lemonldap-ng/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/_WebForm.pm

##@file
# Web form authentication backend file

##@class
# Web form authentication backend class
package Lemonldap::NG::Portal::Auth::_WebForm;

use strict;
use Mouse;
use Lemonldap::NG::Portal::Main::Constants qw(
  PE_OK
  PE_NOTOKEN
  PE_FORMEMPTY
  PE_FIRSTACCESS
  PE_CAPTCHAEMPTY
  PE_CAPTCHAERROR
  PE_TOKENEXPIRED
  PE_MALFORMEDUSER
  PE_PASSWORDFORMEMPTY
);

our $VERSION = '2.0.14';

extends qw(
  Lemonldap::NG::Portal::Main::Auth
  Lemonldap::NG::Portal::Lib::_tokenRule
);

has authnLevel => (
    is      => 'rw',
    lazy    => 1,
    builder => sub {
        my $conf = $_[0]->{conf};
        return ( $conf->{portal} =~ /^https/ ? 2 : 1 );
    },
);

has captcha => ( is => 'rw' );
has ott     => ( is => 'rw' );

# INITIALIZATION

sub init {
    my $self = shift;

    if ( $self->{conf}->{captcha_login_enabled} ) {
        $self->captcha( $self->p->loadModule('::Lib::Captcha') ) or return 0;
    }
    else {
        $self->ott( $self->p->loadModule('::Lib::OneTimeToken') ) or return 0;
        $self->ott->timeout( $self->conf->{formTimeout} );
    }
    return 1;
}

# RUNNING METHODS

# Read username and password from POST data
sub extractFormInfo {
    my ( $self, $req ) = @_;

    if ( $req->param('user') ) {
        unless ( $req->param('user') =~ /$self->{conf}->{userControl}/o ) {
            $self->setSecurity($req);
            return PE_MALFORMEDUSER;
        }
    }

    # Detect first access and empty forms
    my $defUser        = defined $req->param('user');
    my $defPassword    = defined $req->param('password');
    my $defOldPassword = defined $req->param('oldpassword');
    my $res            = PE_OK;

    # 1. No user defined at all -> first access
    # _pwdCheck is a workaround to make CheckUser work while using a GET
    unless ( $defUser
        and ( uc( $req->method ) eq "POST" or $req->data->{_pwdCheck} ) )
    {
        $res = PE_FIRSTACCESS;
    }

    # 2. If user and password defined -> login form
    elsif ( $defUser and $defPassword ) {
        $res = PE_FORMEMPTY
          unless ( ( $req->{user} = $req->param('user') )
            && ( $req->data->{password} = $req->param('password') ) );
    }

    # 3. If user and oldpassword defined -> password form
    elsif ( $defUser and $defOldPassword ) {
        $res = PE_PASSWORDFORMEMPTY
          unless (
               ( $req->{user} = $req->param('user') )
            && ( $req->data->{oldpassword} = $req->param('oldpassword') )
            && ( $req->data->{newpassword} = $req->param('newpassword') )
            && ( $req->data->{confirmpassword} =
                $req->param('confirmpassword') )
          );
    }

    # If form seems empty
    if ( $res != PE_OK ) {
        $self->setSecurity($req);
        return $res;
    }

    # Security: check for captcha or token
    if ( not $req->data->{'skipToken'}
        and ( $self->captcha or $self->ottRule->( $req, {} ) ) )
    {
        my $token;
        unless ( $token = $req->param('token') or $self->captcha ) {
            $self->userLogger->error('Authentication tried without token');
            $self->ott->setToken($req);
            return PE_NOTOKEN;
        }

        if ( $self->captcha ) {
            my $code = $req->param('captcha');
            unless ($code) {
                $self->captcha->setCaptcha($req);
                return PE_CAPTCHAEMPTY;
            }
            unless ( $self->captcha->validateCaptcha( $token, $code ) ) {
                $self->captcha->setCaptcha($req);
                $self->userLogger->warn(
                    "Captcha failed: wrong or expired code");
                return PE_CAPTCHAERROR;
            }
            $self->logger->debug("Captcha code verified");
        }
        elsif ( $self->ottRule->( $req, {} ) ) {
            unless ( $req->data->{tokenVerified}
                or $self->ott->getToken($token) )
            {
                $self->ott->setToken($req);
                $self->userLogger->warn('Token expired');
                return PE_TOKENEXPIRED;
            }
            $req->data->{tokenVerified} = 1;
        }
    }

