Authenticate, THEN redirect

Hi all. What I want to do: use HTTP Basic Authentication (stop screaming!) and then redirect to a welcome page.

What I am trying to do: Use a before filter which will authenticate and then redirect to the welcome page.

How I am failing (It's a little ugly, but please bear with me - I'm trying to understand how this works):

class ApplicationController < ActionController::Base
  helper :all

  before_filter :authenticate

  protected

  def authenticate
    authenticate_or_request_with_http_basic do |username, password|
      # '=' rather than LIKE: LIKE treats '%' and '_' in the submitted values as wildcards
      user = User.first(:conditions => ['username = ? and password = ?', username, password])
      # This is the version that fails with the render-and-redirect error reported below
      redirect_to root_path and return unless user.nil?
      user
    end
  end

end

How it is failing: It tells me there's a render and a redirect.

Can anyone suggest something here? Am I just... thinking about it the wrong way?

Aldric Giacomoni wrote:

Hi all. What I want to do: use HTTP Basic Authentication (stop screaming!) and then redirect to a welcome page.

Is this an exercise for learning? If it's not then why would you even consider solving this already solved problem.

Robert Walker wrote:

Aldric Giacomoni wrote:

Hi all. What I want to do: use HTTP Basic Authentication (stop screaming!) and then redirect to a welcome page.

Is this an exercise for learning? If it's not then why would you even consider solving this already solved problem.

GitHub - binarylogic/authlogic: A simple ruby authentication solution.

Yes... Yes it is. I'd love to be using authlogic. :)

Hi,

You might want to check out this railscast tutorial (#82 HTTP Basic Authentication - RailsCasts).

The authenticate_or_request_with_http_basic method is expecting the block to return true or false and will send an auth required status if false. It should be OK to return the user object (i.e. the line after the redirect_to ...) as this should equate to true or false. I'm not sure what value it will return in the line 'redirect_to root_path and return unless user.nil?'. There is also the problem that this before filter will endlessly redirect users to root_path, unless you've told it to not authenticate the root_path controller's index action, which may be a security issue. You may want to set a session var on a successful authentication and then add an early out at the beginning if the session var is set, so the authentication and redirect_to is only done once. Then there are other issues like only storing passwords in hashed form using a salt value etc. Maybe something like the following untested code.

def authenticate
  return unless session[:user_id].nil?   # already logged in: skip auth and the redirect
  authenticate_or_request_with_http_basic do |username, password|
    # '=' rather than LIKE, so '%' and '_' in the submitted values are not treated as wildcards
    user = User.first(:conditions => ['username = ? and password = ?', username, password])
    if user
      session[:user_id] = user.id
      redirect_to root_path   # redirecting in a before filter halts the filter chain
      true
    else
      false
    end
  end
end

I hope this helps. I look forward to hearing how you go.

PS. There is nothing wrong with basic authentication if you've enabled SSL.
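To make the pattern in this reply concrete, here is an added, self-contained Ruby example (not code from the thread, and not Rails itself): it decodes the Basic Authorization header, checks the password against a salted digest with a constant-time compare, and models the one piece of Rails behaviour the thread turns on, namely that a before filter which redirects halts the chain so the action is never rendered. The USERS store, the WelcomeController class and the login_flow helper are constructed for the example; the session hash stands in for the cookie store shared across a browser's requests.

```ruby
require 'base64'
require 'digest'

# Constructed user store (assumption: stands in for the User model). Passwords
# are kept as salted SHA-256 digests, so the lookup compares digests, not passwords.
USERS = {
  'aldric' => { salt: 'c0ffee', digest: Digest::SHA256.hexdigest('c0ffee' + 'secret') }
}.freeze

# Constant-time comparison so the digest check does not leak how many
# leading bytes matched through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Decode an HTTP Basic Authorization header into [username, password].
# Returns nil for a missing, non-Basic or malformed header. Only the first ':'
# separates the fields, because the password itself may contain ':'.
def basic_credentials(header)
  return nil unless header.is_a?(String) && header.start_with?('Basic ')
  decoded = begin
    Base64.strict_decode64(header[6..-1])
  rescue ArgumentError
    return nil
  end
  parts = decoded.split(':', 2)
  parts.length == 2 ? parts : nil
end

# Verify the salted digest; returns the username on success, nil otherwise
# (assumption: replaces the User.first(...) query of the thread).
def lookup_user(username, password)
  record = USERS[username]
  return nil unless record
  candidate = Digest::SHA256.hexdigest(record[:salt] + password)
  secure_equal?(candidate, record[:digest]) ? username : nil
end

# Minimal stand-in for a controller with one before filter. The only Rails
# behaviour modelled: a filter that redirects or renders halts the chain.
class WelcomeController
  ROOT_PATH = '/'
  attr_reader :session, :response

  def initialize(session, authorization_header)
    @session = session                # shared across requests, like a cookie store
    @authorization = authorization_header
    @response = nil
  end

  def process(action)
    authenticate
    return @response if performed?    # filter already redirected or sent 401
    send(action)
    @response
  end

  def performed?
    !@response.nil?
  end

  def index
    @response = [200, "Welcome #{session[:user_id]}"]
  end

  private

  # Brendan's pattern: early out once logged in, otherwise check Basic auth,
  # remember the user in the session and redirect exactly once.
  def authenticate
    return unless session[:user_id].nil?
    credentials = basic_credentials(@authorization)
    user = credentials && lookup_user(*credentials)
    if user
      session[:user_id] = user
      redirect_to ROOT_PATH
    else
      request_http_basic_authentication
    end
  end

  def redirect_to(path)
    @response = [302, path]
  end

  def request_http_basic_authentication
    @response = [401, 'WWW-Authenticate: Basic realm="Application"']
  end
end

# Walk one browser through the flow: the first request with credentials is
# redirected, the follow-up request on the same session renders the page.
def login_flow(username, password)
  session = {}
  header = 'Basic ' + Base64.strict_encode64("#{username}:#{password}")
  first = WelcomeController.new(session, header).process(:index)
  second = WelcomeController.new(session, nil).process(:index)
  [first, second]
end

p login_flow('aldric', 'secret')   # [[302, "/"], [200, "Welcome aldric"]]
p login_flow('aldric', 'wrong')    # both requests answered with 401
```

Without the early out at the top of authenticate, the second request would again pass through the Basic check and redirect to ROOT_PATH, which is the endless loop the reply warns about; with it, the redirect happens once per session and the welcome action renders on the next request.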

Brendan Brewster wrote:

Hi,

def authenticate
  return unless session[:user_id].nil?   # already logged in: skip auth and the redirect
  authenticate_or_request_with_http_basic do |username, password|
    # '=' rather than LIKE, so '%' and '_' in the submitted values are not treated as wildcards
    user = User.first(:conditions => ['username = ? and password = ?', username, password])
    if user
      session[:user_id] = user.id
      redirect_to root_path   # redirecting in a before filter halts the filter chain
      true
    else
      false
    end
  end
end

Hi Brendan, I had indeed seen that railscasts episode. It helped, but didn't say anything about the redirection. As far as your suggested code, it was exactly what the doctor ordered! Thanks for your help. I understand this a little better now.