Create two Catalyst auth realms (::UsernamePassword and ::APIKey)

pypt · pypt · commit baf68381150e · 2017-05-25T06:20:32.000+03:00
diff --git a/lib/Catalyst/Authentication/Credential/MediaWords/APIKey.pm b/lib/Catalyst/Authentication/Credential/MediaWords/APIKey.pm
@@ -0,0 +1,69 @@
+package Catalyst::Authentication::Credential::MediaWords::APIKey;
+
+#
+# Authenticate users with API key.
+#
+
+use strict;
+use warnings;
+
+use Moose;
+use namespace::autoclean;
+
+with 'MooseX::Emulate::Class::Accessor::Fast';
+
+use Catalyst::Exception ();
+use Readonly;
+
+__PACKAGE__->mk_accessors( qw/realm/ );
+
+use MediaWords::DBI::Auth::Login;
+
+# API key parameter
+Readonly our $API_KEY_FIELD => 'key';
+
+sub new
+{
+    my ( $class, $config, $app, $realm ) = @_;
+
+    my $self = {};
+    bless $self, $class;
+
+    $self->realm( $realm );
+
+    return $self;
+}
+
+sub authenticate
+{
+    my ( $self, $c, $realm, $authinfo ) = @_;
+
+    my $db = $c->dbis;
+
+    my $api_key    = $authinfo->{ $API_KEY_FIELD };
+    my $ip_address = $c->request_ip_address();
+
+    if ( $api_key and $ip_address )
+    {
+
+        my $user;
+        eval { $user = MediaWords::DBI::Auth::Login::login_with_api_key( $db, $api_key, $ip_address ); };
+        unless ( $@ or ( !$user ) )
+        {
+            my $user_obj = $realm->find_user( { username => $user->email() }, $c );
+            if ( ref( $user_obj ) )
+            {
+                return $user_obj;
+            }
+        }
+    }
+
+    if ( $c->debug )
+    {
+        $c->log->debug( 'Unable to locate user matching user info provided in realm: ' . $realm->name );
+    }
+
+    return undef;
+}
+
+__PACKAGE__;
diff --git a/lib/Catalyst/Authentication/Credential/MediaWords/UsernamePassword.pm b/lib/Catalyst/Authentication/Credential/MediaWords/UsernamePassword.pm
@@ -1,9 +1,7 @@
-package Catalyst::Authentication::Credential::MediaWords;
+package Catalyst::Authentication::Credential::MediaWords::UsernamePassword;
 
 #
-# Media Cloud Catalyst credentials package, uses ::DBI::Auth to do the authentication.
-#
-# Adapted from Catalyst::Authentication::Credential::Password.
+# Authenticate users with username and password.
 #
 
 use strict;
@@ -42,23 +40,20 @@ sub authenticate
 
     my $db = $c->dbis;
 
-    ## because passwords may be in a hashed format, we have to make sure that we remove the
-    ## password_field before we pass it to the user routine, as some auth modules use
-    ## all data passed to them to find a matching user...
-    my $userfindauthinfo = { %{ $authinfo } };
-    delete( $userfindauthinfo->{ $PASSWORD_FIELD } );
+    my $username = $authinfo->{ $USERNAME_FIELD };
+    my $password = $authinfo->{ $PASSWORD_FIELD };
 
-    my $user_obj = $realm->find_user( $userfindauthinfo, $c );
-    if ( ref( $user_obj ) )
-    {
-        my $username = $authinfo->{ $USERNAME_FIELD };
-        my $password = $authinfo->{ $PASSWORD_FIELD };
+    if ( $username and $password ) {
 
         my $user;
         eval { $user = MediaWords::DBI::Auth::Login::login_with_email_password( $c->dbis, $username, $password ); };
         unless ( $@ or ( !$user ) )
         {
-            return $user_obj;
+            my $user_obj = $realm->find_user( { username => $user->email() }, $c );
+            if ( ref( $user_obj ) )
+            {
+                return $user_obj;
+            }
         }
     }
 
diff --git a/lib/MediaWords.pm b/lib/MediaWords.pm
@@ -14,6 +14,7 @@ use MediaWords::Util::Config;
 use MediaWords::DBI::Auth::Roles;
 
 use Net::IP;
+use Readonly;
 use URI;
 
