Security Advisories (2)
CVE-2026-5091 (2026-05-21)

Catalyst::Plugin::Authentication versions through 0.10024 for Perl are susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepancies in timing could be used to guess the underlying hash or password.

CVE-2009-10007 (2026-06-09)

Catalyst::Plugin::Authentication versions before 0.10_027 for Perl are susceptible to session fixation attacks. Catalyst::Plugin::Authentication does not automatically change the session id after authentication. An attacker who obtains a session id cookie can use it to impersonate the victim.

NAME

Catalyst::Authentication::Credential::NoPassword - Authenticate a user without a password.

SYNOPSIS

use Catalyst qw/
  Authentication
  /;

package MyApp::Controller::Auth;

sub login_as_another_user : Local {
    my ($self, $c) = @_;

    if ($c->user_exists() and $c->user->username() eq 'root') {
        # $c was missing the sigil in the original; the id comes from the request
        $c->authenticate( {id => $c->req->params->{user_id}}, 'nopassword' );
    }
}

DESCRIPTION

This authentication credential checker takes authentication information (most often a username) and retrieves the user from the store. No validation of any credentials is done. This is intended for administrative backdoors, SAML logins and so on when you have identified the new user by other means.

CONFIGURATION

# example
<Plugin::Authentication>
    <nopassword>
        <credential>
            class = NoPassword
        </credential>
        <store>
            class = DBIx::Class
            user_model = DB::User
            role_relation = roles
            role_field = name
        </store>
    </nopassword>
</Plugin::Authentication>
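A hardened form of the SYNOPSIS action against the realm configured above, as an added example rather than code from the distribution: it authorises on a role from the store instead of a hard-coded username, validates the incoming id, regenerates the session id after authenticate() (the fixation issue from the advisory above) and logs who impersonated whom. The 'admin' role, the 'id' and 'username' columns, and the presence of Catalyst::Plugin::Session are assumptions.

```perl
package MyApp::Controller::Auth;
use Moose;
use namespace::autoclean;
BEGIN { extends 'Catalyst::Controller' }

# Assumes the 'nopassword' realm from the CONFIGURATION section, a user
# table with 'id' and 'username' columns, an 'admin' role in the store,
# and that Catalyst::Plugin::Session is loaded (for change_session_id).
sub login_as_another_user : Local {
    my ($self, $c) = @_;

    # Authorise on a store-backed role instead of a hard-coded username.
    unless ($c->user_exists && grep { $_ eq 'admin' } $c->user->roles) {
        $c->response->status(403);
        $c->response->body('Forbidden');
        return;
    }

    # Only accept a well-formed numeric id; it becomes a store lookup key.
    my $target_id = $c->req->params->{user_id} // '';
    unless ($target_id =~ /\A[0-9]+\z/) {
        $c->response->status(400);
        $c->response->body('Bad user_id');
        return;
    }

    # Record the actor before $c->user is replaced by the target user.
    my $actor = $c->user->get('username');

    # No credential is checked by this realm: the store lookup alone decides,
    # so authenticate() returns false only when no such user exists.
    my $target = $c->authenticate({ id => $target_id }, 'nopassword');
    unless ($target) {
        $c->log->warn("impersonation by $actor failed: no user $target_id");
        $c->response->status(404);
        $c->response->body('No such user');
        return;
    }

    # Issue a fresh session id so the now-privileged session is not tied to
    # whatever id the browser presented before authentication.
    $c->change_session_id;

    $c->log->info("$actor is now acting as " . $target->get('username'));
    $c->response->redirect($c->uri_for('/'));
}

__PACKAGE__->meta->make_immutable;
1;
```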

METHODS

authenticate ( $c, $realm, $authinfo )

Try to log a user in.