    # Other parameters
    $req->data->{timezone} = $req->param('timezone');

    return PE_OK;
}

# Set password in session data if wanted.
sub setAuthSessionInfo {
    my ( $self, $req ) = @_;

    # authenticationLevel
    $req->{sessionInfo}->{authenticationLevel} = $self->authnLevel;

    # Store submitted password if set in configuration
    # WARNING: it can be a security hole
    if ( $self->conf->{storePassword} ) {
        $req->{sessionInfo}->{'_password'} = $req->data->{'newpassword'}
          || $req->data->{'password'};
    }

    # Store user timezone
    $req->{sessionInfo}->{'_timezone'} = $self->{'timezone'};

    return PE_OK;
}

# @return display type
sub getDisplayType {
    return "standardform";
}

sub setSecurity {
    my ( $self, $req ) = @_;
    return if $req->data->{skipToken};

    # If captcha is enable, prepare it
    if ( $self->captcha ) {
        $self->captcha->setCaptcha($req);
    }

    # Else get token
    elsif ( $self->ottRule->( $req, {} ) ) {
        $self->ott->setToken($req);
    }
}

1;
New portal in progress (#595) 2016-03-30 07:47:38 +02:00			`##@file`
			`# Web form authentication backend file`

			`##@class`
			`# Web form authentication backend class`
			`package Lemonldap::NG::Portal::Auth::_WebForm;`

			`use strict;`
			`use Mouse;`
Captcha and token in progress (#1140) 2017-01-24 23:05:07 +01:00			`use Lemonldap::NG::Portal::Main::Constants qw(`
Set user and oldpassword fields into reset password form & Improve unit tests (#2377) 2020-11-08 13:14:41 +01:00			`PE_OK`
			`PE_NOTOKEN`
			`PE_FORMEMPTY`
			`PE_FIRSTACCESS`
Please use our .perltidyrc 2019-03-07 18:22:16 +01:00			`PE_CAPTCHAEMPTY`
			`PE_CAPTCHAERROR`
			`PE_TOKENEXPIRED`
			`PE_MALFORMEDUSER`
Set user and oldpassword fields into reset password form & Improve unit tests (#2377) 2020-11-08 13:14:41 +01:00			`PE_PASSWORDFORMEMPTY`
Captcha and token in progress (#1140) 2017-01-24 23:05:07 +01:00			`);`
New portal in progress (#595) 2016-03-30 07:47:38 +02:00
Fix versions 2022-02-01 16:33:08 +01:00			`our $VERSION = '2.0.14';`
New portal in progress (#595) 2016-03-30 07:47:38 +02:00
Set user and oldpassword fields into reset password form & Improve unit tests (#2377) 2020-11-08 13:14:41 +01:00			`extends qw(`
			`Lemonldap::NG::Portal::Main::Auth`
			`Lemonldap::NG::Portal::Lib::_tokenRule`
			`);`
New portal in progress (#595) 2016-03-30 07:47:38 +02:00
Enable setAuthSessionInfo (#595) 2016-12-01 23:25:05 +01:00			`has authnLevel => (`
			`is => 'rw',`
Mark some properties "lazy" to be sure conf is intialized (#595) 2017-03-27 18:51:18 +02:00			`lazy => 1,`
Enable setAuthSessionInfo (#595) 2016-12-01 23:25:05 +01:00			`builder => sub {`
			`my $conf = $_[0]->{conf};`
			`return ( $conf->{portal} =~ /^https/ ? 2 : 1 );`
			`},`
			`);`

