Oh, hey, that's neat. Was just googling for this. Should make REST-authentication super easy, and then using the usernames and passwords in the database to authenticate.
<pre>
authenticate_or_request_with_httpt_basic do |username, password|
User.authenticate(username, password)
end
</pre>
Wohoo!
Hi. Sorry my stupid question, but how can I do logout using http_basic? :-)
Bye
@August, right! Since the authentication is handled in a block there's a lot of flexibility. Moving it to the user model (if you have one) is a good idea.
@nelson, that's a good question. The authentication is kept in the browser (client side), so there's really no way to log out the user on the server side AFAIK. The user will have to close the browser to end the session. I think there are hacks around this issue, but I haven't looked into them.
I have a really stupid question. What is that Growl type notification that pops up whenever you are executing keyboard shortcuts in Textmate? That could be handy for me if I could figure out what it is and how to get it.
@Joel: Yeah, that was a stupid question =P It's listed on the "about" page, and is called KeyCastr.
@nelson: As Ryan says, http based authentication doesn't support logout. But as we're rails developers, we should be used to using systems that's opinionated and that makes choices for us - which is exactly what http does. This kind of authentication is rarely used to authenticate users through browsers, but it's ideal for authenticating in API's and so on, as most API reading systems supports the HTTP standards.
@August, @Ryan: then using Model inside the 'authenticate_or_request_with_http_basic' as used on the example, I have support to logout? The authenticate don't will stay registered on client-side?
(srry my english guys)
[]s :)
@nelson jr: As opposed to the "normal" way of authenticating, where you set session[:user] to something (which is what e.g. the restful_authentication does), this particular method authenticates you if the stuff inside the block returns true. So, doing this would authenticate you:
authenticate_or_request_with_http_basic { true }
This is what a User.authenticate action could look like:
def self.authenticate(username, password)
user = self.find_by_username(username)
user && user.valid_password?(password)
end
This method returns true if a user was found and the password was valid. Otherwise, it returns false (if the password wasn't valid) or nil (if no user was found with the specified username).
@August Lilleaas
You are absolutely right. To elaborate a bit more for nelson jr, with HTTP Basic Authentication and REST you won't need to use a server-side session at all. The server authenticates you and services your request. You then cease to exist to the server, as you are not actually "logged in".
This makes running a service/site across a cluster or servers simple because your session state (logged in, not logged in etc) isn't of any concern. A subsequent request could go to any server in a cluster and it wouldn't be a problem because you provide your authentication details again.
I would imagine you could still create a session for the user, right?
Also, how would this work for HTTP Digest Authentication? Could you do this with OpenID instead of a Username/Password combination?
Hello,
I just want to say "thank you". I'm new to rails and I like it. Your screencasts are great. I don't understand each of them fully, but from day to day I understand more.
Bye,
Patrick
@Ryan, I don't see what benefit storing it in a session would give because the browser will usually store the login credentials on its own. If you store it in a session it will be in two different places which could get messy.
As for HTTP Digest Authentication, I don't think Rails 2.0 offers an easy way to do this. But I haven't looked into it.
Also, I don't see any way to incorporate OpenID authentication into this.
I'm currently using restful_authentication. So, in the move to Rails 2.0, should I stick with that and "enhance" it with this? Based on August's comments, that is what is implied. Where might the code August posted be put? Sorry, my newby-ness is apparent.
Do you know if its possible to use http to request information from the user other than login credentials?
Keep up the great work guys! As I continue my education with rails (and ruby) into the 2.0 transition, your railscasts are a breath of fresh air in the often dark tunnel I call rails newbieness of which I suffer greatly.
@ryan
How would one do the call to such an authenticated controller from activeresource. How does one pass the request authentification at the reqest time. does that go into the model or is that a step done during the find?
I mean like so:
*model*
class Event < ActiveResource::Base
self.site ="http://localhost:3000/"
end
*irb*
s=Event.find 989
I haven't seen it asked yet and I've done some google-ing and haven't come up with a result either...
I want a authenticated? / logged_in? method. Because in my views I want the edit | delete links visible for the authenticated user but obviously not the general public...
Does anyone have any ideas? Thanks in advance.
I set up the auth model you described and it worked great. I switched my site to using it in development no problem. Then I went live, which is mongrel w/apache cgi. I can't seem to get the username and password through to rails. Has anyone found a good way to do this. I've gone through a lot of tutorials and guessing with no luck.
http_basic only works when running through curl with http://user@pass:localhost:3000/etc, not when running in Safari or Camino--I never get a window to enter the credentials, it just passes through, and then obviously creates the dreaded "nil" error when the @user can't be authenticated and found.
