Dancer::Plugin::Auth::Basic 0.02

I recently noticed that my Dancer plugin implementing basic HTTP authentication received a miserable 2-star review on CPAN Ratings. The reviewer pointed out that the plugin expects passwords to be written in cleartext in configuration files, which is a really bad security practice.

My first reaction was “oh come on, this is basic HTTP authentication, it’s insecure anyway and nobody would use it for any serious purpose”. But then I thought that it is, in fact, valid criticism. While I can’t do anything about the security of the authentication protocol itself (except perhaps for advising people to only use it over SSL), this doesn’t mean that I shouldn’t follow best security practices in those areas that are under my control, and how passwords are stored is one of them.

I modified the plugin to add support for hashed passwords in configuration files — it was really easy thanks to the Authen::Passphrase module, which provides a unified interface to a number of different passphrase schemes. So now you can keep your basic HTTP password secured using SHA-1, salted MD5, Blowfish, or any other scheme supported by Authen::Passphrase (for new deployments, the bcrypt scheme provided by Authen::Passphrase::BlowfishCrypt is the one to prefer, since unsalted SHA-1 and MD5 are cheap to brute-force). Cleartext passwords still work, so backwards compatibility is maintained.
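To illustrate how such a scheme-agnostic check works, here is an added example written for this post; it is not the plugin’s own code. It assumes a hypothetical user table shaped like a Dancer config section (user name mapped to password string), generates hashed entries with Authen::Passphrase in RFC 2307 form, and verifies a supplied password against either a hashed or a legacy cleartext entry. The user names, passwords and the `%users` layout are constructed for the example.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Authen::Passphrase;
use Authen::Passphrase::BlowfishCrypt;
use Authen::Passphrase::SaltedDigest;

# Turn a cleartext password into an RFC 2307 string such as
# "{CRYPT}$2a$08$..." (bcrypt) or "{SSHA}..." (salted SHA-1), which is
# what you would paste into the configuration file instead of the password.
sub hash_password {
    my ($scheme, $plain) = @_;
    my $ppr;
    if ($scheme eq 'bcrypt') {
        # cost is log2 of the number of rounds; raise it as hardware gets faster
        $ppr = Authen::Passphrase::BlowfishCrypt->new(
            cost => 8, salt_random => 1, passphrase => $plain);
    }
    elsif ($scheme eq 'ssha') {
        # 20 random salt bytes, SHA-1 digest; weaker than bcrypt but still salted
        $ppr = Authen::Passphrase::SaltedDigest->new(
            algorithm => 'SHA-1', salt_random => 20, passphrase => $plain);
    }
    else {
        die "unknown scheme '$scheme'";
    }
    return $ppr->as_rfc2307;
}

# Check a supplied password against a stored entry. Hashed entries start
# with a "{SCHEME}" tag and are parsed by Authen::Passphrase, which picks
# the right subclass; anything else is treated as a legacy cleartext entry.
sub check_password {
    my ($stored, $supplied) = @_;
    return 0 unless defined $stored && defined $supplied;
    if ($stored =~ /^\{/) {
        # An unparseable or unsupported scheme must fail closed, not fall
        # back to a cleartext comparison against the hash string.
        my $ppr = eval { Authen::Passphrase->from_rfc2307($stored) };
        return 0 unless $ppr;
        return $ppr->match($supplied) ? 1 : 0;
    }
    # Backwards compatibility: plain string compare for cleartext entries.
    return $stored eq $supplied ? 1 : 0;
}

# Constructed user table (assumed shape, not the plugin's documented format).
# In a real deployment only the hashed strings would live in the config file.
my %users = (
    alice => hash_password('bcrypt', 'correct horse battery staple'),
    bob   => hash_password('ssha',   'hunter2'),
    carol => 'legacy-cleartext-secret',   # old-style entry, still accepted
);

for my $name (sort keys %users) {
    printf "%-6s stored as: %s\n", $name, $users{$name};
}

# A few checks; expected results are "ok" for the right password and
# "rejected" for a wrong one or an entry that cannot be parsed.
my @trials = (
    [ alice => 'correct horse battery staple' ],
    [ alice => 'wrong password' ],
    [ bob   => 'hunter2' ],
    [ carol => 'legacy-cleartext-secret' ],
    [ carol => '{CRYPT}not-a-real-hash' ],
);
for my $t (@trials) {
    my ($name, $try) = @$t;
    printf "%-6s %-32s %s\n", $name, "'$try'",
        check_password($users{$name}, $try) ? 'ok' : 'rejected';
}

# An entry with a garbage scheme tag is rejected rather than compared in clear.
printf "bogus entry: %s\n",
    check_password('{NOSUCHSCHEME}abc', 'abc') ? 'ok' : 'rejected';
```

The bcrypt output changes on every run because the salt is random, so copy the generated string into the config rather than regenerating it at startup. The cleartext branch uses a plain `eq`, which is not constant-time; that only matters for the legacy entries this fallback exists to tolerate.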

Hey, I expect at least 4.5 stars now.
