This file is indexed.

/usr/include/Wt/Auth/PasswordService is in libwt-dev 3.3.0-1build1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
// This may look like C code, but it's really -*- C++ -*-
/*
 * Copyright (C) 2011 Emweb bvba, Kessel-Lo, Belgium.
 *
 * See the LICENSE file for terms of use.
 */
#ifndef WT_AUTH_PASSWORD_AUTH_H_
#define WT_AUTH_PASSWORD_AUTH_H_

#include <Wt/WValidator>
#include <Wt/Auth/AbstractPasswordService>

namespace Wt {
  namespace Auth {

/*! \class PasswordService Wt/Auth/PasswordService Wt/Auth/PasswordService
 *  \brief Password authentication service
 *
 * This class implements password authentication.
 *
 * Like all <b>service classes</b>, this class holds only
 * configuration state. Thus, once configured, it can be safely shared
 * between multiple sessions since its state (the configuration) is
 * read-only. 
 * \if cpp 
 * A "const PasswordService" object is thus thread-safe.
 * \endif
 *
 * Passwords are (usually) saved in the database using salted hash
 * functions. The process of computing new hashes, and verifying them
 * is delegated to an AbstractVerifier.
 *
 * The authentication class may be configured to enable password
 * attempt throttling. This provides protection against brute force
 * guessing of passwords. When throttling is enabled, new password
 * attempts are refused until the throttling period is finished.
 *
 * Password strength validation of a new user-chosen password may be
 * implemented by setting an AbstractStrengthValidator.
 *
 * \ingroup auth
 */
class WT_API PasswordService : public AbstractPasswordService
{
public:
  /*! \class AbstractVerifier
   *  \brief Abstract password hash computation and verification class
   *
   * This class defines the interface for verifying a passwords against
   * password hashes, or computing a new password hash for a password.
   *
   * \sa setVerifier()
   */
  class AbstractVerifier
  {
  public:
    /*! \brief Destructor.
     */
    virtual ~AbstractVerifier();

    /*! \brief Returns whether a password hash needs to be updated (recomputed).
     *
     * A \p hash may need to be updated if it has been computed with a
     * cryptographic method that is being disfavoured.
     */
    virtual bool needsUpdate(const PasswordHash& hash) const = 0;

    /*! \brief Computes the password hash for a clear text password.
     *
     * This must return a hash that can later be used to verify the
     * user's password, but which avoids compromising the user's password
     * in case of loss.
     */
    virtual PasswordHash hashPassword(const WString& password) const = 0;

    /*! \brief Verifies a password against a hash.
     *
     * This returns whether the given password matches with the user's
     * credentials stored in the hash.
     */
    virtual bool verify(const WString& password, const PasswordHash& hash) const
      = 0;
  };

  /*! \brief Constructor.
   *
   * Creates a new password authentication service, which depends on the
   * passed basic authentication service.
   */
  PasswordService(const AuthService& baseAuth);

  /*! \brief Destructor.
   */
  virtual ~PasswordService();

  /*! \brief Returns the basic authentication service.
   */
  virtual const AuthService& baseAuth() const { return baseAuth_; }

  /*! \brief Sets a password verifier which computes authorization checks.
   *
   * The password verifier has as task to verify an entered password
   * against a password hash stored in the database, and also to create
   * or update a user's password hash.
   *
   * The default password verifier is \c 0.
   *
   * The service takes ownership of the verifier.
   *
   * \sa verifyPassword(), updatePassword()
   */
  void setVerifier(AbstractVerifier *verifier);

  /*! \brief Returns the password verifier.
   *
   * \sa setVerifier()
   */
  AbstractVerifier *verifier() const { return verifier_; }

  /*! \brief Sets a validator which computes password strenght.
   *
   * The default password strenght validator is \c 0.
   *
   * The service takes ownership of the validator.
   */
  void setStrengthValidator(AbstractStrengthValidator *validator);

  /*! \brief Returns the password strength validator.
   *
   * \sa setStrengthValidator()
   */
  virtual AbstractStrengthValidator *strengthValidator() const
    { return validator_; }

  /*! \brief Configures password attempt throttling.
   *
   * When password throttling is enabled, new password verification
   * attempts will be refused when the user has had too many
   * unsuccessful authentication attempts in a row.
   *
   * The exact back-off schema can be customized by specializing
   * getPasswordThrottle().
   */
  void setAttemptThrottlingEnabled(bool enabled);

  /*! \brief Returns whether password attempt throttling is enabled.
   *
   * \sa setAttemptThrottlingEnabled()
   */
  virtual bool attemptThrottlingEnabled() const { return attemptThrottling_; }

  /*! \brief Returns the delay for this user for a next authentication
   *         attempt.
   *
   * \copydetails AbstractPasswordService::delayForNextAttempt()
   *
   * \sa setAttemptThrottlingEnabled(), getPasswordThrottle()
   */
  virtual int delayForNextAttempt(const User& user) const;

  /*! \brief Verifies a password for a given user.
   *
   * \copydetails AbstractPasswordService::verifyPassword()
   *
   * \sa setVerifier(), setAttemptThrottlingEnabled()
   */
  virtual PasswordResult verifyPassword(const User& user,
					const WT_USTRING& password) const;

  /*! \brief Sets a new password for the given user.
   *
   * This stores a new password for the user in the database.
   */
  virtual void updatePassword(const User& user, const WT_USTRING& password)
    const;

protected:
  /*! \brief Returns how much throttle should be given considering a number of
   *         failed authentication attempts.
   *
   * The returned value is in seconds.
   *
   * The default implementation returns the following:
   * - failedAttempts == 0: 0
   * - failedAttempts == 1: 1
   * - failedAttempts == 2: 5
   * - failedAttempts == 3: 10
   * - failedAttempts > 3: 25
   */
  virtual int getPasswordThrottle(int failedAttempts) const;

private:
  PasswordService(const PasswordService&);

  const AuthService& baseAuth_;
  AbstractVerifier *verifier_;
  AbstractStrengthValidator *validator_;
  bool attemptThrottling_;
};

  }
}

#endif // WT_AUTH_PASSWORD_AUTH