Add configurable option for blank passphrase

This commit adds a configurable option to allow users to create
secrets with a blank passphrase.

 [passphrase]
 allow_blank = 0

To allow blank passphrases to be submitted, the allow_blank value
can be set to 1.

If set to 0 (dont allow blank passphrases), the frontend post route
will verify both passphrase and secret inputs contain values.
Empty string is not allowed for passphrase.

If set to 1 (allow blank passphrases) the frontend post route will
only verify the secret input contains a value.  The passphrase
input will then submit an empty string to the backend.

Changes to the backend were made to allow empty string for
passphrase to accommodate this change.

INSTALLATION.md

@@ -59,6 +59,15 @@ After creating the file, edit and update the values accordingly.
 
     To change the default time to expire secrets, change the `age` value.  The value must be a positive integer.  The `age` value is only enforced if running the `delete_expired_secrets.pl` script, as noted below.
 
+- passphrase
+
+    The `passphrase` section key is required, and the `allow_blank` option key within it.
+
+        [passphrase]
+        allow_blank = 0
+
+    The allow users to set a blank passphrase, change `allow_blank` to `1`.
+
 - cookie
 
     The `cookie` section key is required, and `secret_key` option key within it.

config.ini.example

@@ -1,5 +1,7 @@
 [secret]
 age = 604800
+[passphrase]
+allow_blank = 0
 [cookie]
 secret_key = default
 [footer]

lib/Pasteburn.pm

@@ -20,6 +20,8 @@ BEGIN {
         die("FATAL: session Cookie secret_key is not set");
     }
 
+    set passphrase => $conf->{passphrase};
+
     set views  => config->{appdir} . 'views';
     set footer => $conf->{footer};
 
@@ -119,20 +121,42 @@ B<NOTE:> If the C<$ENV{HOME}/.config/pasteburn/> directory exists, C<config.ini>
 
 =over
 
+=item secret
+
+The C<secret> section key is required, and C<age> option key within it.
+
+ [secret]
+ age = 604800
+
+To change the default time to expire secrets, change the C<age> value.  The value must be a positive integer.  The C<age> value is only enforced if running the C<delete_expired_secrets.pl> script, as noted below.
+
+=item passphrase
+
+The C<passphrase> section key is required, and the C<allow_blank> option key within it.
+
+ [passphrase]
+ allow_blank = 0
+
+The allow users to set a blank passphrase, change C<allow_blank> to C<1>.
+
 =item cookie
 
 The C<cookie> section key is required, and C<secret_key> option key within it.
 
  [cookie]
  secret_key = default
 
+Set the C<secret_key> value to a complex random string for your installation.
+
 =item footer
 
 The C<footer> section key is required, and C<links> option key within it.
 
  [footer]
  links = 1
 
+To disable the links in the footer, set the C<links> value to C<0>.
+
 =back
 
 =head1 COPYRIGHT AND LICENSE

lib/Pasteburn/Config.pm

@@ -45,7 +45,7 @@ sub _validate {
     my $config = shift;
 
     # verify required config sections
-    foreach my $required (qw{ secret cookie footer }) {
+    foreach my $required (qw{ secret passphrase cookie footer }) {
         unless ( exists $config->{$required} ) {
             die "config section $required is required\n";
         }
@@ -60,6 +60,11 @@ sub _validate {
         die "config section secret age must be a positive integer\n";
     }
 
+    # verify passphrase allow_blank exists
+    unless ( exists $config->{passphrase}{allow_blank} ) {
+        die "config section passphrase allow_blank is required\n";
+    }
+
     # verify cookie secret_key is set and isn't the default string in the example config
     unless ( exists $config->{cookie}{secret_key} && defined $config->{cookie}{secret_key} ) {
         die "config section cookie secret_key is required\n";
@@ -137,20 +142,35 @@ The C<secret> section key is required, and C<age> option key within it.
  [secret]
  age = 604800
 
+To change the default time to expire secrets, change the C<age> value.  The value must be a positive integer.  The C<age> value is only enforced if running the C<delete_expired_secrets.pl> script, as noted below.
+
+=item passphrase
+
+The C<passphrase> section key is required, and the C<allow_blank> option key within it.
+
+ [passphrase]
+ allow_blank = 0
+
+The allow users to set a blank passphrase, change C<allow_blank> to C<1>.
+
 =item cookie
 
 The C<cookie> section key is required, and C<secret_key> option key within it.
 
