Module: ActionController::HttpAuthentication::Basic

Extended by:
Basic
Included in:
Basic
Defined in:
lib/action_controller/metal/http_authentication.rb

Overview

# HTTP Basic authentication

### Simple Basic example

class PostsController < ApplicationController
  http_basic_authenticate_with name: "dhh", password: "secret", except: :index

  def index
    render plain: "Everyone can see me!"
  end

  def edit
    render plain: "I'm only accessible if you know the password"
  end
end

### Advanced Basic example

Here is a more advanced Basic example where only Atom feeds and the XML API are protected by HTTP authentication. The regular HTML interface is protected by a session approach:

class ApplicationController < ActionController::Base
  before_action :set_account, :authenticate

  private
    def 
      @account = Account.find_by(url_name: request.subdomains.first)
    end

    def authenticate
      case request.format
      when Mime[:xml], Mime[:atom]
        if user = authenticate_with_http_basic { |u, p| @account.users.authenticate(u, p) }
          @current_user = user
        else
          request_http_basic_authentication
        end
      else
        if session_authenticated?
          @current_user = @account.users.find(session[:authenticated][:user_id])
        else
          redirect_to() and return false
        end
      end
    end
end

In your integration tests, you can do something like this:

def test_access_granted_from_xml
  authorization = ActionController::HttpAuthentication::Basic.encode_credentials(users(:dhh).name, users(:dhh).password)

  get "/notes/1.xml", headers: { 'HTTP_AUTHORIZATION' => authorization }

  assert_equal 200, status
end

Defined Under Namespace

Modules: ControllerMethods

Instance Method Summary collapse

Instance Method Details

#auth_param(request) ⇒ Object



130
131
132
# File 'lib/action_controller/metal/http_authentication.rb', line 130

def auth_param(request)
  request.authorization.to_s.split(" ", 2).second
end

#auth_scheme(request) ⇒ Object



126
127
128
# File 'lib/action_controller/metal/http_authentication.rb', line 126

def auth_scheme(request)
  request.authorization.to_s.split(" ", 2).first
end

#authenticate(request, &login_procedure) ⇒ Object



108
109
110
111
112
# File 'lib/action_controller/metal/http_authentication.rb', line 108

def authenticate(request, &)
  if has_basic_credentials?(request)
    .call(*user_name_and_password(request))
  end
end

#authentication_request(controller, realm, message) ⇒ Object



138
139
140
141
142
143
# File 'lib/action_controller/metal/http_authentication.rb', line 138

def authentication_request(controller, realm, message)
  message ||= "HTTP Basic: Access denied.\n"
  controller.headers["WWW-Authenticate"] = %(Basic realm="#{realm.tr('"', "")}")
  controller.status = 401
  controller.response_body = message
end

#decode_credentials(request) ⇒ Object



122
123
124
# File 'lib/action_controller/metal/http_authentication.rb', line 122

def decode_credentials(request)
  ::Base64.decode64(auth_param(request) || "")
end

#encode_credentials(user_name, password) ⇒ Object



134
135
136
# File 'lib/action_controller/metal/http_authentication.rb', line 134

def encode_credentials(user_name, password)
  "Basic #{::Base64.strict_encode64("#{user_name}:#{password}")}"
end

#has_basic_credentials?(request) ⇒ Boolean

Returns:

  • (Boolean)


114
115
116
# File 'lib/action_controller/metal/http_authentication.rb', line 114

def has_basic_credentials?(request)
  request.authorization.present? && (auth_scheme(request).downcase == "basic")
end

#user_name_and_password(request) ⇒ Object



118
119
120
# File 'lib/action_controller/metal/http_authentication.rb', line 118

def user_name_and_password(request)
  decode_credentials(request).split(":", 2)
end