Skip to content
An easy authentication plugin for your rails apps
Ruby
Latest commit 9aa72d2 Nov 27, 2009 Hartog C. de Mik flaw in the README, fixed
Failed to load latest commit information.
lib
tasks
test begin Nov 27, 2009
MIT-LICENSE
README.rdoc
Rakefile
init.rb
install.rb
uninstall.rb

README.rdoc

EasyAuth

A very simple authentication mechanism for Rails.

Note that authentication != authorisation. This plugin will only give you authentication based on username and password. It works well with easy_roles which will give you authorisation.

Most off what you want is done for you;

  • passwords are hashed in the database (using SHA512)

  • You can set and retrieve the current_user without editing you application_controller

  • You can find the user by her username and password easily

Prerequisites

The model that needs authentication MUST have a :username and :password attribute which should both be strings

The rails application MUST have an EASY_AUTH_SALT constant which can be easily configured in 'config/environment.rb' and filled using 'rake secret'

Example

Make sure you have salty passwords

Just the hash is not enough. We should add a big secret to it.

In config/environment.rb

...
EASY_AUTH_SALT = "some lengthy secret here (dont change it)"
...

Make the model authentic

The most likely scenario is naming your model 'User', but that's just an example here.

In app/models/user.rb

class User < ActiveRecord::Base
  acts_as_authentic
end

And now for some control

User might just want to be able to login, so let's go:

Prepare

First you must make sure the controller can authenticate the desired model, and will return the valid things when calling 'current_user'

In app/controller/application_controller.rb

class ApplicationController < ActionController::Base
  helper :all
  protect_from_forgery

  # Scrub sensitive parameters from your log
  filter_parameter_logging :password, :new_password, :password_confirm

  # the User model is what we want authenticated
  acts_as_authenticator_for User
end

Login

In app/controller/user_controller.rb

...
def login
  if params[:submit]
    if u = User.authenticate(params[:username], params[:password])
      self.current_user = u
      ...
    end
    ...
  end
  ...
end
...

And perhaps you want the check if there is a current_user

In some other controller

def update
  return unless current_user
  ...
end

Signup

In your user_controller.rb

def signup
  ...
  u = User.new(params[:user])
  u.save
  ...
end

In app/views/user/signup.erb

...
<% form_for User.new :url => { :action => "signup" } do |f| %>
  <%= f.text_field :username %>
  <%= f.password_field :password %>
  <%= f.password_field :password_confirm %>
<% end %>
...

Get your own hashes password?

hash = User.hashed_password("the password")

Passwords, new passwords and password confirmation

Your model will be loaded with 2 extra accessors

  • :new_password

  • :password_confirm

The password will not be hashed when :password OR :new_password does not match :password_confirm. Further more the save will not occur and an extra error will be set on your models errors stack.

When you allow the user to update her password you must use :new_password, as it is being used in the before_update callback that is automagicly introduced in your model

Acknowledgements

Many thanks to:

- Gert van der Spoel from 3Edge Technologies for testdriving.
  http://github.com/thunder-
Something went wrong with that request. Please try again.