Captcha and token in progress (#1140) 2017-01-24 23:05:07 +01:00			`has captcha => ( is => 'rw' );`
			`has ott => ( is => 'rw' );`

Update comments (#595) 2016-06-09 20:40:20 +02:00			`# INITIALIZATION`

New portal in progress (#595) 2016-03-30 07:47:38 +02:00			`sub init {`
Use OTT rule (#1694) 2019-04-05 17:24:07 +02:00			`my $self = shift;`
Use rule to enable OTT (#1694) 2019-04-03 23:28:45 +02:00
			`if ( $self->{conf}->{captcha_login_enabled} ) {`
			`$self->captcha( $self->p->loadModule('::Lib::Captcha') ) or return 0;`
			`}`
			`else {`
			`$self->ott( $self->p->loadModule('::Lib::OneTimeToken') ) or return 0;`
			`$self->ott->timeout( $self->conf->{formTimeout} );`
Captcha and token in progress (#1140) 2017-01-24 23:05:07 +01:00			`}`
			`return 1;`
New portal in progress (#595) 2016-03-30 07:47:38 +02:00			`}`

Update comments (#595) 2016-06-09 20:40:20 +02:00			`# RUNNING METHODS`

s/datas/data datas => des données data => les données 2018-07-05 22:56:16 +02:00			`# Read username and password from POST data`
New portal in progress (#595) 2016-03-30 07:47:38 +02:00			`sub extractFormInfo {`
Tidy 2016-04-29 09:27:26 +02:00			`my ( $self, $req ) = @_;`
Please use our .perltidyrc 2019-03-07 18:22:16 +01:00
Test submitted user param (#1667) 2019-03-06 23:08:22 +01:00			`if ( $req->param('user') ) {`
			`unless ( $req->param('user') =~ /$self->{conf}->{userControl}/o ) {`
			`$self->setSecurity($req);`
			`return PE_MALFORMEDUSER;`
			`}`
			`}`
New portal in progress (#595) 2016-03-30 07:47:38 +02:00
			`# Detect first access and empty forms`
			`my $defUser = defined $req->param('user');`
			`my $defPassword = defined $req->param('password');`
			`my $defOldPassword = defined $req->param('oldpassword');`
Captcha and token in progress (#1140) 2017-01-24 23:05:07 +01:00			`my $res = PE_OK;`
New portal in progress (#595) 2016-03-30 07:47:38 +02:00
			`# 1. No user defined at all -> first access`
Fix auth process in password-testing plugins (#2611) 2021-09-10 12:27:01 +02:00			`# _pwdCheck is a workaround to make CheckUser work while using a GET`
			`unless ( $defUser`
			`and ( uc( $req->method ) eq "POST" or $req->data->{_pwdCheck} ) )`
			`{`
Captcha and token in progress (#1140) 2017-01-24 23:05:07 +01:00			`$res = PE_FIRSTACCESS;`
			`}`
New portal in progress (#595) 2016-03-30 07:47:38 +02:00
			`# 2. If user and password defined -> login form`
Security: verify that method is POST for main forms (#595) 2017-03-04 09:36:26 +01:00			`elsif ( $defUser and $defPassword ) {`
Captcha and token in progress (#1140) 2017-01-24 23:05:07 +01:00			`$res = PE_FORMEMPTY`
Please use our .perltidyrc 2019-03-07 18:22:16 +01:00			`unless ( ( $req->{user} = $req->param('user') )`
s/datas/data datas => des données data => les données 2018-07-05 22:56:16 +02:00			`&& ( $req->data->{password} = $req->param('password') ) );`
New portal in progress (#595) 2016-03-30 07:47:38 +02:00			`}`

