RedX::HashedPassword
A facility to allow the Red ORM to store and use hashed passwords in the database.
Synopsis
use Red;
use RedX::HashedPassword;
model User {
has Int $.id is serial;
has Str $.username is column;
has Str $.password is password handles <check-password>;
}
...
User.^create( username => 'user', password => 'password'); # password is saved as a hash
...
my User $user = User.^rs.first( *.username eq 'user' );
$user.check-password('password'); # True
Description
This provides a mechanism for Red to store a password
as a cryptographic hash in the database, such that someone who gains access to the
database cannot see the plain text password that may have been entered by a user.
The primary interface provided is the is password
trait that should be
applied to the column attribute in your model definition that you want to store the
hashed password in, this takes care of hashing the password before it is stored in
the database, on retrieval ("inflation") it also applies a role that provides a method
check-password
that checks a provided plaintext password against the stored hash.
You can make this appear to be a method of your (for example,) User model by applying
the handles <check-password>
trait to your column attribute.
The hashing algorithm used will be the best one provided by
Crypt::AnyPasswordHash
which has two implications, firstly the default provider is
Crypt::Libcrypt if no
other supported hashing module is installed, this will attempt to use the
mechanism suggested by the libcrypt
but if this can't be determined,
it will fall back to SHA-512 which seems to be the best commonly provided
algorithm, except on MacOS
where the libcrypt
only appears to support
the "heritage" DES algorithm - which has been considered insecure for most
of this century, so you probably don't want to use this in production
on MacOS for the timebeing without installing one of the other modules
supported by Crypt::AnyPasswordHash
. The second implication is that,
if you are going to access the hashed password from multiple hosts,
you should ensure that you have the same hashing module installed on
all the hosts in order that they can all verify the same methods.
Installtion
Assuming you have a working Rakudo installation then you can install this with zef:
zef install RedX::HashedPassword
# or from a local copy
zef install .
The module requires at least v0.1.0 of Crypt::Libcrypt
so you may want to upgrade that first if you already have it installed.
Support
Suggestions/patches are welcomed via github at:
https://github.com/jonathanstowe/RedX-HashedPassword/issues
Ideally there should be a better choice of hashing algorithm from those
provided by the OS and installed modules, this will come after the initial
release.
Licence
This is free software.
Please see the LICENCE file in the distribution
© Jonathan Stowe 2019 - 2021