The London Perl and Raku Workshop takes place on 26th Oct 2024. If your company depends on Perl, please consider sponsoring and/or attending.
 / 
CGI-AuthenticationFramework-0.08
/ CGI::AuthenticationFramework

NAME

CGI::AuthenticationFramework - A CGI authentication framework that utilizes mySQL for the user and session management

VERSION

Version 0.08

SYNOPSIS

Allows the login authentication, registration of user accounts, and password reset of webbased users.

Sample CGI script :-

        #!/usr/bin/perl

        use strict;
        use CGI::AuthenticationFramework;
        use DBI;
        use CGI;
        my $cgi = new CGI;
        
        # == connect to the database
        my $dbh = DBI->connect("DBI:mysql:database=DATABASE;host=SERVERNAME",'username','password') || die $DBI::errstr;

        # == create the authentication link
        my $sec = CGI::AuthenticationFramework->new({
                dbh     => $dbh,
                cgi     => $cgi
                });
        
        # == create the tables
        $sec->setup_database(); # run this only once for performance.. No damage to keep it there
        
        # == do we go through, or block access.. This is where the rubber meets the road
        $sec->secure();
        
        # == once we get through that, we can send our headers
        print $sec->header();

        # == We can call some additional functions
        print "<a href=\"javascript:void();\" onclick=\"javascript:securefunction('logout');\">Logout</a>\n";
        print "<a href=\"javascript:void();\" onclick=\"javascript:securefunction('password');\">Change password</a>\n";
        
        print "<p>\n";
        print "This is the secret message.<br>\n";
        print "Email Address is $sec->{username}<br>\n";
        print "Session ID is $sec->{session}<br>\n";
        print "</p>";
        print "<a href=\"#\">Me again</a>\n";
        
        # == when we're done, we call the finish function.  This clears the data connection, and prints the footer code
        $sec->finish();

FUNCTIONS

new

Creates a new authentication connection

        my $sec = CGI::AuthenticationFramework->new({
                dbh     => $dbh,
                cgi     => $cgi
        });

Options

dbh

Defined the database handle to use

cgi

Defines the CGI handle to use

The name of the cookie (default is 'my_cookie')

Default header code to include

Default footer code to include

yubikey

To enable yubikey support, set to 1.

When you enable yubikey support, you have to set the yubi_id and yubi_api fields as well. To get these, you need to sign up at https://upgrade.yubico.com/getapikey/

timeout

Defines the timeout before a user has to log on again. Default is 600 seconds.

register

If you need users to register on their own, set the register option to 1. Default is 0

forgot

If you need users to have the ability to reset their passwords by emailing a new one to them, set this option to 1. Default is 0. =head4 SMTP server settings

If you have register enabled, you need to specify SMTP settings

smtpserver

The hostname of the SMTP server

smtpfrom

The from email address to use when sending emails

smtpuser , smtppass

The smtpuser and smtppass parameters are optional. If your SMTP server requires you to authenticate, set these two fields.

captcha

Defined if you want to use a captcha. Default is 0.

Sign up for a free API from https://www.google.com/recaptcha/admin/create and enter the values in captcha_public and captcha_private

secure

The main gatekeeper.. Checks if the session is valid. If not, pass control to the login screen. If the session is still valid, the timeout is reset, and control is returned to the main program.

header

Works identical to CGI::header. The only difference is the adding of a cookie to the header, and passing the header value if defined from the new function.

finish

Function to send the footer, and sign everything off. Call this function last (or if you want to terminate the program

form

Generates an HTML form based on a schema

form (schema,submit text,hidden func field,title for the header,captcha option,%VALUES)

Schema format (field name, description, type, validation, sql)

fieldname

The field name that will be used in SQL and param calls

description

The field name that will be displayed

type

The type of the field, ie text, textarea, dropdown, or password

size

Defines the size of the field.

validation

Defines the input data check that will be performed to ensure the input validation is passed. Options can be email, password, number or text.

sql

Defines the SQL query to execute that will populate a dropdown list, should you use a dropdown.

form_update

Updates the data in the table

input : schema, table name

form_edit

Shows the edit form after an id was passed to it

input : schema, table, title, button text, func field

form_delete

Deletes the entry from the table

form_insert

Takes the input from a form, and inserts it into a database

Input : schema, table, default values (for readonly fields)

form_list

Show the result of a SQL table

form_create_table

Create a mySQL table based on a schema definition

input : schema, table name

set_variable

Defines a session variable

input : parameter, value

get_variable

Retrieves a session variable

input : parameter

Output : value

setup_database

Call this module once to setup the database tables. Running it multiple times will only introduce excessive load on the DB, but won't delete any tables.

