This feature is scheduled for: Rails v2.3
Long ago, in your mother’s version of rails, we got a http basic authentication plugin. That functionality has since been rolled into Rails core, but it was always lacking HTTP digest authentication. Until this commit, that is.
For those that may now know the difference, basic authentication only base 64 encodes the authenticating username and password (making it easily decoded) whereas digest authentication sends an MD5 hash of your username and password. To simplify, digest is more secure than basic.
To request digest authentication in Rails, you’ll need to be able to retrieve the cleartext password for a given user (so the framework can hash and compare it using the nonce it created specifically for that request). This commit now allows you to also use a specific hashed format of the password. Here’s how this works if you have access to a cleartext password:
1 2 3 4 5 6 7 8 9 10 11 12 13 |
class ArticlesController < ApplicationController before_filter :digest_authenticate def digest_authenticate # Given this username, return the cleartext password (or nil if not found) authenticate_or_request_with_http_digest("Articles Administration") do |username| User.find_by_username(username).try(cleartext_password) end end end |
Most of us will want to do something with the result of the authentication and can do so with the boolean return value of authenticate_or_request_with_http_digest:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
class ArticlesController < ApplicationController before_filter :digest_authenticate def digest_authenticate success = authenticate_or_request_with_http_digest("Admin") do |username| (@user = User.find_by_username(username)).try(cleartext_password) end # If authentication succeeds, log the user in. If not, kick back out a failure # message as the response body if success session[:user_id] = @user.id else request_http_digest_authentication("Admin", "Authentication failed") end end end |
If you don’t want to store clear text passwords you can return an MD5 hash from the authenticate_or_request_with_http_digest block as long as it’s in the format username:realm:password. You can get a password hash by using Digest::MD5::hexdigest.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
class User < ActiveRecord::Base attr_accessor :password validates_presence_of :username, :crypted_password before_save :hash_password ... def hash_password if password_changed? self.crypted_password = Digest::MD5::hexdigest([username, "UserRealm", password].join(":")) end end end |
and then in your controller:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
class ArticlesController < ApplicationController before_filter :digest_authenticate def digest_authenticate # Just return the crypted (hashed) version of the password if it's in the supported # format. Note that the realm here "UserRealm" should match the middle # argument of your password hash success = authenticate_or_request_with_http_digest("UserRealm") do |username| (@user = User.find_by_username(username)).try(crypted_password) end ... end end |
So there you have it, digest authentication in edge Rails.
tags: ruby, rubyonrails