			`# 3. If user and oldpassword defined -> password form`
Security: verify that method is POST for main forms (#595) 2017-03-04 09:36:26 +01:00			`elsif ( $defUser and $defOldPassword ) {`
Captcha and token in progress (#1140) 2017-01-24 23:05:07 +01:00			`$res = PE_PASSWORDFORMEMPTY`
tidy 2022-02-16 17:43:29 +01:00			`unless (`
			`( $req->{user} = $req->param('user') )`
s/datas/data datas => des données data => les données 2018-07-05 22:56:16 +02:00			`&& ( $req->data->{oldpassword} = $req->param('oldpassword') )`
			`&& ( $req->data->{newpassword} = $req->param('newpassword') )`
Please use our .perltidyrc 2019-03-07 18:22:16 +01:00			`&& ( $req->data->{confirmpassword} =`
tidy 2022-02-16 17:43:29 +01:00			`$req->param('confirmpassword') )`
			`);`
New portal in progress (#595) 2016-03-30 07:47:38 +02:00			`}`

Captcha and token in progress (#1140) 2017-01-24 23:05:07 +01:00			`# If form seems empty`
			`if ( $res != PE_OK ) {`
Reinitialize token when login fails (#1140) 2017-03-14 17:52:11 +01:00			`$self->setSecurity($req);`
Captcha and token in progress (#1140) 2017-01-24 23:05:07 +01:00			`return $res;`
			`}`

			`# Security: check for captcha or token`
Implement Resource Owner Password Credentials grant (#2155) 2020-04-17 11:48:05 +02:00			`if ( not $req->data->{'skipToken'}`
			`and ( $self->captcha or $self->ottRule->( $req, {} ) ) )`
			`{`
Captcha and token in progress (#1140) 2017-01-24 23:05:07 +01:00			`my $token;`
Test if Captcha is enabled & Improve unit test (#2057) 2020-01-05 21:57:24 +01:00			`unless ( $token = $req->param('token') or $self->captcha ) {`
Replace userNotice/Error... by userLogger (#857) 2017-02-15 15:16:59 +01:00			`$self->userLogger->error('Authentication tried without token');`
Reinitialize token when login fails (#1140) 2017-03-14 18:38:50 +01:00			`$self->ott->setToken($req);`
Captcha and token in progress (#1140) 2017-01-24 23:05:07 +01:00			`return PE_NOTOKEN;`
			`}`
Use rule to enable OTT (#1694) 2019-04-03 23:28:45 +02:00
Captcha and token in progress (#1140) 2017-01-24 23:05:07 +01:00			`if ( $self->captcha ) {`
			`my $code = $req->param('captcha');`
			`unless ($code) {`
Token in register form (#1140) 2017-01-26 22:42:42 +01:00			`$self->captcha->setCaptcha($req);`
Captcha and token in progress (#1140) 2017-01-24 23:05:07 +01:00			`return PE_CAPTCHAEMPTY;`
New portal in progress (#595) 2016-03-30 07:47:38 +02:00			`}`
Captcha and token in progress (#1140) 2017-01-24 23:05:07 +01:00			`unless ( $self->captcha->validateCaptcha( $token, $code ) ) {`
Token in register form (#1140) 2017-01-26 22:42:42 +01:00			`$self->captcha->setCaptcha($req);`
Tidy 2017-02-19 12:51:58 +01:00			`$self->userLogger->warn(`
			`"Captcha failed: wrong or expired code");`
New portal in progress (#595) 2016-03-30 07:47:38 +02:00			`return PE_CAPTCHAERROR;`
			`}`
Replace lmLog by logger-> (#857) 2017-02-15 07:41:50 +01:00			`$self->logger->debug("Captcha code verified");`
Captcha and token in progress (#1140) 2017-01-24 23:05:07 +01:00			`}`
Use OTT rule (#1694) 2019-04-05 17:24:07 +02:00			`elsif ( $self->ottRule->( $req, {} ) ) {`
s/datas/data datas => des données data => les données 2018-07-05 22:56:16 +02:00			`unless ( $req->data->{tokenVerified}`
Mark some properties "lazy" to be sure conf is intialized (#595) 2017-03-27 18:51:18 +02:00			`or $self->ott->getToken($token) )`
			`{`
Token in register form (#1140) 2017-01-26 22:42:42 +01:00			`$self->ott->setToken($req);`
Replace userNotice/Error... by userLogger (#857) 2017-02-15 15:16:59 +01:00			`$self->userLogger->warn('Token expired');`
Captcha and token in progress (#1140) 2017-01-24 23:05:07 +01:00			`return PE_TOKENEXPIRED;`
New portal in progress (#595) 2016-03-30 07:47:38 +02:00			`}`
s/datas/data datas => des données data => les données 2018-07-05 22:56:16 +02:00			`$req->data->{tokenVerified} = 1;`
New portal in progress (#595) 2016-03-30 07:47:38 +02:00			`}`
			`}`

