Makes it dead easy to do HTTP Digest authentication.
Simple Digest example
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 | require 'digest/md5'class PostsController < ApplicationController REALM = "SuperSecret" USERS = {"dhh" => "secret", #plain text password "dap" => Digest::MD5.hexdigest(["dap",REALM,"secret"].join(":"))} #ha1 digest password before_action :authenticate, except: [:index] def index render plain: "Everyone can see me!" end def edit render plain: "I'm only accessible if you know the password" end private def authenticate authenticate_or_request_with_http_digest(REALM) do |username| USERS[username] end endend |
Notes
The authenticate_or_request_with_http_digest block must return
the user's password or the ha1 digest hash so the framework can
appropriately hash to check the user's credentials. Returning
nil will cause authentication to fail.
Storing the ha1 hash: MD5(username:realm:password), is better than storing
a plain password. If the password file or database is compromised, the
attacker would be able to use the ha1 hash to authenticate as the user at
this realm, but would not have the user's password to try
using at other sites.
In rare instances, web servers or front proxies strip authorization headers before they reach your application. You can debug this situation by logging all environment variables, and check for HTTP_AUTHORIZATION, amongst others.