Re: [Catalyst] ANNOUNCE: SimpleDB - Auth configuration made easy
On Mon, Oct 27, 2008 at 11:57:00PM -0600, Jason Kuri wrote:
> You can get clear passwords with no warnings by dropping SimpleDB for configuration purposes and using a 'standard' auth config that looks like this:

Which hides the badness.

Frankly I'd like to see -all- of authentication warn on cleartext passwords unless you add some (preferably long) config option like insecure_password_storage_ok.

The best thing about this is it makes it obvious to a -maintainer- that their predecessor did this. Remember that the person who benefits from seeing that that option has been turned on may not be the person who originally turned it on.

-- 
      Matt S Trout       Need help with your Catalyst or DBIx::Class project?
   Technical Director    http://www.shadowcat.co.uk/catalyst/
 Shadowcat Systems Ltd.  Want a managed development or deployment platform?
http://chainsawblues.vox.com/            http://www.shadowcat.co.uk/servers/

___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
Re: [Catalyst] ANNOUNCE: SimpleDB - Auth configuration made easy
* On Mon, Oct 27 2008, Thomas L. Shinnick wrote:
> If I explicitly override the default, by explicitly requesting 'clear', because my requirements explicitly need this ability, then I must change the code to get rid of the warning?
>
> Ahh, but it's for the 'simple', who must be guided, and can't be bothered to read the warnings in the text so bonk'em repeatedly in the logs till they mind what you say. Which is to explicitly not use the feature which you've explicitly provided? (sigh)

Open the file in your text editor and remove the warning. Problem solved! You didn't even need to post to a mailing list!

Regards,
Jonathan Rockway

-- 
print just => another => perl => hacker => if $,=$"
Re: [Catalyst] ANNOUNCE: SimpleDB - Auth configuration made easy
> I think a good approach is to have safer, more secure defaults, and if users explicitly turn those off then have relevant warnings on by default, and if users really know what they're doing then they can explicitly turn those off. For example, users can have an explicit no_warnings_plaintext_password or some such where warnings are turned on by default and off explicitly.
>
> Generally speaking, those who know enough to handle less safe things also know enough how to ask the system to let them do those things. People who don't know well enough for one aren't likely at the same time to know to ask the system for help in pointing out unsafe behaviour, so they're in trouble if unsafe is the default. For people who do know things, having safe defaults is still good for working together with their desire to be lazy.

Those who know enough to handle less safe things shouldn't be afraid to use the 'standard' auth configuration, though, wouldn't you think?

You can get clear passwords with no warnings by dropping SimpleDB for configuration purposes and using a 'standard' auth config that looks like this:

    MyApp->config->{'Plugin::Authentication'} = {
        default => {
            credential => {
                class         => 'Password',
                password_type => 'clear',
            },
            store => {
                class                     => 'DBIx::Class',
                role_relation             => 'roles',
                role_field                => 'role',
                use_userdata_from_session => '1',
                user_model                => $user_model_from_simpledb_config,
            },
        },
    };

So - why add it to the SimpleDB?

Jay
Re: [Catalyst] ANNOUNCE: SimpleDB - Auth configuration made easy
Matt S Trout wrote:
> On Mon, Oct 27, 2008 at 03:51:49PM -0700, Darren Duncan wrote:
>> Zbigniew Lukasiak wrote:
>>> * Your passwords are stored in the 'password' field in your users table and are not encrypted.
>>
>> This is always a bad idea. If someone ever gets direct database access, they now know each user's mindset as to how they choose passwords
>
> This is the catalyst list, not the stating the fucking obvious list.

If the purpose of SimpleDB is to make things simple for people with less clue, why offer clear text as an option at all?

Since the best practice is to use hashed passwords, why not be opinionated about it and not offer anything else?

Surely being opinionated is something we're good at around here ;-)

S.
Re: [Catalyst] ANNOUNCE: SimpleDB - Auth configuration made easy
From: Simon Wilcox
> Matt S Trout wrote:
>> On Mon, Oct 27, 2008 at 03:51:49PM -0700, Darren Duncan wrote:
>>> Zbigniew Lukasiak wrote:
>>>> * Your passwords are stored in the 'password' field in your users table and are not encrypted.
>>>
>>> This is always a bad idea. If someone ever gets direct database access, they now know each user's mindset as to how they choose passwords
>>
>> This is the catalyst list, not the stating the fucking obvious list.
>
> If the purpose of SimpleDB is to make things simple for people with less clue, why offer clear text as an option at all?
>
> Since the best practice is to use hashed passwords, why not be opinionated about it and not offer anything else?
>
> Surely being opinionated is something we're good at around here ;-)
>
> S.

This is true, but in that case it should also be explained how to add and modify the hashed password in the database using the most simple method.

And the most simple method could be to use the DBIC::Schema helper for creating the database schema, but in that case DBIx::Class::EncodedColumn can't be used, because the DBIC::Schema helper won't be able to update the class files.

A simple method could be to add something like this in the controllers, but is it a recommended way?

    use Digest::SHA ();

    # Replace the submitted plaintext with its SHA1 hex digest before the
    # form processor copies the request params into the users table.
    $c->req->param( password => Digest::SHA::sha1_hex( $c->req->param('password') ) );
    $form->process;

Octavian
Re: [Catalyst] ANNOUNCE: SimpleDB - Auth configuration made easy
Zbigniew Lukasiak wrote:
> * Your passwords are stored in the 'password' field in your users table and are not encrypted.

This is always a bad idea. If someone ever gets direct database access, they now know each user's mindset as to how they choose passwords, and can subsequently login to the application as them or target them in a wider context where they may have used similar passwords elsewhere. You always want passwords in a one-way hash, and if users forget their password, you don't tell it to them, but you have them make a new one. Reminding users of their password in an email message is also a bad idea.

-- Darren Duncan
Re: [Catalyst] ANNOUNCE: SimpleDB - Auth configuration made easy
On Mon, Oct 27, 2008 at 03:51:49PM -0700, Darren Duncan wrote:
> Zbigniew Lukasiak wrote:
>> * Your passwords are stored in the 'password' field in your users table and are not encrypted.
>
> This is always a bad idea. If someone ever gets direct database access, they now know each user's mindset as to how they choose passwords

This is the catalyst list, not the stating the fucking obvious list.

-- 
Matt S Trout
Re: [Catalyst] ANNOUNCE: SimpleDB - Auth configuration made easy
I made the default 'clear', as the tutorial uses 'clear' and it is the least likely to cause failure of auth for those just coming to catalyst / going through the tutorials. The password_type config option allows changing it to something more reasonable for production use.

Matt and I discussed and he made the point that this module will probably get a lot of production use and its default should probably at least attempt to prevent newbies from making bad design choices... or at least make it a bit more difficult. I must agree.

As such, an updated module is on its way to CPAN - which uses 'crypted' as the default. The documentation has been adjusted to reflect this. You can still use a password_type of 'clear' by setting it explicitly, but you _will_ get warned in your logs that it is an insecure password storage mechanism.

Jay

On Oct 27, 2008, at 5:18 PM, Matt S Trout wrote:
> On Mon, Oct 27, 2008 at 03:51:49PM -0700, Darren Duncan wrote:
>> Zbigniew Lukasiak wrote:
>>> * Your passwords are stored in the 'password' field in your users table and are not encrypted.
>>
>> This is always a bad idea. If someone ever gets direct database access, they now know each user's mindset as to how they choose passwords
>
> This is the catalyst list, not the stating the fucking obvious list.
Re: [Catalyst] ANNOUNCE: SimpleDB - Auth configuration made easy
At 07:13 PM 10/27/2008, Jason Kuri wrote:
> I made the default 'clear', as the tutorial uses 'clear' and it is the least likely to cause failure of auth for those just coming to catalyst / going through the tutorials. The password_type config option allows changing it to something more reasonable for production use.
>
> Matt and I discussed and he made the point that this module will probably get a lot of production use and its default should probably at least attempt to prevent newbies from making bad design choices... or at least make it a bit more difficult. I must agree.
>
> As such, an updated module is on its way to CPAN - which uses 'crypted' as the default. The documentation has been adjusted to reflect this. You can still use a password_type of 'clear' by setting it explicitly, but you _will_ get warned in your logs that it is an insecure password storage mechanism.

(There's always a dissenter.)

If I explicitly override the default, by explicitly requesting 'clear', because my requirements explicitly need this ability, then I must change the code to get rid of the warning?

Ahh, but it's for the 'simple', who must be guided, and can't be bothered to read the warnings in the text so bonk'em repeatedly in the logs till they mind what you say. Which is to explicitly not use the feature which you've explicitly provided? (sigh)

How about adding 'clear_please_please' ?

(Just because I like simple doesn't mean I _am_ 'simple' - and I really do appreciate the simplicity enablers, really)

> Jay
>
> On Oct 27, 2008, at 5:18 PM, Matt S Trout wrote:
>> On Mon, Oct 27, 2008 at 03:51:49PM -0700, Darren Duncan wrote:
>>> Zbigniew Lukasiak wrote:
>>>> * Your passwords are stored in the 'password' field in your users table and are not encrypted.
>>>
>>> This is always a bad idea. If someone ever gets direct database access, they now know each user's mindset as to how they choose passwords
>>
>> This is the catalyst list, not the stating the fucking obvious list.
Re: [Catalyst] ANNOUNCE: SimpleDB - Auth configuration made easy
> If I explicitly override the default, by explicitly requesting 'clear', because my requirements explicitly need this ability, then I must change the code to get rid of the warning?
>
> Ahh, but it's for the 'simple', who must be guided, and can't be bothered to read the warnings in the text so bonk'em repeatedly in the logs till they mind what you say. Which is to explicitly not use the feature which you've explicitly provided? (sigh)
>
> How about adding 'clear_please_please' ?
>
> (Just because I like simple doesn't mean I _am_ 'simple' - and I really do appreciate the simplicity enablers, really)

Hi Thomas,

I understand. The SimpleDB will only complain upon starting the app. If you really can't have the warning, you can use the 'standard' password credential and the 'normal' auth config method; you will get no warning on 'clear' as the password type.

Matt suggested a way to turn off the warning also... but I am skeptical... either we hold the newbie's hand and protect him from himself, and warn him if he's doing something dangerous, or we happily let them shoot themselves in the foot, assuming they'll probably figure it out after the first time.

Seems the two options are out of sync with each other... I'm not beyond convincing... just a bit skeptical.

Anybody else want to weigh in... should we protect them, but allow them to throw off the comfort blankets if they say 'PLEeease'?

Jay
Re: [Catalyst] ANNOUNCE: SimpleDB - Auth configuration made easy
Jason Kuri wrote:
>> If I explicitly override the default, by explicitly requesting 'clear', because my requirements explicitly need this ability, then I must change the code to get rid of the warning?
>>
>> Ahh, but it's for the 'simple', who must be guided, and can't be bothered to read the warnings in the text so bonk'em repeatedly in the logs till they mind what you say. Which is to explicitly not use the feature which you've explicitly provided? (sigh)
>>
>> How about adding 'clear_please_please' ?
>>
>> (Just because I like simple doesn't mean I _am_ 'simple' - and I really do appreciate the simplicity enablers, really)
>
> Matt suggested a way to turn off the warning also... but I am skeptical... either we hold the newbie's hand and protect him from himself, and warn him if he's doing something dangerous, or we happily let them shoot themselves in the foot, assuming they'll probably figure it out after the first time.
>
> Seems the two options are out of sync with each other... I'm not beyond convincing... just a bit skeptical.
>
> Anybody else want to weigh in... should we protect them, but allow them to throw off the comfort blankets if they say 'PLEeease'?

I think a good approach is to have safer, more secure defaults, and if users explicitly turn those off then have relevant warnings on by default, and if users really know what they're doing then they can explicitly turn those off. For example, users can have an explicit no_warnings_plaintext_password or some such where warnings are turned on by default and off explicitly.

Generally speaking, those who know enough to handle less safe things also know enough how to ask the system to let them do those things. People who don't know well enough for one aren't likely at the same time to know to ask the system for help in pointing out unsafe behaviour, so they're in trouble if unsafe is the default. For people who do know things, having safe defaults is still good for working together with their desire to be lazy.

-- Darren Duncan
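The policy the thread converges on (a safe default, a startup warning whenever it is overridden, and a long explicit option that silences the warning while still leaving a trace for the next maintainer), as an added Perl example; this is not code from Catalyst::Authentication::Realm::SimpleDB or from any poster. The option name insecure_password_storage_ok is the one Matt proposes; resolve_password_config, the logger callback and the sample configs are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not the SimpleDB realm's own code. Resolves the auth
# config the way the thread proposes:
#   - password_type defaults to 'crypted' (the new default Jay announced)
#   - an explicit 'clear' is honoured but logged at every startup
#   - only the long, explicit insecure_password_storage_ok option silences
#     the warning, and the suppression itself is logged so a later
#     maintainer can see that a predecessor made this choice
sub resolve_password_config {
    my ( $config, $log ) = @_;    # $log: code ref taking one message
    my %resolved = %{ $config || {} };
    $resolved{password_type} = 'crypted'
        unless defined $resolved{password_type};

    my %known = map { $_ => 1 } qw(crypted hashed clear);
    die "unknown password_type '$resolved{password_type}'\n"
        unless $known{ $resolved{password_type} };

    # 'hashed' is only meaningful with a digest name, as in the announcement
    if ( $resolved{password_type} eq 'hashed'
        && !$resolved{password_hash_type} ) {
        die "password_type 'hashed' needs password_hash_type (e.g. 'SHA1')\n";
    }

    if ( $resolved{password_type} eq 'clear' ) {
        if ( $resolved{insecure_password_storage_ok} ) {
            $log->( "NOTICE: password_type 'clear' in use; warning suppressed "
                  . "by insecure_password_storage_ok (check who set this and why)" );
        }
        else {
            $log->( "WARNING: password_type 'clear' stores plaintext passwords; "
                  . "use 'crypted' or 'hashed', or set "
                  . "insecure_password_storage_ok => 1 to silence this" );
        }
    }
    return \%resolved;
}

# Constructed configs and a logger that just collects the lines it is given
my @log;
my $logger = sub { push @log, shift };

my $default = resolve_password_config( { user_class => 'MyApp::User' }, $logger );
my $clear   = resolve_password_config(
    { user_class => 'MyApp::User', password_type => 'clear' }, $logger );
my $opted   = resolve_password_config(
    { user_class => 'MyApp::User', password_type => 'clear',
      insecure_password_storage_ok => 1 }, $logger );

print "default password_type: $default->{password_type}\n";    # crypted
print "$_\n" for @log;    # one WARNING line, then one NOTICE line
```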
[Catalyst] ANNOUNCE: SimpleDB - Auth configuration made easy
Hey all,

Catalyst authentication configuration just got a whole lot easier. I just released two updates to CPAN that will make Auth configuration much much easier for the 'average' case where you have user data stored in an SQL database and you are using passwords for authentication.

Now, the 'basic' config using plaintext passwords looks like this:

    __PACKAGE__->config->{'Plugin::Authentication'} = {
        default => {
            class      => 'SimpleDB',
            user_class => 'MyApp::User',
        }
    };

For the 'basic' config using a hashed password - just a bit more complex:

    __PACKAGE__->config->{'Plugin::Authentication'} = {
        default => {
            class              => 'SimpleDB',
            user_class         => 'MyApp::User',
            password_type      => 'hashed',
            password_hash_type => 'SHA1',
        }
    };

Hopefully, people will not find this config overwhelming. :-)

For those who are interested, the custom configuration is accomplished by using a custom Realm, SimpleDB, which is part of the most recent Catalyst::Authentication::Store::DBIx::Class dist. A lot of flexibility can be gained in configuration and functionality by creating custom Realms. This is just one example.

The modules are available (or will be soon) at:

http://search.cpan.org/~jayk/Catalyst-Authentication-Store-DBIx-Class-0.108/lib/Catalyst/Authentication/Realm/SimpleDB.pm

( A preview of the docs is available here: http://scsys.co.uk:8001/19881 )

and

http://search.cpan.org/~jayk/Catalyst-Plugin-Authentication-0.10008/

If anyone has any questions or comments, please reply to this email, or find me on #catalyst.

I am also soliciting anyone who is willing to take a crack at simplifying the Auth section of the Catalyst tutorial by using this module, as I think most users are looking to do exactly this type of config when they first approach Catalyst and are reading the Tutorial. Any volunteers?

JayK