Class Index [+]

Quicksearch

ActionController::HttpAuthentication::Token

Makes it dead easy to do HTTP Token authentication.

Simple Token example:

  class PostsController < ApplicationController
    TOKEN = "secret"

    before_filter :authenticate, :except => [ :index ]

    def index
      render :text => "Everyone can see me!"
    end

    def edit
      render :text => "I'm only accessible if you know the password"
    end

    private
      def authenticate
        authenticate_or_request_with_http_token do |token, options|
          token == TOKEN
        end
      end
  end

Here is a more advanced Token example where only Atom feeds and the XML API is protected by HTTP token authentication, the regular HTML interface is protected by a session approach:

  class ApplicationController < ActionController::Base
    before_filter :set_account, :authenticate

    protected
      def set_account
        @account = Account.find_by_url_name(request.subdomains.first)
      end

      def authenticate
        case request.format
        when Mime::XML, Mime::ATOM
          if user = authenticate_with_http_token { |t, o| @account.users.authenticate(t, o) }
            @current_user = user
          else
            request_http_token_authentication
          end
        else
          if session_authenticated?
            @current_user = @account.users.find(session[:authenticated][:user_id])
          else
            redirect_to(login_url) and return false
          end
        end
      end
  end

In your integration tests, you can do something like this:

  def test_access_granted_from_xml
    get(
      "/notes/1.xml", nil,
      :authorization => ActionController::HttpAuthentication::Token.encode_credentials(users(:dhh).token)
    )

    assert_equal 200, status
  end

On shared hosts, Apache sometimes doesn’t pass authentication headers to FCGI instances. If your environment matches this description and you cannot authenticate, try this rule in your Apache setup:

  RewriteRule ^(.*)$ dispatch.fcgi [E=X-HTTP_AUTHORIZATION:%{HTTP:Authorization},QSA,L]

Public Instance Methods

authenticate(controller, &login_procedure) click to toggle source

If token Authorization header is present, call the login procedure with the present token and options.

controller - ActionController::Base instance for the current request. login_procedure - Proc to call if a token is present. The Proc should

                  take 2 arguments:
                    authenticate(controller) { |token, options| ... }

Returns the return value of `&login_procedure` if a token is found. Returns nil if no token is found.

     # File lib/action_controller/metal/http_authentication.rb, line 403
403:       def authenticate(controller, &login_procedure)
404:         token, options = token_and_options(controller.request)
405:         if !token.blank?
406:           login_procedure.call(token, options)
407:         end
408:       end
authentication_request(controller, realm) click to toggle source

Sets a WWW-Authenticate to let the client know a token is desired.

controller - ActionController::Base instance for the outgoing response. realm - String realm to use in the header.

Returns nothing.

     # File lib/action_controller/metal/http_authentication.rb, line 453
453:       def authentication_request(controller, realm)
454:         controller.headers["WWW-Authenticate"] = %(Token realm="#{realm.gsub(/"/, "")}")
455:         controller.__send__ :render, :text => "HTTP Token: Access denied.\n", :status => :unauthorized
456:       end
encode_credentials(token, options = {}) click to toggle source

Encodes the given token and options into an Authorization header value.

token - String token. options - optional Hash of the options.

Returns String.

     # File lib/action_controller/metal/http_authentication.rb, line 439
439:       def encode_credentials(token, options = {})
440:         values = ["token=#{token.to_s.inspect}"]
441:         options.each do |key, value|
442:           values << "#{key}=#{value.to_s.inspect}"
443:         end
444:         "Token #{values * ", "}"
445:       end
token_and_options(request) click to toggle source

Parses the token and options out of the token authorization header. If the header looks like this:

  Authorization: Token token="abc", nonce="def"

Then the returned token is “abc”, and the options is {:nonce => “def”}

request - ActionController::Request instance with the current headers.

Returns an Array of [String, Hash] if a token is present. Returns nil if no token is found.

     # File lib/action_controller/metal/http_authentication.rb, line 419
419:       def token_and_options(request)
420:         if header = request.authorization.to_s[/^Token (.*)/]
421:           values = $1.split(',').
422:             inject({}) do |memo, value|
423:               value.strip!                      # remove any spaces between commas and values
424:               key, value = value.split(/\=\"?/) # split key=value pairs
425:               value.chomp!('"')                 # chomp trailing " in value
426:               value.gsub!(/\\\"/, '"')          # unescape remaining quotes
427:               memo.update(key => value)
428:             end
429:           [values.delete("token"), values.with_indifferent_access]
430:         end
431:       end

Disabled; run with --debug to generate this.

[Validate]

Generated with the Darkfish Rdoc Generator 1.1.6.