[Catalyst] bypassing password authentication

2008-03-11 Thread Jim Spath
I'm currently using password authentication in a Catalyst app, but would 
like to implement a way to log in as a particular user, without knowing 
the password.  (Please don't respond with "don't do this"... I'm aware 
of the security ramifications of this kind of functionality).


I'll already have all the information on the user, except for their 
password, since we hash the password before storing it.


The end goal would be to have an authenticated session.

Thanks!
- Jim

___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/


Re: [Catalyst] bypassing password authentication

2008-03-11 Thread Ash Berlin


On 11 Mar 2008, at 18:33, Jim Spath wrote:

> [...]

*WARNING* might not work with the new auth framework. But here's some  
code:


sub login_as : Local Args(1) {
  my ($self, $c, $user_id) = @_;

  # Non-numeric id: send the caller back before touching the model
  return $c->res->redirect($c->uri_for()) if $user_id =~ /\D/;

  my $user = $c->model('DBIC::User')->find($user_id);

  if ($user) {
    # Look the user up in the auth store and mark the session authenticated
    $c->set_authenticated($c->find_user({ id => $user->email }));
    $c->flash(message => "Logged in as @{[$user->email]}");
  }

  return $c->res->redirect('/');
}




Re: [Catalyst] bypassing password authentication

2008-03-11 Thread Jay K

tsk tsk. Using internal methods. ;-)

There's actually a much easier way to do this.

Step 1:  Create a duplicate realm to your normal realm.  Call it
'passwordless' or something.
Only instead of password_type = 'crypted' or whatever - set
password_type = 'none'.

Step 2:  use the passwordless realm.

Step 3:  There is no step 3.


Just make your auth call look like this - i.e. leave out the password
altogether, and use the passwordless realm.

$c->authenticate({ username => $usernamevariable }, 'passwordless');

*poof*  passwordless authentication.

Just for the record - just because you can doesn't mean you should.
Don't take this as a recommendation, more of a 'how to if you are
really determined to do that.'

Jay

On Mar 11, 2008, at 12:37 PM, Ash Berlin wrote:

> [...]

---
For most things, throwing yourself at the wall over and over is a
better way to improve than thinking hard about the wall and taking
pictures of it.  -- D.Litwack
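The two-realm setup Jay describes (steps 1 and 2), written out as an added example; this is not code from Jay, Ash or the Catalyst project. It assumes a DBIx::Class model named `DB::User` with a `roles` relation, Catalyst::Plugin::Authorization::Roles for the `admin` role check, and a SHA-1 `hashed` password type for the normal realm, all of which are assumptions standing in for whatever the real app uses. The `login_as` action does the same job as Ash's version but goes through the public `authenticate` API, and it refuses to run unless the caller is already an authenticated administrator, which is the check that stops the passwordless realm from turning into a front door. The two packages would normally live in `MyApp.pm` and `MyApp/Controller/Admin.pm`.

```perl
# MyApp.pm: two realms sharing one user store; only 'members' checks a password.
package MyApp;
use strict;
use warnings;
use Catalyst qw/
    Authentication
    Authorization::Roles
    Session
    Session::Store::File
    Session::State::Cookie
/;

__PACKAGE__->config(
    'Plugin::Authentication' => {
        default_realm => 'members',
        realms => {
            # Normal login: the supplied password is checked against the stored hash
            members => {
                credential => {
                    class              => 'Password',
                    password_field     => 'password',
                    password_type      => 'hashed',   # assumed; use whatever the app stores
                    password_hash_type => 'SHA-1',
                },
                store => {
                    class         => 'DBIx::Class',
                    user_model    => 'DB::User',      # assumed model name
                    role_relation => 'roles',
                    role_field    => 'role',
                },
            },
            # Jay's "passwordless" realm: same store, no credential check at all
            passwordless => {
                credential => { class => 'Password', password_type => 'none' },
                store      => {
                    class         => 'DBIx::Class',
                    user_model    => 'DB::User',
                    role_relation => 'roles',
                    role_field    => 'role',
                },
            },
        },
    },
);

__PACKAGE__->setup;

# MyApp/Controller/Admin.pm: the impersonation action, reachable only by admins.
package MyApp::Controller::Admin;
use strict;
use warnings;
use base 'Catalyst::Controller';

sub login_as : Local Args(1) {
    my ($self, $c, $username) = @_;

    # Refuse unless the caller is already logged in (through the normal realm)
    # and holds the 'admin' role (assumed role name). Without this gate anyone
    # who can reach the URL can become any user.
    unless ($c->user_exists && $c->check_user_roles('admin')) {
        $c->res->status(403);
        $c->res->body('Forbidden');
        return;
    }
    my $admin = $c->user->get('username');

    # Authenticate against the passwordless realm: the username alone selects
    # the user and no password is supplied or checked. This replaces the
    # session's user, so the admin's identity survives only in the log line.
    if ($c->authenticate({ username => $username }, 'passwordless')) {
        $c->log->info("impersonation: $admin is now logged in as $username");
        $c->flash(message => "Logged in as $username");
    }
    else {
        $c->log->warn("impersonation failed: $admin -> $username (no such user)");
        $c->flash(message => "No such user: $username");
    }
    return $c->res->redirect($c->uri_for('/'));
}

1;
```

Because `authenticate` against the second realm overwrites the session's user, the only record that an administrator (rather than the target user) performed later actions is the `$c->log->info` line above, so that log should be kept somewhere the impersonating user cannot edit. Older Catalyst::Plugin::Authentication releases spell the store option `user_class` rather than `user_model`; check the installed version's documentation before copying the config.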