 # Set flags and add plugins for the application
@@ -54,15 +55,23 @@ use HTML::FormFu::Unicode;
 
 my $config = __PACKAGE__->config( -name => 'MediaWords' );
 
+# Authentication realms
+Readonly our $AUTH_REALM_USERNAME_PASSWORD => 'mc_auth_realm_username_password';
+Readonly our $AUTH_REALM_API_KEY           => 'mc_auth_realm_api_key';
+
 # Configure authentication scheme
 __PACKAGE__->config( 'Plugin::Static::Simple' => { dirs => [ 'gexf', 'nv' ] } );
 __PACKAGE__->config(
     'Plugin::Authentication' => {
-        'default_realm' => 'users',
-        'users'         => {
-            'credential' => { 'class' => 'MediaWords' },
+        'default_realm'               => $AUTH_REALM_USERNAME_PASSWORD,
+        $AUTH_REALM_USERNAME_PASSWORD => {
+            'credential' => { 'class' => 'MediaWords::UsernamePassword' },
             'store'      => { 'class' => 'MediaWords' }
-        }
+        },
+        $AUTH_REALM_API_KEY => {
+            'credential' => { 'class' => 'MediaWords::APIKey' },
+            'store'      => { 'class' => 'MediaWords' }
+        },
     }
 );
 
diff --git a/lib/MediaWords/ActionRole/AbstractAuthenticatedActionRole.pm b/lib/MediaWords/ActionRole/AbstractAuthenticatedActionRole.pm
@@ -16,6 +16,7 @@ use namespace::autoclean;
 use Data::Dumper;
 use HTTP::Status qw(:constants);
 
+use Catalyst::Authentication::Credential::MediaWords::APIKey;
 use MediaWords::DBI::Auth;
 
 # test whether the authenticated user has $permission_type access to the topic in the path of the currently requested
@@ -94,12 +95,16 @@ sub _user_email_and_roles($$)
 {
     my ( $self, $c ) = @_;
 
+    my $db = $c->dbis;
+
     my $user_email = undef;
     my @user_roles;
 
-    # 1. If the request has the "key" parameter, force authenticating via API
+    my $api_key_param = $Catalyst::Authentication::Credential::MediaWords::APIKey::API_KEY_FIELD;
+
+    # 1. If the request has the API key parameter, force authenticating via API
     #    key (even if the user is logged in)
-    if ( $c->request->param( 'key' ) )
+    if ( $c->request->param( $api_key_param ) )
     {
 
         my $api_auth = undef;
@@ -109,7 +114,10 @@ sub _user_email_and_roles($$)
         }
         else
         {
-            $api_auth = MediaWords::DBI::Auth::Login::login_with_api_key_catalyst( $c );
+            if ( $c->authenticate( { key => $c->request->param( $api_key_param ) }, $MediaWords::AUTH_REALM_API_KEY ) )
+            {
+                $api_auth = MediaWords::DBI::Auth::Profile::user_info( $db, $c->user->username );
+            }
         }
 
         if ( $api_auth )
diff --git a/lib/MediaWords/Controller/Api/V2/Auth.pm b/lib/MediaWords/Controller/Api/V2/Auth.pm
@@ -97,7 +97,7 @@ sub profile : Local
     my $db = $c->dbis;
 
     my $userinfo;
-    eval { $userinfo = MediaWords::DBI::Auth::Login::login_with_api_key_catalyst( $c ); };
+    eval { $userinfo = MediaWords::DBI::Auth::Profile::user_info( $db, $c->user->username ); };
     if ( $@ or ( !$userinfo ) )
     {
         die "Unable to find user for given API key.";
diff --git a/lib/MediaWords/Controller/Api/V2/Media.pm b/lib/MediaWords/Controller/Api/V2/Media.pm
@@ -494,7 +494,7 @@ sub submit_suggestion_GET
     my $feed_url = $data->{ feed_url } || 'none';
     my $reason   = $data->{ reason } || 'none';
 