  [cookie]
  secret_key = default
 
+Set the C<secret_key> value to a complex random string for your installation.
+
 =item footer
 
 The C<footer> section key is required, and C<links> option key within it.
 
  [footer]
  links = 1
 
+To disable the links in the footer, set the C<links> value to C<0>.
+
 =back
 
 =head1 AUTHOR

lib/Pasteburn/Controller/Secret.pm

@@ -34,11 +34,21 @@ post q{/secret} => sub {
         message      => undef,
     };
 
-    unless ( $secret && $passphrase ) {
-        $template_params->{message_type} = 'error';
-        $template_params->{message}      = 'The secret and passphrase parameters are required';
-        response->{status} = HTTP::Status::HTTP_BAD_REQUEST;
-        return template secret => $template_params;
+    if ( config->{passphrase}{allow_blank} ) {
+        unless ($secret) {
+            $template_params->{message_type} = 'error';
+            $template_params->{message}      = 'The secret parameter is required';
+            response->{status} = HTTP::Status::HTTP_BAD_REQUEST;
+            return template secret => $template_params;
+        }
+    }
+    else {
+        unless ( $secret && $passphrase ) {
+            $template_params->{message_type} = 'error';
+            $template_params->{message}      = 'The secret and passphrase parameters are required';
+            response->{status} = HTTP::Status::HTTP_BAD_REQUEST;
+            return template secret => $template_params;
+        }
     }
 
     if ( length $secret > 10000 ) {
@@ -160,7 +170,7 @@ post q{/secret/:id} => sub {
 
     $template_params->{id} = $secret_obj->id;
 
-    unless ($passphrase) {
+    if ( !config->{passphrase}{allow_blank} && !$passphrase ) {
         $template_params->{message_type} = 'error';
         $template_params->{message}      = 'The passphrase parameter is required';
         response->{status} = HTTP::Status::HTTP_BAD_REQUEST;

lib/Pasteburn/Crypt/Hash.pm

@@ -25,7 +25,7 @@ sub generate {
         @_,
     };
 
-    unless ( $arg->{string} ) {
+    unless ( defined $arg->{string} ) {
         die "string is required\n";
     }
 
@@ -63,10 +63,12 @@ sub validate {
         @_,
     };
 
-    foreach my $required ( keys %{$arg} ) {
-        unless ( $arg->{$required} ) {
-            die "$required is required\n";
-        }
+    unless ( $arg->{hash} ) {
+        die "hash is required\n";
+    }
+
+    unless ( defined $arg->{string} ) {
+        die "string is required\n";
     }
 
     my ( undef, $method, @parts ) = split /!/, $arg->{hash};

lib/Pasteburn/Crypt/Storage.pm

@@ -15,7 +15,7 @@ sub new {
         @_,
     };
 
-    unless ( $arg->{passphrase} ) {
+    unless ( defined $arg->{passphrase} ) {
         die "passphrase argument is required\n";
     }
 

lib/Pasteburn/Model/Secrets.pm

@@ -201,11 +201,15 @@ sub validate_passphrase {
         die "validate_passphrase cannot be run for a nonexistent secret";
     }
 
-    unless ( $arg->{passphrase} ) {
+    unless ( defined $arg->{passphrase} ) {
         die "passphrase is required";
     }
 
-    # this should never happen, but leaving it here just in case.
+    # if the secret is stored with an empty string as passphrase, there is still
+    # a hashed passphrase stored in the object and db.
+    # the code up to this point will allow empty string submitted from the interface,
+    # but not allow an undef to be stored.
+    # although unlikely to fail, still verify the hashed passphrase is in the object.
     unless ( defined $self->passphrase ) {
         die "passphrase is not set";
     }
@@ -229,7 +233,7 @@ sub decode_secret {
         die "decode_secret cannot be run for a nonexistent secret";
     }
 
-    unless ( $arg->{passphrase} ) {
+    unless ( defined $arg->{passphrase} ) {
         die "passphrase is required";
     }