+# Given a userid, create an authtoken.
+#
+# The authtoken consists of the encoded username and a key to decrypt the
+# password stored on disk. the authtoken is protected from modification
+# by an hmac.
+sub CreateAuthToken {
+ my $userid = shift;
+
+ my $cryptuser = crypt($userid, CreateCryptSalt(1));
+ $cryptuser =~ y,/,_,; # translate slashes to underscores
+
+ my $key = &Util::CreateKey($config{blowfishkeylen});
+ my $hexkey = unpack("H".($config{blowfishkeylen}*2), $key);
+
+ my $data = "$cryptuser,$hexkey";
+ my $hmac = getDataMac($data);
+ my $authtoken = "$hmac,$data";
+
+ return $authtoken;
+}
+
+# Parse an authtoken into encoded userid and key information and validate its mac.
+sub ParseAuthToken {
+ my $authtoken = shift;
+ my ($hmac_got, $data) = split(/,/, $authtoken, 2);
+ my $hmac_want = getDataMac($data);
+
+ HTMLError("Failed to validate authtoken\n") unless ($hmac_got eq $hmac_want);
+
+ my ($cryptuserid, $hexkey) = split(/,/, $data, 2);
+ return ($cryptuserid, $hexkey);
+}
+
+# Given an authtoken, return the path to the on-disk encrypted session file
+sub GetFNfromAuthToken {
+ my $authtoken = shift;
+ my ($cryptuserid, undef) = ParseAuthToken($authtoken);
+
+ my $fn = "$config{authtokenpath}/$cryptuserid";
+ return $fn;
+}
+
+# Given an authtoken and a password, write the password to disk encrypted by the authtoken's key.
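Review bot: The MAC check at L28 in ParseAuthToken compares the attacker-supplied `$hmac_got` against `$hmac_want` with `eq`, which stops at the first differing byte and so leaks through timing how much of the MAC matched, and it calls `getDataMac($data)` with `$data` undefined when the token contains no comma at all. I'd reject a malformed token first and then compare in constant time: `HTMLError("Failed to validate authtoken\n") unless defined $data;` then `my $hmac_want = getDataMac($data);` then `HTMLError("Failed to validate authtoken\n") unless length($hmac_got) == length($hmac_want) && (($hmac_got ^ $hmac_want) =~ tr/\0//c) == 0;`. Separately, if CreateCryptSalt(1) produces a traditional DES-style salt, the `crypt()` call at L9 only consumes the first eight characters of `$userid`, so two long userids sharing a prefix would yield the same `$cryptuser` and therefore the same session path built at L39 — worth confirming which crypt variant that salt selects. The path construction at L39 also relies on HTMLError never returning; if it can return, an unvalidated `$cryptuserid` reaches the filesystem. The hunk continues past L43 into the function that comment introduces.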