FAQ
I'm currently using password authentication in a Catalyst app, but would
like to implement a way to log in as a particular user, without knowing
the password. (Please don't respond with "don't do this"... I'm aware
of the security ramifications of this kind of functionality).

I'll already have all the information on the user, except for their
password, since we hash the password before storing it.

The end goal would be to have an authenticated session.

Thanks!
- Jim

  • Ash Berlin at Mar 11, 2008 at 6:37 pm

    *WARNING* might not work with the new auth framework. But here's some
    code:

    sub login_as : Local Args(1) {
        my ($self, $c, $user_id) = @_;

        # Only numeric ids are accepted; anything else is bounced back to
        # the current URL. The return is needed, otherwise the action falls
        # through to the lookup and the final redirect below wins.
        return $c->res->redirect($c->uri_for()) if $user_id =~ /\D/;

        my $user = $c->model('DBIC::User')->find($user_id);

        if ($user) {
            # set_authenticated is an internal method of the auth plugin:
            # it marks the user as logged in without any credential check.
            # Nothing in this action checks who the caller is.
            $c->set_authenticated($c->find_user({ id => $user->email }));
            $c->flash(message => "Logged in as @{[$user->email]}");
        }

        return $c->res->redirect('/');
    }
  • Ashley Pond V at Mar 11, 2008 at 6:47 pm

    Untested. I believe authenticate() will authenticate anything it
    matches.

    use Digest::SHA qw(sha1_hex);   # provides sha1_hex() used below

    if ( $super_secret_your_responsibility_server_side_something )
    {
        # Passwordless path: look the user up by email alone.
        $c->authenticate({
            email => $c->request->body_params->{'email'},   # unique!
        });
    }
    else # normal login
    {
        $c->authenticate({
            email    => $c->request->body_params->{'email'},
            password => sha1_hex($c->request->body_params->{'password'}),
        });
    }
  • Jay K at Mar 11, 2008 at 6:58 pm
    tsk tsk. Using internal methods. ;-)

    There's actually a much easier way to do this.

    Step 1: Create a duplicate realm to your normal realm. Call it
    'passwordless' or something.
    Only instead of password_type => 'crypted' or whatever - set
    password_type => 'none'.

    Step 2: use the passwordless realm.

    Step 3: There is no step 3.


    Just make your auth call look like this, i.e. leave out the password
    altogether, and use the passwordless realm.

    $c->authenticate({ username => $usernamevariable }, 'passwordless');

    *poof* passwordless authentication.

    Just for the record - just because you can doesn't mean you should.
    Don't take this as a recommendation, more of a 'how to if you are
    really determined to do that.'

    Jay
    _______________________________________________
    List: Catalyst@lists.scsys.co.uk
    Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
    Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
    Dev site: http://dev.catalyst.perl.org/
    ---
    For most things, throwing yourself at the wall over and over is a
    better way to improve than thinking hard about the wall and taking
    pictures of it. -- D.Litwack
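The two-realm setup described above, wired into a controller the way it would actually be deployed: the passwordless realm is never the default, the only action that uses it is gated on an already-authenticated admin, admin-to-admin switches are refused, the switch is logged with both identities, and the originating admin is kept in the session so the switch can be reverted. This is an added example, not code from the thread or from Catalyst itself. It assumes a DBIx::Class model named DB::User with id, username and password columns and a roles relation carrying a role column, the Session and Authorization::Roles plugins, and the URLs /admin/impersonate/<username> and /admin/revert; MyApp, Admin and the impersonator_id session key are placeholders. The two packages would live in MyApp.pm and MyApp/Controller/Admin.pm; they are shown together here.

```perl
# MyApp.pm (application class): two realms over one user store. 'members'
# is the ordinary login realm; 'passwordless' skips the password check.
package MyApp;
use Moose;
use Catalyst qw/
    Session Session::Store::File Session::State::Cookie
    Authentication Authorization::Roles
/;
extends 'Catalyst';
my %store = (
    class         => 'DBIx::Class',
    user_model    => 'DB::User',  # assumed: id, username, password columns
    role_relation => 'roles',     # assumed: roles relation with a 'role' column
    role_field    => 'role',
);
__PACKAGE__->config(
    name => 'MyApp',
    'Plugin::Authentication' => {
        default_realm => 'members',
        realms => {
            members => {
                credential => {
                    class              => 'Password',
                    password_field     => 'password',
                    password_type      => 'hashed',
                    password_hash_type => 'SHA-1',
                },
                store => { %store },
            },
            # Same store, no password check; only the Admin controller uses it.
            passwordless => {
                credential => { class => 'Password', password_type => 'none' },
                store      => { %store },
            },
        },
    },
);
__PACKAGE__->setup;

# MyApp/Controller/Admin.pm: the only code path that names 'passwordless'.
package MyApp::Controller::Admin;
use Moose;
BEGIN { extends 'Catalyst::Controller' }

# Gate: everything here needs a logged-in admin, except revert, which
# must stay reachable from the impersonated (non-admin) session.
sub auto : Private {
    my ($self, $c) = @_;
    return 1 if $c->action->name eq 'revert';
    return 1 if $c->user_exists && $c->check_user_roles('admin');
    $c->response->status(403);
    $c->response->body('Forbidden');
    return 0;   # false from auto ends the request here
}

sub impersonate : Local Args(1) {
    my ($self, $c, $username) = @_;
    # Look the target up first so admin-to-admin switches can be refused:
    # impersonation should only ever step down in privilege.
    my $target = $c->find_user({ username => $username }, 'passwordless');
    if (!$target || grep { $_ eq 'admin' } $target->roles) {
        $c->response->status(404);
        $c->response->body('No such user');
        return;
    }
    my $admin_id   = $c->user->id;
    my $admin_name = $c->user->get('username');
    # Record both identities and the client address before switching;
    # this is the line an incident responder will ask for later.
    $c->log->warn(sprintf 'IMPERSONATE admin=%s target=%s ip=%s',
        $admin_name, $username, $c->request->address);
    # authinfo carries no password and none is checked in this realm.
    if ($c->authenticate({ username => $username }, 'passwordless')) {
        # Keep the originating admin in the session so the switch is
        # reversible and later requests can still be attributed.
        $c->session->{impersonator_id} = $admin_id;
        $c->flash(message => "Logged in as $username");
        return $c->response->redirect($c->uri_for('/'));
    }
    $c->response->status(500);
}

# Return to the admin identity, again through the passwordless realm,
# but only when this session was created by impersonate() above.
sub revert : Local Args(0) {
    my ($self, $c) = @_;
    my $admin_id = delete $c->session->{impersonator_id};
    if (defined $admin_id) {
        $c->logout;
        $c->authenticate({ id => $admin_id }, 'passwordless');
        $c->log->warn("IMPERSONATE_END admin=$admin_id");
    }
    return $c->response->redirect($c->uri_for('/'));
}

1;
```

Kevin's credential class further down this thread is a drop-in alternative to password_type => 'none': point the passwordless realm at it with class => '+Catalyst::Plugin::Authentication::Credential::SSO' (the leading plus tells the auth plugin to use the fully qualified class name) and the controller above is unchanged. The realm is only as safe as the code that can reach it, so the admin gate in auto and the audit line are the parts that matter.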
  • Kevin montuori at Mar 11, 2008 at 6:42 pm
    i had an authentication credential plugin that looks like this to
    handle authentication without actually authenticating. this is
    essentially untested, but if memory serves, it worked back when i
    thought i was going to have to use an SSO solution.

    package Catalyst::Plugin::Authentication::Credential::SSO;

    use strict;
    use warnings;

    # Instantiated by the auth plugin when the realm is set up.
    sub new {
        my ($class, $config, $app) = @_;
        my $self = { _config => $config };
        return bless $self, $class;
    }

    # Called by $c->authenticate(). Returns the user object if the store
    # finds one matching $authinfo; no password or other secret is checked.
    sub authenticate {
        my ($self, $c, $authstore, $authinfo) = @_;
        my $user_obj = $authstore->find_user($authinfo, $c);
        if (ref $user_obj) {
            return $user_obj;
        }
        else {
            $c->log->error("Unable to locate user in user store.");
            return;
        }
    }

    1;

    --
    kevin montuori

    montuori@gmail.com
    AIM: ignavusinfo

Discussion Overview
group: catalyst
categories: catalyst, perl
posted: Mar 11, '08 at 6:31p
active: Mar 11, '08 at 6:58p
posts: 5
users: 5
website: catalystframework.org
irc: #catalyst