Type:
Module

Makes it dead easy to do HTTP Digest authentication.

Simple Digest example

require 'digest/md5'
class PostsController < ApplicationController
  REALM = "SuperSecret"
  USERS = {"dhh" => "secret", #plain text password
           "dap" => Digest::MD5.hexdigest(["dap",REALM,"secret"].join(":"))}  #ha1 digest password

  before_action :authenticate, except: [:index]

  def index
    render plain: "Everyone can see me!"
  end

  def edit
    render plain: "I'm only accessible if you know the password"
  end

  private
    def authenticate
      authenticate_or_request_with_http_digest(REALM) do |username|
        USERS[username]
      end
    end
end

Notes

The authenticate_or_request_with_http_digest block must return the user's password or the ha1 digest hash so the framework can appropriately hash to check the user's credentials. Returning nil will cause authentication to fail.

Storing the ha1 hash: MD5(username:realm:password), is better than storing a plain password. If the password file or database is compromised, the attacker would be able to use the ha1 hash to authenticate as the user at this realm, but would not have the user's password to try using at other sites.

In rare instances, web servers or front proxies strip authorization headers before they reach your application. You can debug this situation by logging all environment variables, and check for HTTP_AUTHORIZATION, amongst others.

secret_token

secret_token(request) Instance Public methods

2015-06-20 00:00:00
validate_nonce

validate_nonce(secret_key, request, value, seconds_to_timeout=5*60) Instance Public methods

2015-06-20 00:00:00
decode_credentials

decode_credentials(header) Instance Public methods

2015-06-20 00:00:00
validate_digest_response

validate_digest_response(request, realm, &password_procedure) Instance Public methods

2015-06-20 00:00:00
expected_response

expected_response(http_method, uri, credentials, password, password_is_ha1=true) Instance Public methods

2015-06-20 00:00:00
nonce

nonce(secret_key, time = Time.now) Instance Public methods Uses an MD5 digest

2015-06-20 00:00:00
authentication_header

authentication_header(controller, realm) Instance Public methods

2015-06-20 00:00:00
authenticate

authenticate(request, realm, &password_procedure) Instance Public methods Returns

2015-06-20 00:00:00
ha1

ha1(credentials, password) Instance Public methods

2015-06-20 00:00:00
authentication_request

authentication_request(controller, realm, message = nil) Instance Public methods

2015-06-20 00:00:00