-    my $user          = MediaWords::DBI::Auth::Login::login_with_api_key_catalyst( $c );
+    my $user = MediaWords::DBI::Auth::Profile::user_info( $db, $c->user->username );
     my $auth_users_id = $user->id();
 
     $db->begin;
@@ -586,7 +586,7 @@ sub mark_suggestion_PUT
 
     my $db = $c->dbis;
 
-    my $user          = MediaWords::DBI::Auth::Login::login_with_api_key_catalyst( $c );
+    my $user = MediaWords::DBI::Auth::Profile::user_info( $db, $c->user->username );
     my $auth_users_id = $user->id();
 
     die( "status must be pending, approved, or rejected" )
diff --git a/lib/MediaWords/Controller/Login.pm b/lib/MediaWords/Controller/Login.pm
@@ -85,7 +85,15 @@ sub index : Path : Args(0)
     }
 
     # Attempt to log the user in
-    if ( $c->authenticate( { username => $email, password => $password } ) )
+    if (
+        $c->authenticate(
+            {
+                username => $email,
+                password => $password,
+            },
+            $MediaWords::AUTH_REALM_USERNAME_PASSWORD
+        )
+      )
     {
         if ( $form->params->{ referer } )
         {
diff --git a/lib/MediaWords/DBI/Auth/Login.pm b/lib/MediaWords/DBI/Auth/Login.pm
@@ -14,9 +14,6 @@ use Readonly;
 
 use MediaWords::DBI::Auth::Profile;
 
-# API key HTTP GET parameter
-Readonly my $API_KEY_PARAMETER => 'key';
-
 # Post-unsuccessful login delay (in seconds)
 Readonly my $POST_UNSUCCESSFUL_LOGIN_DELAY => 1;
 
@@ -244,18 +241,4 @@ SQL
     return $user;
 }
 
-# Fetch user object for the API key, using Catalyst's object.
-# Only active users are fetched.
-# die()s on error
-sub login_with_api_key_catalyst($)
-{
-    my $c = shift;
-
-    my $db         = $c->dbis;
-    my $api_key    = $c->request->param( $API_KEY_PARAMETER . '' );
-    my $ip_address = $c->request_ip_address();
-
-    return login_with_api_key( $db, $api_key, $ip_address );
-}
-
 1;

Original file line number	Diff line number	Diff line change
`@@ -97,7 +97,7 @@ sub profile : Local`
`97`	`97`	`my $db = $c->dbis;`
`98`	`98`
`99`	`99`	`my $userinfo;`
`100`		`- eval { $userinfo = MediaWords::DBI::Auth::Login::login_with_api_key_catalyst( $c ); };`
	`100`	`+ eval { $userinfo = MediaWords::DBI::Auth::Profile::user_info( $db, $c->user->username ); };`
`101`	`101`	`if ( $@ or ( !$userinfo ) )`
`102`	`102`	`{`
`103`	`103`	`die "Unable to find user for given API key.";`
Original file line number	Diff line number	Diff line change
`@@ -85,7 +85,15 @@ sub index : Path : Args(0)`
`85`	`85`	`}`
`86`	`86`
`87`	`87`	`# Attempt to log the user in`
`88`		`- if ( $c->authenticate( { username => $email, password => $password } ) )`
	`88`	`+ if (`
	`89`	`+ $c->authenticate(`
	`90`	`+ {`
	`91`	`+ username => $email,`
	`92`	`+ password => $password,`
	`93`	`+ },`
	`94`	`+ $MediaWords::AUTH_REALM_USERNAME_PASSWORD`
	`95`	`+ )`
	`96`	`+ )`
`89`	`97`	`{`
`90`	`98`	`if ( $form->params->{ referer } )`
`91`	`99`	`{`