Oh, hey, that's neat. Was just googling for this. Should make REST-authentication super easy, and then using the usernames and passwords in the database to authenticate.
<pre>
authenticate_or_request_with_httpt_basic do |username, password|
User.authenticate(username, password)
end
</pre>
Wohoo!
Hi. Sorry my stupid question, but how can I do logout using http_basic? :-)
Bye
@August, right! Since the authentication is handled in a block there's a lot of flexibility. Moving it to the user model (if you have one) is a good idea.
@nelson, that's a good question. The authentication is kept in the browser (client side), so there's really no way to log out the user on the server side AFAIK. The user will have to close the browser to end the session. I think there are hacks around this issue, but I haven't looked into them.
I have a really stupid question. What is that Growl type notification that pops up whenever you are executing keyboard shortcuts in Textmate? That could be handy for me if I could figure out what it is and how to get it.
@Joel: Yeah, that was a stupid question =P It's listed on the "about" page, and is called KeyCastr.
@nelson: As Ryan says, http based authentication doesn't support logout. But as we're rails developers, we should be used to using systems that's opinionated and that makes choices for us - which is exactly what http does. This kind of authentication is rarely used to authenticate users through browsers, but it's ideal for authenticating in API's and so on, as most API reading systems supports the HTTP standards.
@August, @Ryan: then using Model inside the 'authenticate_or_request_with_http_basic' as used on the example, I have support to logout? The authenticate don't will stay registered on client-side?
(srry my english guys)
[]s :)
@nelson jr: As opposed to the "normal" way of authenticating, where you set session[:user] to something (which is what e.g. the restful_authentication does), this particular method authenticates you if the stuff inside the block returns true. So, doing this would authenticate you:
authenticate_or_request_with_http_basic { true }
This is what a User.authenticate action could look like:
def self.authenticate(username, password)
user = self.find_by_username(username)
user && user.valid_password?(password)
end
This method returns true if a user was found and the password was valid. Otherwise, it returns false (if the password wasn't valid) or nil (if no user was found with the specified username).
@August Lilleaas
You are absolutely right. To elaborate a bit more for nelson jr, with HTTP Basic Authentication and REST you won't need to use a server-side session at all. The server authenticates you and services your request. You then cease to exist to the server, as you are not actually "logged in".
This makes running a service/site across a cluster or servers simple because your session state (logged in, not logged in etc) isn't of any concern. A subsequent request could go to any server in a cluster and it wouldn't be a problem because you provide your authentication details again.
I would imagine you could still create a session for the user, right?
Also, how would this work for HTTP Digest Authentication? Could you do this with OpenID instead of a Username/Password combination?
Hello,
I just want to say "thank you". I'm new to rails and I like it. Your screencasts are great. I don't understand each of them fully, but from day to day I understand more.
Bye,
Patrick
@Ryan, I don't see what benefit storing it in a session would give because the browser will usually store the login credentials on its own. If you store it in a session it will be in two different places which could get messy.
As for HTTP Digest Authentication, I don't think Rails 2.0 offers an easy way to do this. But I haven't looked into it.
Also, I don't see any way to incorporate OpenID authentication into this.
I'm currently using restful_authentication. So, in the move to Rails 2.0, should I stick with that and "enhance" it with this? Based on August's comments, that is what is implied. Where might the code August posted be put? Sorry, my newby-ness is apparent.
Do you know if its possible to use http to request information from the user other than login credentials?
Keep up the great work guys! As I continue my education with rails (and ruby) into the 2.0 transition, your railscasts are a breath of fresh air in the often dark tunnel I call rails newbieness of which I suffer greatly.
@ryan
How would one do the call to such an authenticated controller from activeresource. How does one pass the request authentification at the reqest time. does that go into the model or is that a step done during the find?
I mean like so:
*model*
class Event < ActiveResource::Base
self.site ="http://localhost:3000/"
end
*irb*
s=Event.find 989
I haven't seen it asked yet and I've done some google-ing and haven't come up with a result either...
I want a authenticated? / logged_in? method. Because in my views I want the edit | delete links visible for the authenticated user but obviously not the general public...
Does anyone have any ideas? Thanks in advance.
I set up the auth model you described and it worked great. I switched my site to using it in development no problem. Then I went live, which is mongrel w/apache cgi. I can't seem to get the username and password through to rails. Has anyone found a good way to do this. I've gone through a lot of tutorials and guessing with no luck.
http_basic only works when running through curl with http://user@pass:localhost:3000/etc, not when running in Safari or Camino--I never get a window to enter the credentials, it just passes through, and then obviously creates the dreaded "nil" error when the @user can't be authenticated and found.
@Coop, no idea how to but I'm wondering the same thing.
@Eilert Islaksen, I don't think that it's possible otherwise someone would have said something...
@Oskar Lissheim-Boethius, I use Safari and always get the HTTP box to input my details
@Coop, Eilert Islaksen: I too was wondering how to combine authenticate_or_request_with_http_basic with the show/hide edit/delete links explained in Railscast 20.
The way I achieved this was to set an is_authenticated instance variable:
# products_controller.rb
def authenticate
@is_authenticated = authenticate_or_request_with_http_basic do |username, password|
username == "foo" && password == "bar"
end
end
Then you can show/hide in the view by:
# index.haml
- if @is_authenticated
= link_to …
You could add a helper method:
# application.rb
helper_method :admin?
def admin?
@is_authenticated
end
and go:
# index.haml
- if admin?
= link_to …
Do you know if its possible to use http to request information from the user other than login credentials?
If you're having troubles with getting HTTP Basic Authentication working with Apache fcgi try adding this to your htaccess file.
RewriteRule ^(.*)$ dispatch.fcgi [E=X-HTTP_AUTHORIZATION:%{HTTP:Authorization},QSA,L]
@nelson et al.
A way (hack) to logout of HTTP-Basic-auth is to let the user follow a link to a special 'logout' resource which will always return "401 Unauthorized", after which the browser will reset the user's credentials and therefore stop sending them as such.
@Benjamin Quorning:
HI,your "admin?" helper method does't work,why?thanks
In finding out how to password the exception_logger interface, I came across this neat stuff:
http://errtheblog.com/posts/67-evil-twin-plugin
Here's my code:
http://gist.github.com/9771
and that's that.
Hope it helps someone.
Yeah, sorry, my code example didn’t work. I ended up using the session object to get it working: http://pastie.org/280240
How would I add this to my demo and test environments?
I want basic authentication based on environemt
Thanks Ryan,I think this is one of the most wonderful sites. I have great admiration for you.
Thank you Ryan, your screencast is good. Please look at our URL, I believe you will not disappoint.
I just want to say "thank you". I'm new to rails and I like it. Your screencasts are great. I don't understand each of them fully, but from day to day I understand more.
I just want to say thank you! It is so wonderful! I have admiration for you!
on iTunes
