From eb3f1f2770da6184fc406649e3d05637cccee420 Mon Sep 17 00:00:00 2001 From: binarylogic Date: Tue, 21 Apr 2009 17:26:12 -0400 Subject: [PATCH] * HTTP basic auth can now be toggled on or off. It also checks for the existence of a standard username and password before enabling itself. --- CHANGELOG.rdoc | 1 + Manifest.txt | 1 + README.rdoc | 1 + lib/authlogic/session/http_auth.rb | 57 +++++++++++++++++++++++------ test/session_test/http_auth_test.rb | 28 ++++++++++---- 5 files changed, 69 insertions(+), 19 deletions(-) diff --git a/CHANGELOG.rdoc b/CHANGELOG.rdoc index a45b1a18..6834f62f 100644 --- a/CHANGELOG.rdoc +++ b/CHANGELOG.rdoc @@ -1,6 +1,7 @@ == 2.0.11 * Fix bug when password is turned off and the SingleAccessToken module calls the after_password_set callback. +* HTTP basic auth can now be toggled on or off. It also checks for the existence of a standard username and password before enabling itself. == 2.0.10 release 2009-4-21 diff --git a/Manifest.txt b/Manifest.txt index 66ded71a..d602b819 100644 --- a/Manifest.txt +++ b/Manifest.txt @@ -86,6 +86,7 @@ test/libs/affiliate.rb test/libs/company.rb test/libs/employee.rb test/libs/employee_session.rb +test/libs/ldaper.rb test/libs/ordered_hash.rb test/libs/project.rb test/libs/user.rb diff --git a/README.rdoc b/README.rdoc index 8127b65c..f0a262c0 100644 --- a/README.rdoc +++ b/README.rdoc @@ -27,6 +27,7 @@ You can also log out / destroy the session: == Helpful links * Documentation: http://authlogic.rubyforge.org +* Repository: http://github.com/binarylogic/authlogic/tree/master * Live example with OpenID "add on": http://authlogicexample.binarylogic.com * Live example source with tutorial: http://github.com/binarylogic/authlogic_example/tree/master * Tutorial: Reset passwords with Authlogic the RESTful way: http://www.binarylogic.com/2008/11/16/tutorial-reset-passwords-with-authlogic diff --git a/lib/authlogic/session/http_auth.rb b/lib/authlogic/session/http_auth.rb index 90a29330..69503068 100644 
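Review bot: Manifest.txt now lists `test/libs/ldaper.rb`, but the diffstat at the top of this patch shows no such file being added, so the manifest references a file the patch does not carry. If the gem build validates the manifest against the working tree, packaging will fail until that file is committed or the line is dropped; either include the file in this patch or leave the manifest line for the commit that adds it.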
--- a/lib/authlogic/session/http_auth.rb +++ b/lib/authlogic/session/http_auth.rb 
@@ -1,23 +1,58 @@ module Authlogic module Session - # Handles all authentication that deals with basic HTTP auth. + # Handles all authentication that deals with basic HTTP auth. Which is authentication built into the HTTP protocol: + # + # http://username:password@whatever.com + # + # Also, if you are not comfortable letting users pass their raw username and password you can always use the single + # access token. See Authlogic::Session::Params for more info. module HttpAuth def self.included(klass) - klass.persist :persist_by_http_auth + klass.class_eval do + extend Config + include InstanceMethods + persist :persist_by_http_auth, :if => :persist_by_http_auth? + end end - private - def persist_by_http_auth - controller.authenticate_with_http_basic do |login, password| - if !login.blank? && !password.blank? - send("#{login_field}=", login) - send("#{password_field}=", password) - return valid? + # Configuration for the HTTP basic auth feature of Authlogic. + module Config + # Do you want to allow your users to log in via HTTP basic auth? + # + # I recommend keeping this enabled. The only time I feel this should be disabled is if you are not comfortable + # having your users provide their raw username and password. Whatever the reason, you can disable it here. + # + # * Default: true + # * Accepts: Boolean + def allow_http_basic_auth(value = nil) + config(:allow_http_basic_auth, value, true) + end + alias_method :allow_http_basic_auth=, :allow_http_basic_auth + end + + # Instance methods for the HTTP basic auth feature of authlogic. + module InstanceMethods + private + def persist_by_http_auth? + allow_http_basic_auth? && login_field && password_field + end + + def persist_by_http_auth + controller.authenticate_with_http_basic do |login, password| + if !login.blank? && !password.blank? + send("#{login_field}=", login) + send("#{password_field}=", password) + return valid? + end end + + false end - false - end + def allow_http_basic_auth? 
+ self.class.allow_http_basic_auth == true + end + end end end end \ No newline at end of file diff --git a/test/session_test/http_auth_test.rb b/test/session_test/http_auth_test.rb index 2a880697..73ee4c82 100644 --- a/test/session_test/http_auth_test.rb +++ b/test/session_test/http_auth_test.rb @@ -2,14 +2,26 @@ module SessionTest class HttpAuthTest < ActiveSupport::TestCase - def test_persist_persist_by_http_auth - ben = users(:ben) - http_basic_auth_for { assert !UserSession.find } - http_basic_auth_for(ben) do - assert session = UserSession.find - assert_equal ben, session.record - assert_equal ben.login, session.login - assert_equal "benrocks", session.send(:protected_password) + class ConfiTest < ActiveSupport::TestCase + def test_allow_http_basic_auth + UserSession.allow_http_basic_auth = false + assert_equal false, UserSession.allow_http_basic_auth + + UserSession.allow_http_basic_auth true + assert_equal true, UserSession.allow_http_basic_auth + end + end + + class InstanceMethodsTest < ActiveSupport::TestCase + def test_persist_persist_by_http_auth + ben = users(:ben) + http_basic_auth_for { assert !UserSession.find } + http_basic_auth_for(ben) do + assert session = UserSession.find + assert_equal ben, session.record + assert_equal ben.login, session.login + assert_equal "benrocks", session.send(:protected_password) + end end end end
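Review bot: The module comment added at the top of `HttpAuth` illustrates the feature with `http://username:password@whatever.com` but never says that the raw login and password travel with every request this way (and equally in the Basic `Authorization` header), where they can end up in server logs, proxy logs and browser history. The `allow_http_basic_auth` docs in `Config` are where a deployer looks for that trade-off, so I would add after the `* Accepts: Boolean` line: `# * Note: HTTP basic auth sends the raw login and password with every request, so only leave this enabled on sites served over HTTPS.` Separately, `persist_by_http_auth?` returns the value of `password_field` (a field name) rather than true/false; the `:if => :persist_by_http_auth?` option presumably only tests truthiness so this works, but a `?` method reads better as `allow_http_basic_auth? && !login_field.nil? && !password_field.nil?`.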
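Review bot: The new `persist_by_http_auth?` guard has no test: nothing in `InstanceMethodsTest` checks that `UserSession.find` stays nil under basic auth once `allow_http_basic_auth` is false, which is the behaviour this patch introduces. I would extend `test_persist_persist_by_http_auth` after the existing block with `UserSession.allow_http_basic_auth = false`, `http_basic_auth_for(ben) { assert !UserSession.find }`, `UserSession.allow_http_basic_auth = true`, restoring the default so the class-level setting does not leak into other tests. `ConfiTest` also looks like a typo for `ConfigTest`, matching the `Config` module it exercises. `http_basic_auth_for` is defined outside this file, so I am assuming it sets the same Authorization header in both cases.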