/usr/include/Wt/Auth/PasswordService is in libwt-dev 3.3.0-1build1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 | // This may look like C code, but it's really -*- C++ -*-
/*
* Copyright (C) 2011 Emweb bvba, Kessel-Lo, Belgium.
*
* See the LICENSE file for terms of use.
*/
#ifndef WT_AUTH_PASSWORD_AUTH_H_
#define WT_AUTH_PASSWORD_AUTH_H_
#include <Wt/WValidator>
#include <Wt/Auth/AbstractPasswordService>
namespace Wt {
namespace Auth {
/*! \class PasswordService Wt/Auth/PasswordService Wt/Auth/PasswordService
* \brief Password authentication service
*
* This class implements password authentication.
*
* Like all <b>service classes</b>, this class holds only
* configuration state. Thus, once configured, it can be safely shared
* between multiple sessions since its state (the configuration) is
* read-only.
* \if cpp
* A "const PasswordService" object is thus thread-safe.
* \endif
*
* Passwords are (usually) saved in the database using salted hash
* functions. The process of computing new hashes, and verifying them
* is delegated to an AbstractVerifier.
*
* The authentication class may be configured to enable password
* attempt throttling. This provides protection against brute force
* guessing of passwords. When throttling is enabled, new password
* attempts are refused until the throttling period is finished.
*
* Password strength validation of a new user-chosen password may be
* implemented by setting an AbstractStrengthValidator.
*
* \ingroup auth
*/
class WT_API PasswordService : public AbstractPasswordService
{
public:
/*! \class AbstractVerifier
* \brief Abstract password hash computation and verification class
*
* This class defines the interface for verifying a passwords against
* password hashes, or computing a new password hash for a password.
*
* \sa setVerifier()
*/
class AbstractVerifier
{
public:
/*! \brief Destructor.
*/
virtual ~AbstractVerifier();
/*! \brief Returns whether a password hash needs to be updated (recomputed).
*
* A \p hash may need to be updated if it has been computed with a
* cryptographic method that is being disfavoured.
*/
virtual bool needsUpdate(const PasswordHash& hash) const = 0;
/*! \brief Computes the password hash for a clear text password.
*
* This must return a hash that can later be used to verify the
* user's password, but which avoids compromising the user's password
* in case of loss.
*/
virtual PasswordHash hashPassword(const WString& password) const = 0;
/*! \brief Verifies a password against a hash.
*
* This returns whether the given password matches with the user's
* credentials stored in the hash.
*/
virtual bool verify(const WString& password, const PasswordHash& hash) const
= 0;
};
/*! \brief Constructor.
*
* Creates a new password authentication service, which depends on the
* passed basic authentication service.
*/
PasswordService(const AuthService& baseAuth);
/*! \brief Destructor.
*/
virtual ~PasswordService();
/*! \brief Returns the basic authentication service.
*/
virtual const AuthService& baseAuth() const { return baseAuth_; }
/*! \brief Sets a password verifier which computes authorization checks.
*
* The password verifier has as task to verify an entered password
* against a password hash stored in the database, and also to create
* or update a user's password hash.
*
* The default password verifier is \c 0.
*
* The service takes ownership of the verifier.
*
* \sa verifyPassword(), updatePassword()
*/
void setVerifier(AbstractVerifier *verifier);
/*! \brief Returns the password verifier.
*
* \sa setVerifier()
*/
AbstractVerifier *verifier() const { return verifier_; }
/*! \brief Sets a validator which computes password strenght.
*
* The default password strenght validator is \c 0.
*
* The service takes ownership of the validator.
*/
void setStrengthValidator(AbstractStrengthValidator *validator);
/*! \brief Returns the password strength validator.
*
* \sa setStrengthValidator()
*/
virtual AbstractStrengthValidator *strengthValidator() const
{ return validator_; }
/*! \brief Configures password attempt throttling.
*
* When password throttling is enabled, new password verification
* attempts will be refused when the user has had too many
* unsuccessful authentication attempts in a row.
*
* The exact back-off schema can be customized by specializing
* getPasswordThrottle().
*/
void setAttemptThrottlingEnabled(bool enabled);
/*! \brief Returns whether password attempt throttling is enabled.
*
* \sa setAttemptThrottlingEnabled()
*/
virtual bool attemptThrottlingEnabled() const { return attemptThrottling_; }
/*! \brief Returns the delay for this user for a next authentication
* attempt.
*
* \copydetails AbstractPasswordService::delayForNextAttempt()
*
* \sa setAttemptThrottlingEnabled(), getPasswordThrottle()
*/
virtual int delayForNextAttempt(const User& user) const;
/*! \brief Verifies a password for a given user.
*
* \copydetails AbstractPasswordService::verifyPassword()
*
* \sa setVerifier(), setAttemptThrottlingEnabled()
*/
virtual PasswordResult verifyPassword(const User& user,
const WT_USTRING& password) const;
/*! \brief Sets a new password for the given user.
*
* This stores a new password for the user in the database.
*/
virtual void updatePassword(const User& user, const WT_USTRING& password)
const;
protected:
/*! \brief Returns how much throttle should be given considering a number of
* failed authentication attempts.
*
* The returned value is in seconds.
*
* The default implementation returns the following:
* - failedAttempts == 0: 0
* - failedAttempts == 1: 1
* - failedAttempts == 2: 5
* - failedAttempts == 3: 10
* - failedAttempts > 3: 25
*/
virtual int getPasswordThrottle(int failedAttempts) const;
private:
PasswordService(const PasswordService&);
const AuthService& baseAuth_;
AbstractVerifier *verifier_;
AbstractStrengthValidator *validator_;
bool attemptThrottling_;
};
}
}
#endif // WT_AUTH_PASSWORD_AUTH
|