RSpec
Ruby on Rails
Ruby
- 1.0.0
- 1.1.6
- 1.2.6
- 2.0.3
- 2.1.0
- 2.2.1
- 2.3.8 (0)
- 3.0.0 (0)
- 3.0.9 (0)
- 3.1.0 (0)
- 3.2.1 (0)
- 3.2.8 (0)
- 3.2.13 (0)
- 4.0.2 (38)
- 4.1.8 (0)
- 4.2.1 (0)
- 4.2.7 (0)
- 4.2.9 (0)
- 5.0.0.1 (0)
- 5.1.7 (0)
- 5.2.3 (0)
- 6.0.0 (0)
- 6.1.3.1 (0)
- 6.1.7.7 (0)
- 7.0.0 (0)
- 7.1.3.2 (0)
- 7.1.3.4 (0)
- What's this?
-
authenticate
-
authentication_header
-
authentication_request
-
authorization
(<= v2.3.8)
-
decode_credentials
-
decode_credentials_header
-
encode_credentials
-
expected_response
-
ha1
-
nonce
-
opaque
-
secret_key
(<= v2.3.8)
-
secret_token
-
validate_digest_response
-
validate_nonce
-
ControllerMethods
= private
= protected
HTTP Digest authentication
Simple Digest example
require "openssl" class PostsController < ApplicationController REALM = "SuperSecret" USERS = {"dhh" => "secret", #plain text password "dap" => OpenSSL::Digest::MD5.hexdigest(["dap",REALM,"secret"].join(":"))} #ha1 digest password before_action :authenticate, except: [:index] def index render plain: "Everyone can see me!" end def edit render plain: "I'm only accessible if you know the password" end private def authenticate authenticate_or_request_with_http_digest(REALM) do |username| USERS[username] end end end
Notes
The authenticate_or_request_with_http_digest block must return the user’s password or the ha1 digest hash so the framework can appropriately hash to check the user’s credentials. Returning nil will cause authentication to fail.
Storing the ha1 hash: MD5(username:realm:password), is better than storing a plain password. If the password file or database is compromised, the attacker would be able to use the ha1 hash to authenticate as the user at this realm, but would not have the user’s password to try using at other sites.
In rare instances, web servers or front proxies strip authorization headers before they reach your application. You can debug this situation by logging all environment variables, and check for HTTP_AUTHORIZATION, amongst others.
