Allow HTTP authentication (for an API, etc) #34

Closed
karmi opened this issue Aug 1, 2009 · 10 comments

karmi commented Aug 1, 2009

Hi,

I needed to have HTTP authentication on a current project using Clearance, and discovered Clearance does not provide it. I implemented it as the following patch:

http://gist.github.com/159604

Does adding a feature like this make sense to you?

(Note: I've tried to implement it directly to Clearance, but have not found an obvious way where to put the tests. I could not persuade AccountsControllerTest to have access to User or Factory(:email_confirmed_user) etc and had to give up.)


booch commented Aug 22, 2009

+1 This would be a helpful feature to add to Clearance.

@joergbattermann

Yep agreed. Clearance is awesome, but no http auth is a showstopper for most of my customers' projects. +1


pius commented Oct 23, 2009

+1

Contributor

croaky commented Nov 4, 2009

Author

karmi commented Nov 7, 2009

Hello Dan,

I think the main reason here is convenience. When it's built-in, we get HTTP-Auth for non-HTML requests automatically, quite transparently, and stupidly easy.

To use Rack::Auth::Basic middleware for this in Rails, one has to do (and please correct me if I'm mistaken!!):

  • Add the middleware somewhere in the stack
  • Intercept calls to non-HTML requests, do the ::User.authenticate(login, password) authentication,
  • somehow (?) set the @_current_user variable to be available for controllers

Again, correct me if I'm wrong. I haven't tried it, I am just thinking aloud.

Of course, I completely understand the need to keep Clearance lean. I just think the lack of HTTP-Auth for non-HTML requests is something which puts unnecessary burden on the library users -- and more so, if they're beginners etc.

(Now, Sinatra is obviously another story. You expect to operate much closer to the metal.)

Karel

Contributor

croaky commented Feb 17, 2010

We're going to pass on this patch. Thanks for the effort but we don't think it belongs in Clearance. We're comfortable (and prefer the explicitness of) using Rack::Auth for our APIs:

    use Rack::Auth::Basic do |username, password|
      username == 'foo' and password == 'bar'
    end

Thanks again.

Author

karmi commented Feb 17, 2010

Hi, sure, understood! In that case I think some info or short tutorial in Clearance docs about how to concretely implement HTTP based auth in a Clearance application would be great. (The usual use-case is something like "give me JSON export with recent photos for the authenticated user", etc)

Contributor

croaky commented Feb 17, 2010

Definitely. I've tagged this issue as 'docs' and will try to get to it in the next few days.

Author

karmi commented Dec 26, 2010

I've packaged HTTP Auth for Clearance as a gem: https://github.com/karmi/clearance_http_auth (It works by setting an env variable in middleware and overloading current_user to read it.)

Contributor

croaky commented Dec 26, 2010

Very nice. Well done!

This issue was closed.
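
The approach discussed in this thread (middleware authenticates non-HTML requests over HTTP Basic, then exposes the user through the Rack env for `current_user` to read), as an added example that is not code from Clearance or from the clearance_http_auth gem. The `USERS` store, the `ENV_KEY` name and the `.json`/`.xml` rule are assumptions made for illustration.

```ruby
require 'base64'
require 'digest'

# Constructed sample store standing in for ::User.authenticate(login, password).
USERS = { 'alice@example.com' => 's3cret' }.freeze

# Compare fixed-length digests with no early exit, so response timing does not
# reveal how much of the password matched.
def secure_eq(a, b)
  x = Digest::SHA256.digest(a).bytes
  y = Digest::SHA256.digest(b).bytes
  x.zip(y).reduce(0) { |acc, (p, q)| acc | (p ^ q) }.zero?
end

def authenticate(login, password)
  expected = USERS[login]
  matched = secure_eq(password, expected.to_s) # runs for unknown logins too
  expected && matched ? login : nil
end

# Rack-compatible middleware in plain Ruby (no rack gem needed to run this file).
class ApiBasicAuth
  # Hypothetical key. It is not an HTTP_* name, so no request header can set it.
  ENV_KEY = 'example.current_user'

  def initialize(app)
    @app = app
  end

  def call(env)
    # Assumption: "non-HTML" means a .json/.xml path. Everything else passes
    # through untouched and must still be protected by the session login.
    return @app.call(env) unless env['PATH_INFO'].to_s.match?(/\.(json|xml)\z/)
    user = user_from(env['HTTP_AUTHORIZATION'])
    return [401, { 'WWW-Authenticate' => 'Basic realm="API"' }, ["Unauthorized\n"]] unless user
    env[ENV_KEY] = user
    @app.call(env)
  end

  private
  def user_from(header)
    scheme, encoded = header.to_s.split(' ', 2)
    return nil unless scheme.to_s.casecmp('basic').zero? && encoded
    login, password = Base64.strict_decode64(encoded).split(':', 2)
    authenticate(login, password) if login && password
  rescue ArgumentError # malformed Base64 in the Authorization header
    nil
  end
end

# Stand-in for a controller whose current_user reads the env value.
APP = ApiBasicAuth.new(->(env) { [200, {}, [env[ApiBasicAuth::ENV_KEY].to_s]] })
```

Basic credentials are only Base64-encoded, so an endpoint behind this middleware should be reachable over TLS only.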