NAME
Ado::Plugin::Auth - Passwordless user authentication for Ado
SYNOPSIS
#in etc/ado.$mode.conf
plugins =>[
#...
'auth',
#...
],
#in etc/plugins/auth.$mode.conf
{
#methods which will be displayed in the "Sign in" menu
auth_methods => ['ado', 'facebook', 'google'],
providers => {
google => {
key =>'123456789....apps.googleusercontent.com',
secret =>'YourSECR3T',
scope=>'profile email',
info_url => 'https://www.googleapis.com/userinfo/v2/me',
},
facebook => {
key =>'123456789',
secret =>'123456789abcdef',
scope =>'public_profile,email',
info_url => 'https://graph.facebook.com/v2.2/me',
},
}
}
DESCRIPTION
Ado::Plugin::Auth is a plugin that authenticates users to an Ado system. Users can be authenticated via Google, Facebook, locally and in the future other authentication service-providers.
Note that the user's pasword is never sent over the network. When using the local authentication method (ado) a digest is prepared in the browser using JavaScript. The digest is sent and compared on the server side. The digest is different in every POST request. The other authentication methods use the services provided by well known service providers like Google, Facebook etc. To use external authentication providers the module Mojolicious::Plugin::OAuth2 needs to be installed.
CONFIGURATION
The following options can be set in etc/plugins/auth.$mode.conf
. You can find default options in etc/plugins/auth.conf
.
auth_methods
This option will enable the listed methods (services) which will be used to authenticate a user. The services will be listed in the specified order in the partial template authbar.html.ep
that can be included in any other template on your site.
#in etc/plugins/auth.$mode.conf
{
#methods which will be displayed in the "Sign in" menu
auth_methods => ['ado', 'google'],
}
providers
A Hash reference with keys representing names of providers (same as auth_methods) and values, containing the configurations for the specific providers. This option will be merged with already defined providers by Mojolicious::Plugin::OAuth2. Add the rest of the needed configuration options to auth.development.conf or auth.production.conf only because this is highly sensitive and application specific information.
#Example for google:
google =>{
#client_id
key =>'123456654321abcd.apps.googleusercontent.com',
secret =>'Y0uRS3cretHEre',
scope=>'profile email',
info_url => 'https://www.googleapis.com/userinfo/v2/me',
},
routes
Currently defined routes are described in "ROUTES".
CONDITIONS
Ado::Plugin::Auth provides the following conditions to be used by routes. To find more about conditions read "Conditions" in Mojolicious::Guides::Routing.
authenticated
Condition for routes used to check if a user is authenticated.
# add the condition programatically
$app->routes->route('/ado-users/:action', over => {authenticated=>1});
$app->routes->route('/ado-users/:action',
over => [authenticated => 1, ingroup => 'admin']
);
#in etc/ado.$mode.conf or etc/plugins/foo.$mode.conf
routes => [
#...
{
route => '/ado-users/:action:id',
via => [qw(PUT DELETE)],
# only authenticated users can edit and delete users,
# and only if they are authorized to do so
over => [authenticated => 1, ingroup => 'admin'],
to =>'ado-users#edit'
}
],
ingroup
Checks if a user is in the given group. Returns true or false.
# in etc/plugins/routes.conf or etc/plugins/foo.conf
{
route => '/vest',
via => ['GET'],
to => 'vest#screen',
over => [authenticated => 1, ingroup => 'foo'],
}
# programatically
$app->routes->route('/ado-users/:action', over => {ingroup => 'foo'});
HELPERS
Ado::Plugin::Auth provides the following helpers for use in Ado::Control methods and templates.
login_ado
Finds and logs in a user locally. Returns true on success, false otherwise.
login_google
Called via /login/google
. Finds an existing user and logs it in via Google. Creates a new user if it does not exist and logs it in via Google. The new user can login via any supported OAuth2 provider as long as it has the same email. The user can not login using Ado local authentication because he does not know his password, which is randomly generated. Returns true on success, false otherwise.
login_facebook
Called via /login/facebook
. Finds an existing user and logs it in via Facebook. Creates a new user if it does not exist and logs it in via Facebook. The new user can login via any supported Oauth2 provider as long as it has the same email. The user can not login using Ado local authentication because he does not know his password, which is randomly generated. Returns true on success, false otherwise.
HOOKS
Ado::Plugin::Auth emits the following hooks.
after_login
In your plugin you can define some functionality to be executed right after a user has logged in. For example add some links to the adobar template, available only to logged-in users. Only the controller $c
is passed to this hook.
#example from Ado::Plugin::Admin
$app->hook(
after_login => sub {
push @{shift->session->{adobar_links} //= []},
{icon => 'dashboard', href => '/ado', text => 'Dashboard'};
}
);
after_user_add
$app->hook(after_user_add => sub {
my ($c, $user, $raw_data) = @_;
my $group = $user->add_to_group(ingroup=>'vest');
...
});
In your plugin you can define some functionality to be executed right after a user is added. For example add a user to a group after registration. Passed the controller, the newly created $user
and the $raw_data used to create the user.
ROUTES
Ado::Plugin::Auth provides the following routes (actions):
/authorize/:auth_method
Redirects to an OAuth2 provider consent screen where the user can authorize Ado to use his information or not. Currently Ado supports Facebook and Google.
/login
/login/ado
If accessed using a GET
request displays a login form. If accessed via POST
performs authentication using ado
system database, and emits the hook "after_login".
/login/facebook
Facebook consent screen redirects to this action. This action is handled by "login_facebook".
/login/google
Google consent screen redirects to this action. This action is handled by "login_google".
/logout
Expires the session and redirects to the base URL.
$c->logout();
TEMPLATES
Ado::Plugin::Auth uses the following templates. The paths are in the /templates
folder. Feel free to move them to the site_templates folder and modify them for your needs.
partials/authbar.html.ep
Renders a menu dropdown for choosing methods for signing in.
partials/login_form.html.ep
Renders a Login form to authenticate locally.
login.html.ep
Renders a page containing the login form above.
METHODS
Ado::Plugin::Auth inherits all methods from Ado::Plugin and implements the following new ones.
register
This method is called by $app->plugin
. Registers the plugin in Ado application and merges authentication configuration from $MOJO_HOME/etc/ado.conf
with settings defined in $MOJO_HOME/etc/plugins/auth.conf
. Authentication settings defined in plugins/auth.$mode.conf
will override those defined in plugins/auth.conf
. Authentication settings defined in ado.conf
will override both.
TODO
The following authentication methods are in the TODO list: linkedin, github. Others may be added later. Please help by implementing authentication via more providers.
SEE ALSO
Mojolicious::Plugin::OAuth2, Ado::Plugin, Ado::Manual::Plugins, Mojolicious::Plugins, Mojolicious::Plugin, "Conditions" in Mojolicious::Guides::Routing
AUTHOR
Красимир Беров (Krasimir Berov)
COPYRIGHT AND LICENSE
Copyright 2014-2016 Красимир Беров (Krasimir Berov).
This program is free software, you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License v3 (LGPL-3.0). You may copy, distribute and modify the software provided that modifications are open source. However, software that includes the license may release under a different license.
See http://opensource.org/licenses/lgpl-3.0.html for more information.