module ActionController::HttpAuthentication::Basic
Makes it dead easy to do HTTP Basic authentication.
Simple Basic example
class PostsController < ApplicationController http_basic_authenticate_with name: "dhh", password: "secret", except: :index def index render plain: "Everyone can see me!" end def edit render plain: "I'm only accessible if you know the password" end end
Advanced Basic example
Here is a more advanced Basic example where only Atom feeds and the XML API is protected by HTTP authentication, the regular HTML interface is protected by a session approach:
class ApplicationController < ActionController::Base before_action :set_account, :authenticate protected def set_account @account = Account.find_by(url_name: request.subdomains.first) end def authenticate case request.format when Mime::XML, Mime::ATOM if user = authenticate_with_http_basic { |u, p| @account.users.authenticate(u, p) } @current_user = user else request_http_basic_authentication end else if session_authenticated? @current_user = @account.users.find(session[:authenticated][:user_id]) else redirect_to(login_url) and return false end end end end
In your integration tests, you can do something like this:
def test_access_granted_from_xml @request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials(users(:dhh).name, users(:dhh).password) get "/notes/1.xml" assert_equal 200, status end
Public Instance Methods
# File actionpack/lib/action_controller/metal/http_authentication.rb, line 117 def auth_param(request) request.authorization.split(' ', 2).second end
# File actionpack/lib/action_controller/metal/http_authentication.rb, line 113 def auth_scheme(request) request.authorization.split(' ', 2).first end
# File actionpack/lib/action_controller/metal/http_authentication.rb, line 95 def authenticate(request, &login_procedure) if has_basic_credentials?(request) login_procedure.call(*user_name_and_password(request)) end end
# File actionpack/lib/action_controller/metal/http_authentication.rb, line 125 def authentication_request(controller, realm) controller.headers["WWW-Authenticate"] = %Q(Basic realm="#{realm.gsub(/"/, "")}") controller.status = 401 controller.response_body = "HTTP Basic: Access denied.\n" end
# File actionpack/lib/action_controller/metal/http_authentication.rb, line 109 def decode_credentials(request) ::Base64.decode64(auth_param(request) || '') end
# File actionpack/lib/action_controller/metal/http_authentication.rb, line 121 def encode_credentials(user_name, password) "Basic #{::Base64.strict_encode64("#{user_name}:#{password}")}" end
# File actionpack/lib/action_controller/metal/http_authentication.rb, line 101 def has_basic_credentials?(request) request.authorization.present? && (auth_scheme(request) == 'Basic') end
# File actionpack/lib/action_controller/metal/http_authentication.rb, line 105 def user_name_and_password(request) decode_credentials(request).split(':', 2) end
© 2004–2018 David Heinemeier Hansson
Licensed under the MIT License.