HTTP Basic authentication
Simple Basic example
class PostsController < ApplicationController
http_basic_authenticate_with name: "dhh", password: "secret", except: :index
def index
render plain: "Everyone can see me!"
end
def edit
render plain: "I'm only accessible if you know the password"
end
end
Advanced Basic example
Here is a more advanced Basic example where only Atom feeds and the XML API are protected by HTTP authentication. The regular HTML interface is protected by a session approach:
class ApplicationController < ActionController::Base
before_action :set_account, :authenticate
private
def set_account
@account = Account.find_by(url_name: request.subdomains.first)
end
def authenticate
case request.format
when Mime[:xml], Mime[:atom]
if user = authenticate_with_http_basic { |u, p| @account.users.authenticate(u, p) }
@current_user = user
else
request_http_basic_authentication
end
else
if session_authenticated?
@current_user = @account.users.find(session[:authenticated][:user_id])
else
redirect_to(login_url) and return false
end
end
end
end
In your integration tests, you can do something like this:
def test_access_granted_from_xml
authorization = ActionController::HttpAuthentication::Basic.encode_credentials(users(:dhh).name, users(:dhh).password)
get "/notes/1.xml", headers: { 'HTTP_AUTHORIZATION' => authorization }
assert_equal 200, status
end
Namespace
Module
Methods
- auth_param
- auth_scheme
- authenticate
- authentication_request
- decode_credentials
- encode_credentials
- has_basic_credentials?
- user_name_and_password
Instance Public methods
auth_param(request)
📝 Source code
# File actionpack/lib/action_controller/metal/http_authentication.rb, line 127
def auth_param(request)
request.authorization.to_s.split(" ", 2).second
endauth_scheme(request)
📝 Source code
# File actionpack/lib/action_controller/metal/http_authentication.rb, line 123
def auth_scheme(request)
request.authorization.to_s.split(" ", 2).first
endauthenticate(request, &login_procedure)
📝 Source code
# File actionpack/lib/action_controller/metal/http_authentication.rb, line 105
def authenticate(request, &login_procedure)
if has_basic_credentials?(request)
login_procedure.call(*user_name_and_password(request))
end
endauthentication_request(controller, realm, message)
📝 Source code
# File actionpack/lib/action_controller/metal/http_authentication.rb, line 135
def authentication_request(controller, realm, message)
message ||= "HTTP Basic: Access denied.\n"
controller.headers["WWW-Authenticate"] = %(Basic realm="#{realm.tr('"', "")}")
controller.status = 401
controller.response_body = message
enddecode_credentials(request)
📝 Source code
# File actionpack/lib/action_controller/metal/http_authentication.rb, line 119
def decode_credentials(request)
::Base64.decode64(auth_param(request) || "")
endencode_credentials(user_name, password)
📝 Source code
# File actionpack/lib/action_controller/metal/http_authentication.rb, line 131
def encode_credentials(user_name, password)
"Basic #{::Base64.strict_encode64("#{user_name}:#{password}")}"
endhas_basic_credentials?(request)
📝 Source code
# File actionpack/lib/action_controller/metal/http_authentication.rb, line 111
def has_basic_credentials?(request)
request.authorization.present? && (auth_scheme(request).downcase == "basic")
enduser_name_and_password(request)
📝 Source code
# File actionpack/lib/action_controller/metal/http_authentication.rb, line 115
def user_name_and_password(request)
decode_credentials(request).split(":", 2)
end