* HTTP basic auth can now be toggled on or off. It also checks for th…

…e existence of a standard username and password before enabling itself.
Shadowfiend · Apr 21, 2009 · eb3f1f2 · eb3f1f2
1 parent 43360a3
commit eb3f1f2
Show file tree

Hide file tree

Showing 5 changed files with 69 additions and 19 deletions.
diff --git a/CHANGELOG.rdoc b/CHANGELOG.rdoc
@@ -1,6 +1,7 @@
 == 2.0.11
 
 * Fix bug when password is turned off and the SingleAccessToken module calls the after_password_set callback.
+* HTTP basic auth can now be toggled on or off. It also checks for the existence of a standard username and password before enabling itself.
 
 == 2.0.10 release 2009-4-21
 

diff --git a/Manifest.txt b/Manifest.txt
@@ -86,6 +86,7 @@ test/libs/affiliate.rb
 test/libs/company.rb
 test/libs/employee.rb
 test/libs/employee_session.rb
+test/libs/ldaper.rb
 test/libs/ordered_hash.rb
 test/libs/project.rb
 test/libs/user.rb

diff --git a/README.rdoc b/README.rdoc
@@ -27,6 +27,7 @@ You can also log out / destroy the session:
 == Helpful links
 
 *	<b>Documentation:</b> http://authlogic.rubyforge.org
+*	<b>Repository:</b> http://github.com/binarylogic/authlogic/tree/master
 *	<b>Live example with OpenID "add on":</b> http://authlogicexample.binarylogic.com
 *	<b>Live example source with tutorial:</b> http://github.com/binarylogic/authlogic_example/tree/master
 *	<b>Tutorial: Reset passwords with Authlogic the RESTful way:</b> http://www.binarylogic.com/2008/11/16/tutorial-reset-passwords-with-authlogic

diff --git a/lib/authlogic/session/http_auth.rb b/lib/authlogic/session/http_auth.rb
@@ -1,23 +1,58 @@
 module Authlogic
   module Session
-    # Handles all authentication that deals with basic HTTP auth.
+    # Handles all authentication that deals with basic HTTP auth. Which is authentication built into the HTTP protocol:
+    #
+    #   http://username:password@whatever.com
+    #
+    # Also, if you are not comfortable letting users pass their raw username and password you can always use the single
+    # access token. See Authlogic::Session::Params for more info.
     module HttpAuth
       def self.included(klass)
-        klass.persist :persist_by_http_auth
+        klass.class_eval do
+          extend Config
+          include InstanceMethods
+          persist :persist_by_http_auth, :if => :persist_by_http_auth?
+        end
       end
 
-      private
-        def persist_by_http_auth
-          controller.authenticate_with_http_basic do |login, password|
-            if !login.blank? && !password.blank?
-              send("#{login_field}=", login)
-              send("#{password_field}=", password)
-              return valid?
+      # Configuration for the HTTP basic auth feature of Authlogic.
+      module Config
+        # Do you want to allow your users to log in via HTTP basic auth?
+        #
+        # I recommend keeping this enabled. The only time I feel this should be disabled is if you are not comfortable
+        # having your users provide their raw username and password. Whatever the reason, you can disable it here.
+        #
+        # * <tt>Default:</tt> true
+        # * <tt>Accepts:</tt> Boolean
+        def allow_http_basic_auth(value = nil)
+          config(:allow_http_basic_auth, value, true)
+        end
+        alias_method :allow_http_basic_auth=, :allow_http_basic_auth
+      end
+
+      # Instance methods for the HTTP basic auth feature of authlogic.
+      module InstanceMethods
+        private
+          def persist_by_http_auth?
+            allow_http_basic_auth? && login_field && password_field
+          end
+
+          def persist_by_http_auth
+            controller.authenticate_with_http_basic do |login, password|
+              if !login.blank? && !password.blank?
+                send("#{login_field}=", login)
+                send("#{password_field}=", password)
+                return valid?
+              end
             end
+
+            false
           end
 
-          false
-        end
+          def allow_http_basic_auth?
+            self.class.allow_http_basic_auth == true
+          end
+      end
     end
   end
 end
diff --git a/test/session_test/http_auth_test.rb b/test/session_test/http_auth_test.rb
@@ -2,14 +2,26 @@
 
 module SessionTest
   class HttpAuthTest < ActiveSupport::TestCase
-    def test_persist_persist_by_http_auth
-      ben = users(:ben)
-      http_basic_auth_for { assert !UserSession.find }
-      http_basic_auth_for(ben) do
-        assert session = UserSession.find
-        assert_equal ben, session.record
-        assert_equal ben.login, session.login
-        assert_equal "benrocks", session.send(:protected_password)
+    class ConfiTest < ActiveSupport::TestCase
+      def test_allow_http_basic_auth
+        UserSession.allow_http_basic_auth = false
+        assert_equal false, UserSession.allow_http_basic_auth
+
+        UserSession.allow_http_basic_auth true
+        assert_equal true, UserSession.allow_http_basic_auth
+      end
+    end
+
+    class InstanceMethodsTest < ActiveSupport::TestCase
+      def test_persist_persist_by_http_auth
+        ben = users(:ben)
+        http_basic_auth_for { assert !UserSession.find }
+        http_basic_auth_for(ben) do
+          assert session = UserSession.find
+          assert_equal ben, session.record
+          assert_equal ben.login, session.login
+          assert_equal "benrocks", session.send(:protected_password)
+        end
       end
     end
   end