Class: HTTPAuth::Basic

Inherits:

Object

• Object
• HTTPAuth::Basic

Defined in:

lib/httpauth/basic.rb

Overview

Basic

The Basic class provides a number of methods to handle HTTP Basic Authentication. In Basic Authentication the server sends a challenge and the client has to respond to that with the correct credentials. These credentials will have to be sent with every request from that point on.

On the server

On the server you will have to check the headers for the ‘Authorization’ header. When you find one unpack it and check it against your database of credentials. If the credentials are wrong you have to return a 401 status message and a challenge, otherwise proceed as normal. The code is meant as an example, not as runnable code.

def check_authentication(request, response)
  credentials = HTTPAuth::Basic.unpack_authorization(request['Authorization'])
  if ['admin', 'secret'] == credentials
    response.status = 200
    return true
  else
    response.status = 401
    response['WWW-Authenticate'] = HTTPAuth::Basic.pack_challenge('Admin Pages')
    return false
  end
end

On the client

On the client you have to detect the WWW-Authenticate header sent from the server. Once you find one you should send credentials for that resource any resource ‘deeper in the URL space’. You may send the credentials for every request without a WWW-Authenticate challenge. Note that credentials are valid for a realm, a server can use multiple realms for different resources. The code is meant as an example, not as runnable code.

def get_credentials_from_user_for(realm)
  if realm == 'Admin Pages'
   return ['admin', 'secret']
  else
   return [nil, nil]
  end
end

def handle_authentication(response, request)
  unless response['WWW-Authenticate'].nil?
    realm = HTTPAuth::Basic.unpack_challenge(response['WWW-Authenticate])
    @credentials[realm] ||= get_credentials_from_user_for(realm)
    @last_realm = realm
  end
  unless @last_realm.nil?
    request['Authorization'] = HTTPAuth::Basic.pack_authorization(*@credentials[@last_realm])
  end
end

Class Method Summary

• .get_credentials(env) ⇒ Object

  Finds and unpacks the authorization credentials in a hash with the CGI enviroment.

• .pack_authorization(username, password) ⇒ Object

  Packs HTTP Basic credentials to an ‘Authorization’ header.

• .pack_challenge(realm) ⇒ Object

  Returns contents for the WWW-authenticate header.

• .unpack_authorization(authorization) ⇒ Object

  Unpacks the HTTP Basic ‘Authorization’ credential header.

• .unpack_challenge(authenticate) ⇒ Object

  Returns the name of the realm in a WWW-Authenticate header.

Class Method Details

.get_credentials(env) ⇒ Object

Finds and unpacks the authorization credentials in a hash with the CGI enviroment. Returns [nil,nil] if no credentials were found. See HTTPAuth::CREDENTIAL_HEADERS for supported variable names.

_Note for Apache_: normally the Authorization header can be found in the HTTP_AUTHORIZATION env variable, but Apache’s mod_auth removes the variable from the enviroment. You can work around this by renaming the variable in your apache configuration (or .htaccess if allowed). For example: rewrite the variable for every request on /admin/*.

RewriteEngine on
RewriteRule ^admin/ - [E=X-HTTP-AUTHORIZATION:%{HTTP:Authorization}]

# File 'lib/httpauth/basic.rb', line 107

def get_credentials(env)
  d = HTTPAuth::CREDENTIAL_HEADERS.inject(false) { |d,h| env[h] || d }
  return unpack_authorization(d) unless !d or d.nil? or d.empty?
  [nil, nil]
end

.pack_authorization(username, password) ⇒ Object

Packs HTTP Basic credentials to an ‘Authorization’ header

• username: A string with the username

• password: A string with the password

# File 'lib/httpauth/basic.rb', line 71

def pack_authorization(username, password)
  "Basic %s" % Base64.encode64("#{username}:#{password}").gsub("\n", '')
end

.pack_challenge(realm) ⇒ Object

Returns contents for the WWW-authenticate header

• realm: A string with a recognizable title for the restricted resource

# File 'lib/httpauth/basic.rb', line 78

def pack_challenge(realm)
  "Basic realm=\"%s\"" % realm.gsub('"', '')
end

.unpack_authorization(authorization) ⇒ Object

Unpacks the HTTP Basic ‘Authorization’ credential header

• authorization: The contents of the Authorization header

• Returns a list with two items: the username and password

Raises:

• (ArgumentError)

# File 'lib/httpauth/basic.rb', line 61

def unpack_authorization(authorization) 
  d = authorization.split ' '
  raise ArgumentError.new("HTTPAuth::Basic can only unpack Basic Authentication headers") unless d[0] == 'Basic'
  Base64.decode64(d[1]).split(':')[0..1]
end

.unpack_challenge(authenticate) ⇒ Object

Returns the name of the realm in a WWW-Authenticate header

• authenticate: The contents of the WWW-Authenticate header

# File 'lib/httpauth/basic.rb', line 85

def unpack_challenge(authenticate)
  if authenticate =~ /Basic\srealm=\"([^\"]*)\"/
    return $1
  else
    if authenticate =~ /^Basic/
      raise UnwellformedHeader.new("Can't parse the WWW-Authenticate header, it's probably not well formed")
    else
      raise ArgumentError.new("HTTPAuth::Basic can only unpack Basic Authentication headers")
    end
  end
end