			`# Other parameters`
s/datas/data datas => des données data => les données 2018-07-05 22:56:16 +02:00			`$req->data->{timezone} = $req->param('timezone');`
New portal in progress (#595) 2016-03-30 07:47:38 +02:00
Set user and oldpassword fields into reset password form & Improve unit tests (#2377) 2020-11-08 13:14:41 +01:00			`return PE_OK;`
New portal in progress (#595) 2016-03-30 07:47:38 +02:00			`}`

s/datas/data datas => des données data => les données 2018-07-05 22:56:16 +02:00			`# Set password in session data if wanted.`
New portal in progress (#595) 2016-03-30 07:47:38 +02:00			`sub setAuthSessionInfo {`
#595 in progress 2016-05-04 13:38:49 +02:00			`my ( $self, $req ) = @_;`
New portal in progress (#595) 2016-03-30 07:47:38 +02:00
			`# authenticationLevel`
Little things (#595) 2016-12-02 06:47:38 +01:00			`$req->{sessionInfo}->{authenticationLevel} = $self->authnLevel;`
New portal in progress (#595) 2016-03-30 07:47:38 +02:00
			`# Store submitted password if set in configuration`
			`# WARNING: it can be a security hole`
			`if ( $self->conf->{storePassword} ) {`
s/datas/data datas => des données data => les données 2018-07-05 22:56:16 +02:00			`$req->{sessionInfo}->{'_password'} = $req->data->{'newpassword'}`
Please use our .perltidyrc 2019-03-07 18:22:16 +01:00			`\|\| $req->data->{'password'};`
New portal in progress (#595) 2016-03-30 07:47:38 +02:00			`}`

			`# Store user timezone`
Little things (#595) 2016-12-02 06:47:38 +01:00			`$req->{sessionInfo}->{'_timezone'} = $self->{'timezone'};`
New portal in progress (#595) 2016-03-30 07:47:38 +02:00
Set user and oldpassword fields into reset password form & Improve unit tests (#2377) 2020-11-08 13:14:41 +01:00			`return PE_OK;`
New portal in progress (#595) 2016-03-30 07:47:38 +02:00			`}`

LDAP in progress (#595) 2016-05-02 12:30:23 +02:00			`# @return display type`
			`sub getDisplayType {`
			`return "standardform";`
			`}`

Reinitialize token when login fails (#1140) 2017-03-14 17:52:11 +01:00			`sub setSecurity {`
Mark some properties "lazy" to be sure conf is intialized (#595) 2017-03-27 18:51:18 +02:00			`my ( $self, $req ) = @_;`
Update unit tests (#2611) 2021-09-10 12:22:30 +02:00			`return if $req->data->{skipToken};`
Mark some properties "lazy" to be sure conf is intialized (#595) 2017-03-27 18:51:18 +02:00
Reinitialize token when login fails (#1140) 2017-03-14 17:52:11 +01:00			`# If captcha is enable, prepare it`
			`if ( $self->captcha ) {`
			`$self->captcha->setCaptcha($req);`
			`}`

			`# Else get token`
Use OTT rule (#1694) 2019-04-05 17:24:07 +02:00			`elsif ( $self->ottRule->( $req, {} ) ) {`
Reinitialize token when login fails (#1140) 2017-03-14 17:52:11 +01:00			`$self->ott->setToken($req);`
			`}`
			`}`

New portal in progress (#595) 2016-03-30 07:47:38 +02:00			`1;`