Some quick notes:

• I noticed Authen::Users, which seems like the only existing attempt at this
• I'd separate Authentication and Authorization if I were you (think /etc/passwd and /etc/group)
• I wouldn't bother with performing authentication; Authen::Simple is a nice API for that, and there are hundreds of other modules and frameworks that already provide that service. Restrict yourself to managing the auth data, because that seems to be the one thing that's still missing on CPAN

At first, I had some reservations against must(), and can(), but if you do drop performing auth, then those would be moot :) If you do want to implement it, I'd suggest must_have_role() and has_role() (or maybe may() or something like that, but can() is already used for OO purposes, and carries too much of that meaning).

Bottom line: I'd like to see a nice framework for user and role data management. I don't know if it'll be easy for you to make it such that it can target PAM, SASL, Kerberos, Active Directory etc., but I bet there's demand for such a beast.

Update: I rummaged around CPAN some more, and found Aut. Seems fairly similar to your scope. There's also Tree::Authz, which looks fairly comprehensive as well. If you haven't done so yet (but I bet you have), I recommend searching CPAN for "authentication" and/or "authorization". There's a lot to wade through, but that'll give you a good idea what's out there, and what's still missing.

Good ideas. I just want to make sure I don't run into the "too many options" problem while trying to get around it. Basicaly I just want a place I can start, and then link to the other modules that do better or have better options. In addition I'm not sure how i'd go about making a program dynamic enough to be able to write to all of those different authentication systems. So I was hoping to make an Authentication/Authorization System in a box, then point people to more powerfull solutions that could be customized to different needs. Does that make more sense? Kinda user managment with training wheels, i'd fully expect people to ditch the training wheels eventualy, but some projects never get off the ground enough to worry about that. At least thats been my experience, which is why i'm meditating on this, to see if i'm alone or if others have similar experiences. ;)


___________
Eric Hodges

I can sympathise with you not wanting to aim too high just yet :)

The typical solution to talking to different backends is usually by adding a driver layer (similar to the DBD::* modules for DBI). I've been browsing through the source for Authen::Simple, and the basic design looks very good. It uses Adaptor classes which implement the backend-store specific code behind the public, common API. It may be too abstract for your needs, but I think I can recommend it. It's interesting and educational at least :)

First of all: don't use functions to create objects. Use a class method. It's much more consistent, and I'm sure, more easy to implement — why import constructors into your subclass?

So: change

# Loads user information, logs users in and out, controls cookies
my $user = My::Authentication::load();
[download]

# Loads user information, logs users in and out, controls cookies
my $user = My::Authentication->load;
[download]

More examples:

#allow user administration. (for registration etc)
My::Authentication::add_user($username, $password, { #hash to store da
+ta }, [ roles ]);
My::Authentication::del_user($username);
[download]

#allow user administration. (for registration etc)
My::Authentication->add_user($username, $password, { #hash to store da
+ta }, [ roles ]);
My::Authentication->del_user($username);
[download]

#allow user administration. (for registration etc)
my $suspect = My::Authentication->add_user($username, $password, { #ha
+sh to store data });
$suspect->add_roles(roles);
[download]

Second: I think you're having too many similar functions with related names. I prefer overloading. I think the default for require or must or whatever you call it (I prefer "require" over "must") should be to redirect to the login page, which you can optimally specify, if the user is not logged in and return a "forbidden" status if he is logged in but too low. Something like:

# Loads user information, logs users in and out, controls cookies
my $user = My::Authentication->load;

# require a user to be an admin or redirect them to the login page
$user->require('admin');

# require a user to be an admin or redirect them to a specific page
$user->require('admin', '/login.html');

# require a user to be an admin, or give them an "Access denied page"
$user->require('admin', undef);
[download]

Well, it could be nice if a user could "upgrade" to a more powerful user, when access is denied.

Oh, and for the sake of a good user experience: please remember what page the user tried to access when forced to log in. I hate it when on a webforum, the damn think forgets that I intended to comment on a post when it forces me to log in first. Please make it go back to where I wanted to go in the first place.

Well, this surely isn't the final API spec, it definitely needs some more hammering.

Hey, Thanks for the input. Yea i started with something that looked like that, but then thought it was confusing to have one require do so much, but the way you did it makes it easy, and looks right. Redirect to undef is pretty obvious an "error" page of some sort. I like it, and other changes welcome too, thats why i shoved it up here!


___________
Eric Hodges

I would make

$admin->add_user(...);
[download]

so that the user who wants to add another has to login! And possibly remember which user was created from whom. But My::Authentication->add_role($role) is ok.

For the role-based authorization, the access control list approach has real merit. It ties together some resource (actually a Catalyst action with a role) and provide for automatic "You are not allowed to access this page" replies.

So the first part of your project is already written (well at least within Catalyst's little world). Now if you could tie in your user-management to the Catalyst plugins and have it discover and service the actual back-end stores used, that would surely make it a winning module.

The more I look at this the more it seems like we need a DBI-esq (as in a general API with several backends) for querying AND maintaining user/role/group data. Authen::Simple is half way there with the query interface but it doesn't provide a way to update the backend. Then my project would be a simple application based on this Auth.* API. But then I wonder if those different backends provide ways to be updated via Perl. For instance the POP3 backend is easy to query but doesn't provide a way to update it.

Perhaps I look more into expanding the existing modules to allow updateing of the data in a consisten manner, and then build my application/module on top of that.

I could always start with just a single DBI based driver layer and let others expand it to other auth.* systems


___________
Eric Hodges

Whatever you name this, you might consider not stomping on the namespace. I assume you'll make a typical role or group based system. Someone else might come by later and make a capability based system to solve your Confused Deputy Problem and it'd be nice if there were a place in the namespace for them to live.

I agree with everything else, but I would suggest against...
o making it tied to CGI (or perhaps have My::Auth::CGI for that purpose).
o forcing the user (programmer) to use the modules own authentication system (perhaps make it optional, for convenience, though) - possibly authenticate a user with $user->authenticate(1), etc - this lets the user authenticate their users however they want (and takes some load off your hands ;-) )

That's all I can think of for now. I'm keen to see this finished :-)