
[Rails 3.1.0.rc5] Inconsistent behaviour with http_basic_authenticate_with? #2500

Closed
smaboshe opened this Issue Aug 12, 2011 · 7 comments


Hello!

Hope you are having an awesome day.

I am using http_basic_authenticate_with and really like how simple it is to work with for small, private projects.
It locks down controller actions great:

http://0.0.0.0:3000/posts

will ask me to provide credentials.

But I am still able to access assets without needing authentication.

http://0.0.0.0:3000/assets/rails.png

Serves the asset without asking for a username or password.

Is this how http_basic_authenticate_with is meant to work?

Thanks,

Silumesii

Contributor

dmathieu commented Aug 12, 2011

Yes, it is. http_basic_authenticate_with runs only on Ruby code.
Assets (in production) don't run any Ruby code (and that's intentional, because it's much, much faster).
Therefore, static files get served directly by the server, so no Ruby code can ask for authentication on them.

If your static files need authentication, I'd recommend sending them over to Amazon S3 and configuring the ACL so you need a token to view them.
That way, you can display them in your pages with this token (generated for the request; they're valid only for a specific amount of time), and no one else can display them.

Contributor

charliesome commented Aug 12, 2011

@dmathieu Why recommend S3 for such a simple task? Surely it'd be much easier and much cheaper just to roll similar functionality into the app as it is.

Thanks!

I'll look at Amazon S3 (or an alternative) for authentication of static files.

Silumesii

@smaboshe smaboshe closed this Aug 12, 2011

Contributor

dmathieu commented Aug 12, 2011

@charliesome: it's not possible, unless you do that authentication in the server configuration...

Contributor

charliesome commented Aug 12, 2011

@dmathieu: It's not possible to write a controller that serves a file only if a user is authenticated? Of course not, better fork over money to S3 to do the job because it's not at all possible in rails.

Contributor

dmathieu commented Aug 12, 2011

This is possible to do. But try making benchmarks... You'll see it's so slow that you don't want to do it.
After that, it's just a question of the number of users. But I personally won't ever recommend rendering static files in the controller.

Contributor

charliesome commented Aug 12, 2011

@dmathieu Surely there wouldn't be as much overhead in creating a simple controller that uses Rails' sendfile functionality as there would be in making an API call to S3 to generate a token?
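The approach the thread ends on, as an added example that is not code from the issue or from Rails itself: a plain-Ruby, Rack-style app that keeps files outside the public directory (so the web server never serves them statically) and hands them out only after HTTP Basic authentication. In Rails the same shape is `http_basic_authenticate_with` plus `send_file` in a controller; the credentials, the `/files/` route and the temporary private directory below are constructed for the example.

```ruby
# Added example (not from the thread or Rails): a Rack-style app that serves
# files from a PRIVATE directory only after HTTP Basic auth. Files here are
# never reached by the static file server, which is the gap the thread describes
# for anything under public/assets.
require "base64"
require "tmpdir"

# Constructed sample: a private directory containing one file.
PRIVATE_DIR = Dir.mktmpdir("private_files")
File.write(File.join(PRIVATE_DIR, "report.pdf"), "%PDF-1.4 sample")

# Hypothetical credentials; in Rails these would be the name:/password:
# options of http_basic_authenticate_with.
USER = "admin"
PASS = "secret"

# Constant-time comparison so response time does not leak how many leading
# characters of the submitted credential matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def authorized?(env)
  scheme, encoded = env["HTTP_AUTHORIZATION"].to_s.split(" ", 2)
  return false unless scheme == "Basic" && encoded
  user, pass = Base64.decode64(encoded).split(":", 2)
  secure_equal?(user.to_s, USER) && secure_equal?(pass.to_s, PASS)
end

# Rack-style entry point: env hash in, [status, headers, body] out.
def call(env)
  path = env["PATH_INFO"].to_s
  return [404, {}, ["not found"]] unless path.start_with?("/files/")
  unless authorized?(env)
    return [401, { "WWW-Authenticate" => 'Basic realm="Files"' }, ["unauthorized"]]
  end
  # Only the basename is used, so "../" in the request cannot escape PRIVATE_DIR.
  name = File.basename(path.delete_prefix("/files/"))
  file = File.join(PRIVATE_DIR, name)
  return [404, {}, ["not found"]] unless File.file?(file)
  # send_file equivalent: return the file body with a download disposition.
  [200, { "Content-Disposition" => "attachment; filename=\"#{name}\"" }, [File.binread(file)]]
end
```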
