HTTP Basic authentication

Simple Basic example

class PostsController < ApplicationController
 http_basic_authenticate_with name: "dhh", password: "secret", except: :index
 def index
 render plain: "Everyone can see me!"
 end
 def edit
 render plain: "I'm only accessible if you know the password"
 end
end

Advanced Basic example

Here is a more advanced Basic example where only Atom feeds and the XML API are protected by HTTP authentication. The regular HTML interface is protected by a session approach:

class ApplicationController < ActionController::Base
 before_action :set_account, :authenticate
 private
 def set_account
 @account = Account.find_by(url_name: request.subdomains.first)
 end
 def authenticate
 case request.format
 when Mime[:xml], Mime[:atom]
 if user = authenticate_with_http_basic { |u, p| @account.users.authenticate(u, p) }
 @current_user = user
 else
 request_http_basic_authentication
 end
 else
 if session_authenticated?
 @current_user = @account.users.find(session[:authenticated][:user_id])
 else
 redirect_to(login_url) and return false
 end
 end
 end
end

In your integration tests, you can do something like this:

def test_access_granted_from_xml
 authorization = ActionController::HttpAuthentication::Basic.encode_credentials(users(:dhh).name, users(:dhh).password)
 get "/notes/1.xml", headers: { 'HTTP_AUTHORIZATION' => authorization }
 assert_equal 200, status
end

auth_param(request) Link

# File actionpack/lib/action_controller/metal/http_authentication.rb, line 130
def auth_param(request)
 request.authorization.to_s.split(" ", 2).second
end

auth_scheme(request) Link

# File actionpack/lib/action_controller/metal/http_authentication.rb, line 126
def auth_scheme(request)
 request.authorization.to_s.split(" ", 2).first
end

authenticate(request, &login_procedure) Link

# File actionpack/lib/action_controller/metal/http_authentication.rb, line 108
def authenticate(request, &login_procedure)
 if has_basic_credentials?(request)
 login_procedure.call(*user_name_and_password(request))
 end
end

authentication_request(controller, realm, message) Link

# File actionpack/lib/action_controller/metal/http_authentication.rb, line 138
def authentication_request(controller, realm, message)
 message ||= "HTTP Basic: Access denied.\n"
 controller.headers["WWW-Authenticate"] = %(Basic realm="#{realm.tr('"', "")}")
 controller.status = 401
 controller.response_body = message
end

decode_credentials(request) Link

# File actionpack/lib/action_controller/metal/http_authentication.rb, line 122
def decode_credentials(request)
 ::Base64.decode64(auth_param(request) || "")
end

encode_credentials(user_name, password) Link

# File actionpack/lib/action_controller/metal/http_authentication.rb, line 134
def encode_credentials(user_name, password)
 "Basic #{::Base64.strict_encode64("#{user_name}:#{password}")}"
end

has_basic_credentials?(request) Link

# File actionpack/lib/action_controller/metal/http_authentication.rb, line 114
def has_basic_credentials?(request)
 request.authorization.present? && (auth_scheme(request).downcase == "basic")
end

user_name_and_password(request) Link

# File actionpack/lib/action_controller/metal/http_authentication.rb, line 118
def user_name_and_password(request)
 decode_credentials(request).split(":", 2)
end