{ $description "Wraps a responder in a protected responder. Access to the wrapped responder will be conditional upon the client authenticating with the current authentication realm." } ;
HELP: >>encoded-password
{ $values { "user" user } { "string" string } }
{ $description "Sets the user's password by combining it with a random salt and encoding it with the current authentication realm's checksum." } ;
HELP: capabilities
{ $var-description "Global variable holding all defined capabilities. New capabilities may be defined with " { $link define-capability } "." } ;
{ $description "Checks a username/password pair with the current authentication realm. Outputs a user if authentication succeeded, otherwise outputs " { $link f } "." } ;
HELP: define-capability
{ $values { "word" symbol } }
{ $description "Defines a new capability by adding it to the " { $link capabilities } " global variable." } ;
HELP: encode-password
{ $values
{ "string" string } { "salt" integer }
{ "bytes" byte-array }
}
{ $description "Encodes a password with the current authentication realm's checksum." } ;
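A Python model of the salted encoding described for `>>encoded-password` and `encode-password`, together with the username/password check, added here as an illustration; it is not code from the furnace.auth vocabulary. The byte layout (UTF-8 password followed by a 4-byte big-endian salt), the dict-based user records and the function names are assumptions.

```python
import hashlib
import hmac
import secrets


def encode_password(password: str, salt: int, checksum: str = "sha256") -> bytes:
    """Model of encode-password ( string salt -- bytes ).

    Assumed layout, not confirmed by the page: UTF-8 password bytes
    followed by the salt as a 4-byte big-endian integer, hashed once.
    """
    data = password.encode("utf-8") + salt.to_bytes(4, "big")
    return hashlib.new(checksum, data).digest()


def set_encoded_password(user: dict, password: str) -> dict:
    """Model of >>encoded-password: fresh random salt, store salt and digest."""
    salt = secrets.randbits(32)
    user["salt"] = salt
    user["password"] = encode_password(password, salt)
    return user


def check_login(users: dict, username: str, password: str):
    """Return the user record on success, otherwise None (the page's f)."""
    user = users.get(username)
    if user is None:
        return None
    candidate = encode_password(password, user["salt"])
    # Constant-time comparison: do not leak how many digest bytes matched.
    return user if hmac.compare_digest(candidate, user["password"]) else None


def demo() -> dict:
    # Constructed sample accounts: two users who chose the same password.
    return {
        "alice": set_encoded_password({"username": "alice"}, "correct horse"),
        "bob": set_encoded_password({"username": "bob"}, "correct horse"),
    }


if __name__ == "__main__":
    users = demo()
    # Same password, different salts: the stored digests differ.
    print(users["alice"]["password"].hex())
    print(users["bob"]["password"].hex())
    print(check_login(users, "alice", "correct horse") is not None)
    print(check_login(users, "alice", "wrong guess") is None)
```

The per-user salt makes identical passwords store as different digests and defeats precomputed tables. A single SHA-256 pass is still fast to compute, so it does not slow per-user guessing against a leaked user table.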
HELP: have-capabilities?
{ $values
{ "capabilities" "a sequence of capabilities" }
{ "?" "a boolean" }
}
{ $description "Tests if the currently logged-in user possesses the given capabilities." } ;
HELP: logged-in-user
{ $var-description "Holds the currently logged-in user." } ;
HELP: login-required
{ $values
{ "description" string } { "capabilities" "a sequence of capabilities" }
}
{ $description "Redirects the client to a login page." } ;
"Every user in the authentication framework has a set of associated capabilities."
$nl
"Defining new capabilities:"
{ $subsection define-capability }
"Capabilities are stored in a global variable:"
{ $subsection capabilities }
"Protected resources can be restricted to users possessing certain capabilities only by storing a sequence of capabilities in the " { $slot "capabilities" } " slot of a " { $link protected } " instance." ;
{ { $slot "checksum" } { "An implementation of the checksum protocol used for verifying passwords (see " { $link "checksums" } "). The " { $link sha-256 } " checksum is used by default." } }
{ { $slot "secure" } { "A boolean that, when set to a true value, forces the client to access the authentication realm via HTTPS. An attempt to access the realm via HTTP results in a redirect to the corresponding HTTPS URL. On by default." } }
"The " { $vocab-link "furnace.auth" } " framework looks up users using an authentication provider. Different authentication providers can be swapped in to implement various authentication strategies."
$nl
"Each authentication realm has a provider stored in the " { $slot "users" } " slot. The default provider is " { $link users-in-db } "."
"Vocabularies having names prefixed by " { $code "furnace.auth.features" } " implement optional features which can be enabled by calling special words. These words define new actions on an authentication realm."
"Authentication realms need to be configured after construction."
{ $subsection "furnace.auth.realm-config" } ;
ARTICLE: "furnace.auth.users" "User profiles"
"A responder wrapped in an authentication realm may access the currently logged-in user,"
{ $subsection logged-in-user }
"as well as the logged-in username:"
{ $subsection username }
"Values can also be stored in user profile variables:"
{ $subsection uget }
{ $subsection uset }
{ $subsection uchange }
"User profile variables have the same restrictions on their values as session variables; see " { $link "furnace.sessions.serialize" } " for a discussion." ;
"The " { $vocab-link "webapps.todo" } " vocabulary wraps all of its responders in a protected responder. The " { $slot "description" } " slot is set so that the login page contains the message “You must log in to view your todo list”:"
"The " { $vocab-link "webapps.wiki" } " vocabulary defines a mix of protected and unprotected actions. One example of a protected action is that for deleting wiki pages, an action normally reserved for administrators. This action is protected with the following code:"