[dancer-users] Problem with D::P::A::E::Provider::Base.pm

Rick Bragg rbragg at gmnet.net
Tue Dec 11 01:57:15 GMT 2012

Hi everyone!

I really like what I see in Dancer::Plugin::Auth::Extensible, however, there is a
real problem in the Provider::Base.pm match_password() sub, and the solution would
probably break some current (poorly implemented) sites.

First, it is hard coded to use "Crypt::SaltedHash->validate($correct, $given)" for
validation, (not to mention It does not even let you set the salt length so it
defaults to 4) then to my horror, if that fails, it tries to match it in plain
text!  Yikes!

The reason this is really bad is that at the back end where user validation is
concerned, there should be NO guessing and helping from the scrip! This sub should
not try to help out at all.  I would argue there should be no option for plain text
period.  You should also have to specify the hashing module you want (i.e.
Dancer::Plugin::Passphrase; Crypt::SaltedHash; etc... (in case one is compromised,
or just outdated you could switch to another at will)  And you should have to
specify the algorithm to use.  There should never be defaults here.  It should just
fail if this stuff is not specified period.

One thing I like to be able to do is set the password in a user's account to '', or
'1' or '0' or anything as a really quick way to force the user to reset their
password because they would NEVER be able to log in with that.  The way it is now,
you have to set a random string and hash it or something crazy...

I'm willing to help out however I can because I'm re-writing a fairly large site
(from Interchange) and I don't want to write lots of patch code on top when things
should be done at the modules.  My time is short, and I'm really hurting for cash,
but let me know if there is anything I can do to help.

Again, I really like what I'm seeing in D::P::A::E and in Dancer overall!!

Rick Bragg

More information about the dancer-users mailing list