module ActionController::HttpAuthentication::Basic

Makes it dead easy to do HTTP Basic authentication.

Simple Basic example

 class PostsController < ApplicationController
   http_basic_authenticate_with name: "dhh", password: "secret", except: :index

   def index
     render plain: "Everyone can see me!"
   end

   def edit
     render plain: "I'm only accessible if you know the password"
   end
end

Advanced Basic example

Here is a more advanced Basic example where only Atom feeds and the XML API is protected by HTTP authentication, the regular HTML interface is protected by a session approach:

class ApplicationController < ActionController::Base
  before_action :set_account, :authenticate

  protected
    def set_account
      @account = Account.find_by(url_name: request.subdomains.first)
    end

    def authenticate
      case request.format
      when Mime::XML, Mime::ATOM
        if user = authenticate_with_http_basic { |u, p| @account.users.authenticate(u, p) }
          @current_user = user
        else
          request_http_basic_authentication
        end
      else
        if session_authenticated?
          @current_user = @account.users.find(session[:authenticated][:user_id])
        else
          redirect_to(login_url) and return false
        end
      end
    end
end

In your integration tests, you can do something like this:

def test_access_granted_from_xml
  @request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials(users(:dhh).name, users(:dhh).password)
  get "/notes/1.xml"

  assert_equal 200, status
end

Public Instance Methods

auth_param(request) Show source
# File actionpack/lib/action_controller/metal/http_authentication.rb, line 117
def auth_param(request)
  request.authorization.split(' ', 2).second
end
auth_scheme(request) Show source
# File actionpack/lib/action_controller/metal/http_authentication.rb, line 113
def auth_scheme(request)
  request.authorization.split(' ', 2).first
end
authenticate(request, &login_procedure) Show source
# File actionpack/lib/action_controller/metal/http_authentication.rb, line 95
def authenticate(request, &login_procedure)
  if has_basic_credentials?(request)
    login_procedure.call(*user_name_and_password(request))
  end
end
authentication_request(controller, realm) Show source
# File actionpack/lib/action_controller/metal/http_authentication.rb, line 125
def authentication_request(controller, realm)
  controller.headers["WWW-Authenticate"] = %Q(Basic realm="#{realm.gsub(/"/, "")}")
  controller.status = 401
  controller.response_body = "HTTP Basic: Access denied.\n"
end
decode_credentials(request) Show source
# File actionpack/lib/action_controller/metal/http_authentication.rb, line 109
def decode_credentials(request)
  ::Base64.decode64(auth_param(request) || '')
end
encode_credentials(user_name, password) Show source
# File actionpack/lib/action_controller/metal/http_authentication.rb, line 121
def encode_credentials(user_name, password)
  "Basic #{::Base64.strict_encode64("#{user_name}:#{password}")}"
end
has_basic_credentials?(request) Show source
# File actionpack/lib/action_controller/metal/http_authentication.rb, line 101
def has_basic_credentials?(request)
  request.authorization.present? && (auth_scheme(request) == 'Basic')
end
user_name_and_password(request) Show source
# File actionpack/lib/action_controller/metal/http_authentication.rb, line 105
def user_name_and_password(request)
  decode_credentials(request).split(':', 2)
end

© 2004–2018 David Heinemeier Hansson
Licensed under the MIT License.