[Catalyst] Behaviour of Catalyst::Plugin::Authentication

Alex Povolotsky tarkhil at over.ru
Wed Mar 19 19:45:51 GMT 2008


Jochen Luig wrote:
> Hi,
>
> I stumbled upon a feature of the Authentication Plugin today
> (Yes I was the guy who used Ash's cardboard cutout programmer service 
> earlier today on #catalyst, so thanks again, Ash ;-)
>
> My configuration was something like this:
>
> authentication:
>  default_realm: users
>  realms:
>   users:
>    credential:
>     class: Password
>     user_field: login
>     password_field: password
>     password_type: clear
>    store:
>     class: DBIx::Class
>     user_class: MyAppDB::Users
>     role_class: MyAppDB::Roles
>     role_field: title
>     role_relation: user_roles
>     user_role_user_field: user_id
>
> but the $userinfo hash I passed to the authenticate() method looked 
> like this
>
> my $userinfo = { username => $login, password => $password}
>
> Thus, Catalyst logged in the first user in the MyAppDB::Users table if I
> provided the correct password regardless of what I supplied as a login 
> (ok, the latter is obvious).
> Does the plugin try to DWIM by using the first user it happens to 
> stumble upon and using his primary key as the login field? This is what
> I suspect because the (test-)user in question happened to have "1" as
> his primary key as well as in the 'login'-column.
>
> Maybe this is because of my limited idea of what $userinfo can be, but
> wouldn't a warning be suitable in such a case?
>   

It is A Feature. You've messed with parameters, username in userinfo,
login in credential.

my $userinfo = { login => $login, password => $password}

will cure.

Alex.
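
The failure mode reported in this thread, modeled in plain Perl as an added example (not code from the plugin or from either poster). It assumes a user lookup that silently drops authinfo keys which are not table columns, and contrasts it with a strict lookup that rejects them; the table rows, passwords and sub names are constructed for illustration.

```perl
use strict;
use warnings;

# Constructed sample data standing in for the MyAppDB::Users table.
my @COLUMNS = qw(id login password);
my @USERS   = (
    { id => 1, login => 'admin', password => 's3cret' },
    { id => 2, login => 'bob',   password => 'hunter2' },
);
my %IS_COLUMN = map { $_ => 1 } @COLUMNS;

# Assumed lenient lookup: keys that are not columns are ignored, so
# { username => ... } leaves no condition and the first row matches.
sub find_user_lenient {
    my (%authinfo) = @_;
    my %search = map { $_ => $authinfo{$_} } grep { $IS_COLUMN{$_} } keys %authinfo;
    for my $row (@USERS) {
        return $row unless grep { $row->{$_} ne $search{$_} } keys %search;
    }
    return;
}

# Strict lookup: every key must be a column, and at least one must remain.
sub find_user_strict {
    my (%authinfo) = @_;
    my @unknown = grep { !$IS_COLUMN{$_} } sort keys %authinfo;
    die "unknown authinfo key(s): @unknown\n" if @unknown;
    die "no search conditions supplied\n" unless %authinfo;
    return find_user_lenient(%authinfo);
}

# Clear-text password check, as with password_type: clear in the config.
sub authenticate {
    my ($finder, $userinfo) = @_;
    my %lookup   = %$userinfo;
    my $password = delete $lookup{password};
    my $user     = $finder->(%lookup) or return;
    return unless defined $password && $user->{password} eq $password;
    return $user;
}

my $bad = { username => 'nobody', password => 's3cret' };   # wrong key name
my $hit = authenticate(\&find_user_lenient, $bad);
print "lenient: logged in as $hit->{login}\n" if $hit;
my $ok = eval { authenticate(\&find_user_strict, $bad) };
print "strict: rejected: $@" unless $ok;
my $good = authenticate(\&find_user_strict, { login => 'bob', password => 'hunter2' });
print "strict: logged in as $good->{login}\n" if $good;
```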
