<%ARGS>
$user => ''
$pass => ''
</%ARGS>
<%INIT>
return if RT::Interface::Web::_UserLoggedIn();

my $get_env = sub {
    my $key = shift;
    if (RT::Interface::Web->can('RequestENV')) {
        return RT::Interface::Web::RequestENV($key)
    }
    return $ENV{$key};
};

if (($get_env->('HTTP_AUTHORIZATION')||'') =~ /^token (.*)$/i) {
    $pass ||= $1;
}

return unless defined $pass;

my ($user_obj, $token) = RT::Authen::Token->UserForAuthString($pass, $user);
return unless $user_obj;

# log in
my $remote_addr = $get_env->('REMOTE_ADDR');
$RT::Logger->info("Successful login for @{[$user_obj->Name]} from $remote_addr using authentication token #@{[$token->Id]} (\"@{[$token->Description]}\")");

# It's important to nab the next page from the session before we blow
# the session away
my $next = RT::Interface::Web::RemoveNextPage($ARGS{'next'});
   $next = $next->{'url'} if ref $next;

RT::Interface::Web::InstantiateNewSession();
$session{'CurrentUser'} = $user_obj;

# Really the only time we don't want to redirect here is if we were
# passed user and pass as query params in the URL.
if ($next) {
    RT::Interface::Web::Redirect($next);
}
elsif ($ARGS{'next'}) {
    # Invalid hash, but still wants to go somewhere, take them to /
    RT::Interface::Web::Redirect(RT->Config->Get('WebURL'));
}
</%INIT>
