[Catalyst] bypassing password authentication

Ashley apv at sedition.com
Tue Mar 11 18:47:33 GMT 2008


On Mar 11, 2008, at 11:37 AM, Ash Berlin wrote:
> On 11 Mar 2008, at 18:33, Jim Spath wrote:
>
>> I'm currently using password authentication in a Catalyst app, but  
>> would like to implement a way to log in as a particular user,  
>> without knowing the password.  (Please don't respond with "don't  
>> do this"... I'm aware of the security ramifications of this kind  
>> of functionality).
>>
>> I'll already have all the information on the user, except for  
>> their password, since we hash the password before storing it.
>>
>> The end goal would be to have an authenticated session.
>>
>> Thanks!
>> - Jim

Untested. I believe authenticate() will authenticate anything it  
matches.

use Digest::SHA qw(sha1_hex);   # for the normal-login branch below

if ( $super_secret_your_responsibility_server_side_something )
{
    # No password key at all: authenticate() only has to find the user
    $c->authenticate({ email => $c->request->body_params->{'email'},   # unique!
                     });
}
else # normal login
{
    $c->authenticate({ email    => $c->request->body_params->{'email'},
                       password => sha1_hex($c->request->body_params->{'password'}),
                     });
}

>
>
> *WARNING* might not work with the new auth framework. But here's  
> some code:
>
> sub login_as : Local Args(1) {
>   my ($self, $c, $user_id) = @_;
>
>   $c->res->redirect($c->uri_for()) if $user_id =~ /\D/;
>
>   my $user = $c->model('DBIC::User')->find($user_id);
>
>   if ($user) {
>     $c->set_authenticated($c->find_user({ id => $user->email}));
>     $c->flash(message => "Logged in as @{[$user->email]}");
>   }
>
>   return $c->res->redirect('/');
> }
>
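Putting both replies together, here is an added example (not code from either poster or from the Catalyst project) of how the "log in as this user" feature from the thread is usually structured with Catalyst::Plugin::Authentication: a second realm whose Password credential has password_type 'none', so authenticate() succeeds as soon as the store finds the user, and a controller action that only an already-authenticated admin can reach and that logs every use. The realm names 'members' and 'impersonate', the 'admin' role, the DB::User model, the email/id column names and the session key impersonated_by are all assumptions; the action also relies on Catalyst::Plugin::Session and Catalyst::Plugin::Authorization::Roles being loaded.

```perl
# Added example, not from the thread. Assumes Catalyst::Plugin::Authentication,
# Catalyst::Plugin::Session and Catalyst::Plugin::Authorization::Roles are loaded.
package MyApp::Controller::Admin;
use Moose;
use namespace::autoclean;
BEGIN { extends 'Catalyst::Controller' }

# Configuration excerpt (normally in myapp.conf or MyApp.pm); realm names,
# model name and column names are assumptions:
#
#   'Plugin::Authentication' => {
#       default_realm => 'members',
#       realms => {
#           members => {           # the ordinary login: hashed-password check
#               credential => { class              => 'Password',
#                               password_field     => 'password',
#                               password_type      => 'hashed',
#                               password_hash_type => 'SHA-1' },
#               store      => { class => 'DBIx::Class', user_model => 'DB::User' },
#           },
#           impersonate => {       # no password check: user found => authenticated
#               credential => { class => 'Password', password_type => 'none' },
#               store      => { class => 'DBIx::Class', user_model => 'DB::User' },
#           },
#       },
#   },

sub impersonate : Local Args(1) {
    my ($self, $c, $user_id) = @_;

    # Only an already-authenticated admin may reach this; everyone else gets 403.
    unless ($c->user_exists && $c->check_user_roles('admin')) {
        $c->response->status(403);
        $c->response->body('Forbidden');
        $c->detach;
    }

    # Refuse anything that is not a plain numeric id before touching the store.
    unless ($user_id =~ /\A\d+\z/) {
        $c->response->status(400);
        $c->response->body('Bad user id');
        $c->detach;
    }

    my $admin_email = $c->user->get('email');

    # Authenticate against the password-less realm: succeeds iff the user exists.
    if ($c->authenticate({ id => $user_id }, 'impersonate')) {
        # Record who impersonated whom and from where; this is the audit trail.
        $c->log->warn(sprintf 'IMPERSONATE admin=%s target_id=%s ip=%s',
            $admin_email, $user_id, $c->request->address);
        $c->session->{impersonated_by} = $admin_email;   # assumed session key
        $c->flash(message => 'Logged in as ' . $c->user->get('email'));
    }
    else {
        $c->log->warn("IMPERSONATE failed: no user with id $user_id (by $admin_email)");
        $c->flash(message => 'No such user');
    }

    return $c->response->redirect($c->uri_for('/'));
}

__PACKAGE__->meta->make_immutable;
1;
```

Keeping the password-less credential in its own realm, rather than dropping the password key from the default realm's authenticate() call, means the ordinary login path is never able to skip the hash check; the only code that can reach the 'impersonate' realm is this one action, which is gated on the admin role and writes a log line for every attempt.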
