diff options
| -rw-r--r-- | lib/Fripost/Session.pm | 24 | ||||
| -rw-r--r-- | run.psgi | 12 |
2 files changed, 16 insertions, 20 deletions
diff --git a/lib/Fripost/Session.pm b/lib/Fripost/Session.pm index 888385f..8cf6405 100644 --- a/lib/Fripost/Session.pm +++ b/lib/Fripost/Session.pm @@ -31,10 +31,10 @@ use Crypt::URandom "urandom"; use Fripost (); -# create(Fripost object) +# new(Fripost object) # Create a new ephemeral session from a Fripost object, and return # suitable credentials for later SASL proxy authorization. -sub create($$) { +sub new($$) { my ($class, $fp) = @_; # don't base64-encode but hex-encode as the commonName is case-insensitive @@ -68,23 +68,23 @@ sub create($$) { bless \%creds, $class; } -# authenticate(CREDENTIALS, OPTION => VALUE, ..) +# authenticate(OPTION => VALUE, ..) # Create a new Fripost object and return it after authentication # (using SASL proxy authorization with the ephemeral credentials). # If the "refresh" is set (the default), then TTL value of the entry # on the backup is refreshed. sub authenticate($%) { - my $creds = shift; + my $self = shift; my %conf = @_; my $refresh = delete $conf{refresh} // 1; my $authcid = sprintf($conf{ldap}->{"session-authcID"} // "%s", - $creds->{authcid}); + $self->{authcid}); my $sasl = Authen::SASL::->new( mechanism => "PLAIN", callback => { user => $authcid - , pass => $creds->{password} - , authname => $creds->{authzid} + , pass => $self->{password} + , authname => $self->{authzid} }) or die "Creation of Authen::SASL object failed"; my $fp = Fripost::->new(%conf); @@ -94,7 +94,7 @@ sub authenticate($%) { if ($refresh) { my $dn = sprintf($conf{ldap}->{"session-authcDN"} // "%s", - escape_dn_value($creds->{authcid})); + escape_dn_value($self->{authcid})); my $ttl = $conf{www}->{"cache-expires"}; $r = $fp->{_ldap}->refresh(entryName => $dn, requestTtl => $ttl); $fp->croak("LDAP error code %i: %s\n", $r->code, $r->error) @@ -103,17 +103,17 @@ sub authenticate($%) { return $fp; } -# authenticate(CREDENTIALS, OPTION => VALUE, ..) +# authenticate(OPTION => VALUE, ..) # Create a new Fripost object, authenticate (using SASL proxy # authorization), and delete the entry on the LDAP backend. sub destroy($%) { - my $creds = shift; + my $self = shift; my %conf = @_; my $dn = sprintf($conf{ldap}->{"session-authcDN"} // "%s", - escape_dn_value($creds->{authcid})); + escape_dn_value($self->{authcid})); - my $fp = authenticate($creds, %conf, refresh => 0); + my $fp = authenticate($self, %conf, refresh => 0); my $r = $fp->{_ldap}->delete($dn); $fp->croak("LDAP error code %i: %s\n", $r->code, $r->error) unless $r->code == LDAP_SUCCESS; @@ -191,7 +191,7 @@ $builder->mount("/login" => sub($) { # $creds contains its own authentication ID; we're can't use # the session ID because the new one isn't available until # after the function exits - $req->session->{credentials} = Fripost::Session::->create($fp); + $req->session->{credentials} = Fripost::Session::->new($fp); # login was successful; get a new session ID now, to protect # against session fixation attacks @@ -239,9 +239,7 @@ $builder->mount("/logout" => sub($) { if (defined (eval { csrf_token_validate($req) })) { # silently try to destroy the session on the LDAP backend - Fripost::Session::destroy($req->session->{credentials}, - %CONFIG, onerror => sub($@) {} - ); + $req->session->{credentials}->destroy(%CONFIG, onerror => sub($@) {}); # force the session to expire in our local cache delete $req->session->{credentials}; @@ -273,10 +271,8 @@ $builder->mount($WELCOME_PAGE => sub($) { my %tmpl_params; my $r = eval { - # auth using the session credentials (refresh the entry) - Fripost::Session::authenticate($req->session->{credentials}, - %CONFIG, onerror => \&throw - ); + # authenticate the session credentials (and refresh the entry) + $req->session->{credentials}->authenticate(%CONFIG, onerror => \&throw); }; if (defined $r) { $tmpl_params{AUTHZID} = $req->session->{credentials}->{authzid}; |