Hi all,
I have an app that originally only supported form-based authentication, and showed pared-down content to unauthenticated users. I then layered on HTTP Basic authentication using authenticate_with_http_basic, which worked fine for scripts like LWP/ wget/curl.
However, some web browsers refuse to submit credentials in the URL (eg. http://username:password@example.com) since they never get a challenge (401) response, since authentication is purely optional. This is a bigger problem than one might expect, since there's a desktop client in development that requires the ability to login with HTTP Basic URL auth.
They way I hacked around it was to create an action that looks like this:
app/controllers/sessions_controller.rb def challenge authenticate_or_request_with_http_basic APP_NAME do |login, password> @user = User.authenticate(login, password) end if @user self.current_user = @user render_ok end end
so browser clients (including the problematic desktop client) can GET http://user:pass@example.com/sessions/challenge to do explicit HTTP basic auth.
Is there a better way to do this?
Thanks, Ian