Authenticate, THEN redirect

Hi all.
What I want to do:
use HTTP Basic Authentication (stop screaming!) and then redirect to a
welcome page.

What I am trying to do:
Use a before filter which will authenticate and then redirect to the
welcome page.

How I am failing (It's a little ugly, but please bear with me - I'm
trying to understand how this works):

class ApplicationController < ActionController::Base
  helper :all

  before_filter :authenticate

  protected

  def authenticate
    authenticate_or_request_with_http_basic do |username, password|
      # Exact match on both columns: with LIKE, a "%" in the supplied
      # username or password would act as a wildcard.
      user = User.first(:conditions => ['username = ? and password = ?', username, password])
      # Redirect issued from inside the block; Rails then reports both a
      # render and a redirect (see below).
      redirect_to root_path and return unless user.nil?
      user
    end
  end

end

How it is failing:
  It tells me there's a render and a redirect.

Can anyone suggest something here? Am I just... thinking about it the
wrong way?

Aldric Giacomoni wrote:

Hi all.
What I want to do:
use HTTP Basic Authentication (stop screaming!) and then redirect to a
welcome page.

Is this an exercise for learning? If it's not, then why would you even
consider solving this already solved problem?

http://github.com/binarylogic/authlogic

Robert Walker wrote:

Aldric Giacomoni wrote:

Hi all.
What I want to do:
use HTTP Basic Authentication (stop screaming!) and then redirect to a
welcome page.

Is this an exercise for learning? If it's not, then why would you even
consider solving this already solved problem?

http://github.com/binarylogic/authlogic

Yes... Yes it is. I'd love to be using authlogic. :)

Hi,

You might want to check out this railscast tutorial
(http://railscasts.com/episodes/82-http-basic-authentication).

The authenticate_or_request_with_http_basic method is expecting the
block to return true or false and will send an auth required status if
false. It should be ok to return the user object (i.e. the line after the
redirect_to ...) as this should equate to true or false. I'm not sure
what value it will return in the line 'redirect_to root_path and return
unless user.nil?'. There is also the problem that this before filter
will endlessly redirect users to root_path, unless you've told it to not
authenticate the root_path controller's index action, which may be a
security issue. You may want to set a session var on a successful
authentication and then add an early out at the beginning if the session
var is set, so the authentication and redirect_to are only done once.
Then there are other issues, like only storing passwords in hashed form
using a salt value, etc. Maybe something like the following untested
code.

def authenticate
  # Early out: once the session is set, skip Basic auth and the redirect,
  # so a request to root_path is not redirected back to root_path again.
  return unless session[:user_id].nil?
  authenticate_or_request_with_http_basic do |username, password|
    # Exact match rather than LIKE, so "%" in the input cannot act as a wildcard.
    user = User.first(:conditions => ['username = ? and password = ?', username, password])
    if user
      session[:user_id] = user.id
      redirect_to root_path
      true   # block result: authenticated, filter chain continues
    else
      false  # block result: Rails answers 401 with WWW-Authenticate: Basic
    end
  end
end

I hope this helps. I look forward to hearing how you go.

PS. There is nothing wrong with basic authentication if you've enabled
SSL.
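The following is an added example, not code from Aldric's post or Brendan's reply, and not Rails itself. It is a plain-Ruby stand-in for the before filter both posts discuss: the `Request` struct, the in-memory `USERS` table, the `create_user`/`find_user` helpers and the `[:pass]` / `[:redirect, path]` / `[:unauthorized]` return values are all constructed here to stand in for the Rails request cycle. It goes a step beyond Brendan's untested snippet by storing passwords as salted PBKDF2 hashes (the "hashed form using a salt value" he mentions), comparing them in constant time, and looking users up by exact username rather than LIKE, so a "%" in the credentials cannot act as a wildcard. The `demo` function walks one browser through the three requests the thread describes: no credentials (401), credentials (session set, one redirect), and the follow-up request to root_path, which the session early-out lets through instead of redirecting again.

```ruby
require "openssl"
require "securerandom"

# --- Password storage: salted PBKDF2-HMAC-SHA256 instead of plaintext ---
ITERATIONS = 100_000
KEY_LENGTH = 32

def hash_password(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LENGTH,
                             OpenSSL::Digest.new("SHA256"))
end

# Constant-time comparison so a mismatch does not leak where the bytes differ.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed in-memory "users table": username => [salt, password_hash]
USERS = {}

def create_user(username, password)
  salt = SecureRandom.random_bytes(16)
  USERS[username] = [salt, hash_password(password, salt)]
end

# Look up by exact username, then verify the hash. Equality rather than LIKE
# means "%" or "_" in the supplied credentials cannot match as a wildcard.
def find_user(username, password)
  salt, stored = USERS[username]
  return nil if salt.nil?
  secure_equal?(stored, hash_password(password, salt)) ? username : nil
end

# --- Minimal stand-in for the Rails request cycle (hypothetical, not Rails) ---
Request = Struct.new(:path, :headers)

# Decode "Authorization: Basic base64(user:pass)"; nil if absent or malformed.
def basic_credentials(request)
  header = request.headers["Authorization"].to_s
  return nil unless header.start_with?("Basic ")
  header.sub("Basic ", "").unpack1("m").split(":", 2)
end

# Same shape as the before filter in the thread: early out when a session
# exists, otherwise authenticate, store the session and redirect exactly once.
# Returns what the filter would do:
#   [:pass]            the action is allowed to run
#   [:redirect, path]  a redirect was issued
#   [:unauthorized]    401 with WWW-Authenticate: Basic
def authenticate(request, session)
  return [:pass] unless session[:user_id].nil?
  creds = basic_credentials(request)
  user = creds && find_user(creds[0], creds[1])
  if user
    session[:user_id] = user
    [:redirect, "/"]
  else
    [:unauthorized]
  end
end

# One browser, three requests, as described in the thread.
def demo
  create_user("alice", "correct horse")
  session = {}
  auth = "Basic " + ["alice:correct horse"].pack("m0")
  first  = authenticate(Request.new("/secret", {}), session)
  second = authenticate(Request.new("/secret", { "Authorization" => auth }), session)
  third  = authenticate(Request.new("/", { "Authorization" => auth }), session)
  [first, second, third]
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Without the `session[:user_id]` early out the third call would return `[:redirect, "/"]` again, which is the loop Brendan warns about; with it, the redirect happens once per session.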

Brendan Brewster wrote:

Hi,

def authenticate
  # Early out: once the session is set, skip Basic auth and the redirect,
  # so a request to root_path is not redirected back to root_path again.
  return unless session[:user_id].nil?
  authenticate_or_request_with_http_basic do |username, password|
    # Exact match rather than LIKE, so "%" in the input cannot act as a wildcard.
    user = User.first(:conditions => ['username = ? and password = ?', username, password])
    if user
      session[:user_id] = user.id
      redirect_to root_path
      true   # block result: authenticated, filter chain continues
    else
      false  # block result: Rails answers 401 with WWW-Authenticate: Basic
    end
  end
end

Hi Brendan, I had indeed seen that railscasts episode. It helped, but
didn't say anything about the redirection.
As far as your suggested code, it was exactly what the doctor ordered!
Thanks for your help. I understand this a little better now.