Module: ActionController::HttpAuthentication::Basic

Extended by:

Basic

Included in:

Basic

Defined in:

lib/action_controller/metal/http_authentication.rb

Overview

Makes it dead easy to do HTTP Basic authentication.

Simple Basic example

class PostsController < ApplicationController
http_basic_authenticate_with name: "dhh", password: "secret", except: :index

def index
  render text: "Everyone can see me!"
end

def edit
  render text: "I'm only accessible if you know the password"
end

end

Advanced Basic example

Here is a more advanced Basic example where only Atom feeds and the XML API is protected by HTTP authentication, the regular HTML interface is protected by a session approach:

class ApplicationController < ActionController::Base
before_action :set_account, :authenticate

protected
  def set_account
    @account = Account.find_by(url_name: request.subdomains.first)
  end

  def authenticate
    case request.format
    when Mime::XML, Mime::ATOM
      if user = authenticate_with_http_basic { |u, p| @account.users.authenticate(u, p) }
        @current_user = user
      else
        request_http_basic_authentication
      end
    else
      if session_authenticated?
        @current_user = @account.users.find(session[:authenticated][:user_id])
      else
        redirect_to(login_url) and return false
      end
    end
  end
end

In your integration tests, you can do something like this:

def test_access_granted_from_xml
get(
  "/notes/1.xml", nil,
  'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials(users(:dhh).name, users(:dhh).password)
)

assert_equal 200, status
end

Defined Under Namespace

Modules: ControllerMethods

Instance Method Summary

• #authenticate(request, &login_procedure) ⇒ Object
• #authentication_request(controller, realm) ⇒ Object
• #decode_credentials(request) ⇒ Object
• #encode_credentials(user_name, password) ⇒ Object
• #user_name_and_password(request) ⇒ Object

Instance Method Details

#authenticate(request, &login_procedure) ⇒ Object

# File 'lib/action_controller/metal/http_authentication.rb', line 92

def authenticate(request, &login_procedure)
  unless request.authorization.blank?
    login_procedure.call(*user_name_and_password(request))
  end
end

#authentication_request(controller, realm) ⇒ Object

# File 'lib/action_controller/metal/http_authentication.rb', line 110

def authentication_request(controller, realm)
  controller.headers["WWW-Authenticate"] = %(Basic realm="#{realm.gsub(/"/, "")}")
  controller.status = 401
  controller.response_body = "HTTP Basic: Access denied.\n"
end

#decode_credentials(request) ⇒ Object

# File 'lib/action_controller/metal/http_authentication.rb', line 102

def decode_credentials(request)
  ::Base64.decode64(request.authorization.split(' ', 2).last || '')
end

#encode_credentials(user_name, password) ⇒ Object

# File 'lib/action_controller/metal/http_authentication.rb', line 106

def encode_credentials(user_name, password)
  "Basic #{::Base64.strict_encode64("#{user_name}:#{password}")}"
end

#user_name_and_password(request) ⇒ Object

# File 'lib/action_controller/metal/http_authentication.rb', line 98

def user_name_and_password(request)
  decode_credentials(request).split(':', 2)
end