@Coop, no idea how to but I'm wondering the same thing.
@Eilert Islaksen, I don't think that it's possible otherwise someone would have said something...
@Oskar Lissheim-Boethius, I use Safari and always get the HTTP box to input my details
@Coop, Eilert Islaksen: I too was wondering how to combine authenticate_or_request_with_http_basic with the show/hide edit/delete links explained in Railscast 20.
The way I achieved this was to set an is_authenticated instance variable:
# products_controller.rb
def authenticate
@is_authenticated = authenticate_or_request_with_http_basic do |username, password|
username == "foo" && password == "bar"
end
end
Then you can show/hide in the view by:
# index.haml
- if @is_authenticated
= link_to …
You could add a helper method:
# application.rb
helper_method :admin?
def admin?
@is_authenticated
end
and go:
# index.haml
- if admin?
= link_to …
If you're having troubles with getting HTTP Basic Authentication working with Apache fcgi try adding this to your htaccess file.
RewriteRule ^(.*)$ dispatch.fcgi [E=X-HTTP_AUTHORIZATION:%{HTTP:Authorization},QSA,L]
@nelson et al.
A way (hack) to logout of HTTP-Basic-auth is to let the user follow a link to a special 'logout' resource which will always return "401 Unauthorized", after which the browser will reset the user's credentials and therefore stop sending them as such.
In finding out how to password the exception_logger interface, I came across this neat stuff:
http://errtheblog.com/posts/67-evil-twin-plugin
Here's my code:
http://gist.github.com/9771
and that's that.
Hope it helps someone.
Yeah, sorry, my code example didn’t work. I ended up using the session object to get it working: http://pastie.org/280240
How would I add this to my demo and test environments?
I want basic authentication based on environemt
Great screencast, really great!!! The comments also are very useful.
Thanks guys.
when I use this method on localhost, everything works fine.. but, when I host it online, the application root directory is in domain.com/local ..
in this, the authentication window comes, but it doesn't authenticate me actually.. I type the login, password, still, the window appears again and again, and if I cancel, I get:
HTTP Basic: Access denied.
The rewrite rule pointed out by Joshua even didn't work!
I tried a lot to write a Rewrite rule, but it didn't turn out for me.. probably the hosting provider has disabled fast cgi scripts..
Instead, I installed this plugin which has even got login/logout features.. :)
http://ariejan.net/2007/08/24/super-simple-authentication-plugin-and-generator/
Thanks again for this great work.
It appears the link to the http_authentication.rb source shown above is no longer valid since the code moved to github.
I assume you might want something like: http://github.com/rails/rails/tree/v2.0.0/actionpack/lib/action_controller/http_authentication.rb
There are a couple of comments here asking about digest encoding of username:password so I just wanted to say that the Rails HTTP authentication library also handles a form of digest encoding - though i am not sure if it conforms to HTTP spec.
To use it, encode 'username:password' in Base64 and put it in the 'authorization' header of the request (which is where basic auth is anyway)
In curl, the line looks like this:
http://gist.github.com/50638
This is really really handy for JavaScript (and iPhone) apps accessing a resource server - especially if you do not have an SSL connection setup and do not want to send login info over the internets in the clear.
It's a pitty that this function do not protect the public-folder. Do you know a possibility, sans .htaccess?
Nice Tut! I think I may use this concept for my site. (currently implementing a new RoR tutorial system).
Had some random not working at some point with it, but I just changed the username and password and for some strange reason that fixed it.
Thanks Again,
Joe
Hola a todos estoy iniciando con el mundo ruby on rails y necesito hacer una aplicacion web con autentificacion y con base de datos prostgres alguien me podria guiar por favor es urgente gracias mi correo cyber_daemon_one@hotmail.com
this is cool, this is what we want dude......
I have received several similar emails like this one.
Hi,
I am trying to run a curl url from my terminal and I am getting permission denied error.
curl -H "Accept: application/xml" http://localhost:3000/readings?current_user=1
I tried this as well:
curl -H "Accept: application/xml" http://localhost:3000/readings?user_id=1
in my readings controller I have before_filter method set.
Kindly suggest me how would I fix that.
Thanks
Puneet
Hello Ryan, first time posting - big fan...
This is killing me! I think the answer to this will help solve a lot of your commenters woes.
Im trying to do a remote authentication via json from within a JS based accelerator iphone app seen here http://pastie.org/789924 but i keep coming up with the famous ActionController::InvalidAuthenticityToken. I've been searching all night and I find myself more confused than when I started. How does one go about construct this JSON call in order to circumvent the protect_from_forgery method!
Thanks in advance and keep doing the awesome job youre doin...
