Authentication bug?

Jos I. Boumans jos at
Thu Aug 7 11:50:29 UTC 2008

On 06 Aug 2008, at 19:34, Artur Bergman wrote:

> AFAIR if you return from a hook like that, it is supposed to  
> terminate the hook chain and proceed.
> So in this case, as long as the password matches when  
> StaticPassword returns, then you are good to go.
> Solution would be not to use StaticPassword

After a short IM conversation, it turns out that this is more a documentation issue, and perhaps needs a slight tweak to AllowedUsers (to also register a GetPassword hook), rather than a serious issue.

I suggest the below text as a doc patch to explain the situation.
Please correct me if my assumptions are wrong:

=== lib/DJabberd/Authen/
--- lib/DJabberd/Authen/       (revision 6909)
+++ lib/DJabberd/Authen/       (local)
@@ -7,13 +7,31 @@
      $self->{password} = $pass;

+# If can_retrieve_cleartext is set to true,
+# will register the GetPassword hook.
+# That hook is then called from when a password
+# needs to be checked.
+# The hook then invokes the get_password routine below,
+# which will return the static password and return it via
+# the ->set method on the callback.
+# will then validate that password and accept/reject
+# it. This means no other hooks will get called in this chain.
+# Also, none of the CheckCleartext/CheckDigest hooks will be
+# called.
+# See the documentation in HookDocs about 'GetPassword' for
+# more details.
  sub can_retrieve_cleartext { 1 }

+# will be called if can_retrieve_cleartext returns 1
  sub get_password {
      my ($self, $cb, %args) = @_;

+# will be called if can_retrieve_cleartext returns 0
  sub check_cleartext {
      my ($self, $cb, %args) = @_;
      if ($args{password} eq $self->{password}) {
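Review bot: in the comment block before can_retrieve_cleartext, the sentences "will register the GetPassword hook", "will then validate that password and accept/reject it", and the one-liners "will be called if can_retrieve_cleartext returns 1/0" before get_password and check_cleartext have no subject, so a reader cannot tell which module does the registering, validating or calling; name the class in each (the second hunk names DJabberd::IQ as the validator, so at least that sentence can be made to match). Also, can_retrieve_cleartext is a method hard-coded to 1 here, so "If can_retrieve_cleartext is set to true" should read "returns true", and the comment before check_cleartext should say it is only reached when a subclass overrides can_retrieve_cleartext, because as written it is never called for this plugin. Minor: "will return the static password and return it via the ->set method" repeats "return"; "hands the static password to the caller via $cb->set" is enough.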
=== lib/DJabberd/
--- lib/DJabberd/    (revision 6909)
+++ lib/DJabberd/    (local)
@@ -19,9 +19,9 @@
  $hook{'filter_incoming_server'} = {};
  $hook{'switch_incoming_server'} = {};

+# q[ ] since we use ' and non-interpolated variables
  $hook{'GetPassword'} = {
-    des => "Lookup a user's plaintext password",
+    des => q[Called when a client tries to authenticate. The hook is  
asked to lookup and return a user's plaintext password via $cb->set 
( $pass ). If the hook returns the password, DJabberd::IQ will  
validate the password and either accept or reject the authentication.  
If you want to do your own validation, do not allow a GetPassword  
hook to be registered that returns the password via the callback, and  
use the CheckCleartext or CheckDigest hooks instead],
      args => [ "username" => '$username', "conn" => 'Connection', ],
      callbacks => {
          set => ['password'],
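Review bot: the advice in the new des text, "do not allow a GetPassword hook to be registered that returns the password via the callback", does not tell an operator how to do that; say concretely that any Authen plugin whose can_retrieve_cleartext returns true registers this hook (StaticPassword in the other hunk does), so either configure a plugin that does not, or, as this thread suggests, have the allow-list plugin register on GetPassword too, and that whichever GetPassword hook answers first ends the chain. It would also help to state what a hook that cannot find the user should do so that the chain continues, since callbacks lists only set. Style: "asked to lookup" should be "asked to look up", "$cb->set ( $pass )" has stray spaces, and the "# q[ ] since we use ' and non-interpolated variables" comment explains a quoting choice rather than the hook and belongs in the commit message instead.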



   How do I prove I'm not crazy to people who are?

More information about the Djabberd mailing list
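The failure mode discussed in this thread, as an added example that is not part of the original post and not DJabberd's own code: a minimal model of a first-to-answer hook chain, where a hook that answers via set() ends the chain and every later hook is skipped. It shows why an allow list enforced only in CheckCleartext is bypassed when an earlier GetPassword hook hands out a password, why the suggested tweak (also registering on GetPassword) closes the gap, and that the tweak only works if the allow-list hook is registered ahead of the password hook. The class and function names, the reject()/decline() callback outcomes and the assumption that hooks run in registration order are all this example's own, not DJabberd's API.

```python
# Added example (not DJabberd code): a model of a first-to-answer hook chain.
# Only the semantics stated in the thread are modelled: a hook that answers
# ends the chain, and a supplied password is compared by the server itself,
# so CheckCleartext hooks are never consulted for that login.
# Names, the reject()/decline() outcomes and "hooks run in registration
# order" are assumptions of this model, not DJabberd's API.

GET_PASSWORD = "GetPassword"
CHECK_CLEARTEXT = "CheckCleartext"


class Callback:
    """Outcome of one hook: set() answers and ends the chain, reject() ends
    the chain with a refusal, decline() hands over to the next hook."""

    def __init__(self):
        self.state = "declined"
        self.value = None

    def set(self, value):
        self.state, self.value = "set", value

    def reject(self):
        self.state = "rejected"

    def decline(self):
        self.state = "declined"


class Server:
    def __init__(self):
        self.hooks = {GET_PASSWORD: [], CHECK_CLEARTEXT: []}

    def register(self, phase, hook):
        # Assumption: hooks fire in the order their plugins registered them.
        self.hooks[phase].append(hook)

    def run_chain(self, phase, **args):
        """Return ("set", value), ("rejected", None) or ("declined", None)."""
        for hook in self.hooks[phase]:
            cb = Callback()
            hook(cb, **args)
            if cb.state != "declined":
                return cb.state, cb.value
        return "declined", None

    def authenticate(self, username, password):
        """GetPassword runs first; if a hook supplies the stored password the
        server compares it itself and never reaches CheckCleartext."""
        state, stored = self.run_chain(GET_PASSWORD, username=username)
        if state == "set":
            return stored == password
        if state == "rejected":
            return False
        state, ok = self.run_chain(CHECK_CLEARTEXT, username=username, password=password)
        return state == "set" and bool(ok)


def static_password_plugin(server, static):
    """Stand-in for a plugin whose GetPassword hook always answers."""
    def get_password(cb, username):
        cb.set(static)
    server.register(GET_PASSWORD, get_password)


def allow_list_check_cleartext_only(server, allowed):
    """Allow list enforced only in CheckCleartext: dead code whenever an
    earlier GetPassword hook answers."""
    def check_cleartext(cb, username, password):
        if username not in allowed:
            cb.reject()
        else:
            cb.decline()
    server.register(CHECK_CLEARTEXT, check_cleartext)


def allow_list_with_get_password(server, allowed):
    """The tweak suggested in the thread: also sit on the GetPassword chain and
    refuse unknown users before any hook can hand out a password."""
    def get_password(cb, username):
        if username not in allowed:
            cb.reject()
        else:
            cb.decline()
    server.register(GET_PASSWORD, get_password)
    allow_list_check_cleartext_only(server, allowed)


def outcomes(server):
    # Constructed sample logins: "alice" is on the allow list, "mallory" is not.
    return {
        "alice/right": server.authenticate("alice", "s3cret"),
        "alice/wrong": server.authenticate("alice", "nope"),
        "mallory/right": server.authenticate("mallory", "s3cret"),
    }


def bypass_scenario():
    s = Server()
    static_password_plugin(s, "s3cret")
    allow_list_check_cleartext_only(s, {"alice"})
    return outcomes(s)  # mallory gets in: CheckCleartext never runs


def fixed_scenario():
    s = Server()
    allow_list_with_get_password(s, {"alice"})  # registered ahead of the password hook
    static_password_plugin(s, "s3cret")
    return outcomes(s)


def wrong_order_scenario():
    s = Server()
    static_password_plugin(s, "s3cret")
    allow_list_with_get_password(s, {"alice"})  # too late: the chain already ended
    return outcomes(s)
```

bypass_scenario() admits "mallory" with the static password because the allow list lives on a chain that is never reached; fixed_scenario() refuses "mallory" and still accepts "alice" with the right password; wrong_order_scenario() shows that moving the allow list onto GetPassword is not enough on its own, it must also be the first hook to run.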