It will create the tables tbl_users, tbl_session, and tbl_logs.

It will also create the default user 'admin', with it's password 'password'. Remember to change this password on your first logon.

AUTHOR

Phil Massyn, <phil at massyn.net>

TODO

Bugs

New features * Form list -- allow "next page" if it returns more than ie 30 items on a page * Searching of tables * Admin module to administer user accounts and reset passwords * Customize register and forget emails being sent * Authorization module (ie group membership)

Enhancements * Clean up of logs older than 12 months (should be customizable) * Ability to record additional fields during registration * Form list -- add custom fields (ie add actions like Edit & Delete to it) * Change form_* functions to use hashes as inputs, not seperate fields * Change dropdown & select to use native CGI parameters * Change javascript calls to use native cgi->a calls

REVISION 0.08 Change order of form_list by clicking headers Create tbl_session_vars table Added session variables through get_variable and set_variable Added housekeeping to remove orphaned table entries Fixed dropdown bug not selecting the right value

0.07 Fixed GET blocking not to prevent register and forget from working Added field in database to indicate administrators Prevented "password" fields from being displayed in lists Added the 2nd field to self param Encrypt passwords when using form_insert function Encrypt passwords if they're being changed through form_update Fixed number validation when validating a 0. Added a text input validation

0.06 Added autocomplete to login form Added form_delete function Added strong password enforcement Removed debug logs from captcha procedure Added logging when database gets changed

0.05 Fixed xss to check all array elements when calling fetchrow_array Replaced all GET with POST functions, and prevent futher usage of GET Added form_edit function Fixed missing hidden id in form function Updated param function to strip unsafe characters

0.04 Updated form to handle hidden field, and input values Added textarea, and readonly fields Included dropdown with SQL in the schema support Added form_create_table Added form_insert Added form_list Added HTML::Entities for encoding output string (prevent cross site scripting) Changed the cookie's session ID to reset on every click Make the cookie secure

0.03 Added no-cache tags to header function Added input validation procedure Added input validation for tokens Moved valid_email procedure into validate_input Fixed omission of $forgot parameter check on sub forgot Added reCaptcha

0.02 Added registration option (including Net::SMTP) Changed password encryption to a salted hash Added forgotten password option Logging all messages being displayed

0.01 Initial version

TODO

There is still plenty to do.

User lost a yubikey
User Administration and user maintenance console

BUGS

Please report any bugs or feature requests to bug-cgi-authenticationframework at rt.cpan.org, or through the web interface at http://rt.cpan.org/NoAuth/ReportBug.html?Queue=CGI-AuthenticationFramework. I will be notified, and then you'llautomatically be notified of progress on your bug as I make changes.

SUPPORT

You can find documentation for this module with the perldoc command.

    perldoc CGI::AuthenticationFramework

You can also look for information at:

ACKNOWLEDGEMENTS

LICENSE AND COPYRIGHT

Copyright 2013 Phil Massyn.

This program is free software; you can redistribute it and/or modify it under the terms of either: the GNU General Public License as published by the Free Software Foundation; or the Artistic License.

See http://dev.perl.org/licenses/ for more information.

DISCLAIMER

This module has not been scrutinized yet. It may very well contain security issues. Although unintentional, you should excersize caution, and not start deploying production systems on this code. Any bugs or issues raised will be rectified. Use this module at own risk.

2 POD Errors

The following errors were encountered while parsing the POD:

Around line 1749:

'=item' outside of any '=over'

Around line 1753:

You forgot a '=back' before '=head1'