8', MIME::Base64::decode($1)); + + return unless $data =~ m{(.+?):(.+)}; + + return ($1, $2); +} + 1;