Mark McGwire made his first public appearance in St. Louis to a crowd roaring approval.
Former Met (unfortunately) Jose Offerman punched an umpire in a winter league game in the Dominican Republic.
Nationals' GM Mike Rizzo is starting to leave his mark on the Washington roster.
I just want to say "thank you". I'm new to rails and I like it. Your screencasts are great. I don't understand each of them fully, but from day to day I understand more.
this is cool, this is what we want dude......
I have received several similar emails like this one.
Report as Spam
Totally,German totally based on standard software design of computer and network equipment, installation simple maintenance and update really thoroughly. No hardware terminals,Italian hardware card, hardware, without any special control network wiring.http://www.rosettastonelanguage.biz/
Great screencast, really great!!! The comments also are very useful.
Thanks guys.
otherwise someone would have said something...
@Oskar Lissheim-Boethius, I use Safari and always get the HTTP box to input my details
when I use this method on localhost, everything works fine.. but, when I host it online, the application root directory is in domain.com/local
Thanks again for this great work.
It appears the link to the http_authentication.rb source shown above is no longer valid since the code moved to github.
this is cool, this is what we want dude......
I have received several similar emails like this one.
on logout call this in java script function
document.execCommand("ClearAuthenticationCache");
to clear the cache of the browser
been looking for this life forever but didnt cant up with the keywords for search.
Cheers
I can't get this to work, it always gives 401 unauthorized and never asks for a username/password. If I use curl and give it a username and password though it works, can anybody help me out?
Thanks
Really trustworthy blog. Please keep updating with great posts like this one. I have booked marked your site and am about to email it to a few friends of mine that I know would enjoy reading..
Thank you,I think it's very useful.
займите первые места поисковых систем и ваш бизнес будет процветать
I am the first time on this site and am really enthusiastic about and so many good articles. I think it’s just very good.
Always yours
that's great to see this,you can design your hairstyle by yourself.
thanks for it.
<a href="http://www.airmaxgoshopping.com/nike-free-run-c-44.html"><strong>Nike Free Run+Running</strong></a>
<a href="http://www.airmaxgoshopping.com/"><strong>Nike Lunar Glide</strong></a><p>
I recently came across your blog and have been reading along.
I thought I would leave my first comment. I don’t know what to say except that I have enjoyed reading.Nice blog,I will keep visiting this blog very often.
we provide our buyers with an efficient and manageable procurement process covering every phase of the international supply chain and
streamlining trade channels. Also welcome wholesaling, feedback now!
I am the first time on this site and am really enthusiastic about and so many good articles. I think it’s just very good.
Always yours
A blind man who leans against a wall imagines that it's the boundary of the world.
<a href=http://www.kicksbar.com>jordan retro shoes</a>
Lorem ipsum dolor sit amet, consectetuer adipiscing elit, sed diem nonummy nibh euismod tincidunt ut lacreet dolore magna aliguam erat volutpat. Ut wisis enim ad minim veniam, quis nostrud exerci tution ullamcorper suscipit lobortis nisl ut aliquip ex ea commodo consequat. i love
<a href=http://www.kicksbar.com>jordan retro shoes</a> very much. Duis te feugifacilisi. Duis autem dolor in hendrerit in vulputate velit esse molestie consequat, vel illum dolore eu feugiat nulla facilisis at vero eros et accumsan et iusto odio dignissim qui blandit praesent luptatum zzril delenit au gue duis dolore te feugat nulla facilisi.
This post contains very important information as well as knowledge. Keep us updating and thanks for sharing it with me.
Hey, I read a lot of blogs on a daily basis and for the most part
people lack substance but
I just wanted to make a quick comment to say GREAT blog!…..
I’ll be checking in on a regularly now….
Keep up the good work!
Thanks for very good information. Excellent article that will provide the incentive and basis for my works.I wonder if I can mention the article as a bibliographic reference in my work. Thanks!
Thanks for posting! I really enjoyed the report. I’ve already bookmark this article.
I was reading something else about this on another blog. Interesting. Your position on it is diametrically contradicted to what I read earlier. I am still contemplating over the opposite points of view, but I’m tipped heavily toward yours. And no matter, that’s what is so great about modernized democracy and the marketplace of thoughts on-line.
Nice blog. The content of your blog is exactly wonderful, and your blog template is Simple generous. So good
Thanks for sharing your article. I really enjoyed it. I put a link to my site to here so other people can read it. My readers have about the same interets
What is that Growl type notification that pops up whenever you are executing keyboard shortcuts in Textmate?
Good post, I can’t say that I agree with everything that was said, but very good information overall:)
on iTunes
