module Sorcery::Controller::Submodules::HttpBasicAuth::InstanceMethods

Protected Instance Methods

login_from_basic_auth() click to toggle source

given to main controller module as a login source callback

# File lib/sorcery/controller/submodules/http_basic_auth.rb, line 46
def login_from_basic_auth
  authenticate_with_http_basic do |username, password|
    @current_user = (user_class.authenticate(username, password) if session[:http_authentication_used]) || false
    auto_login(@current_user) if @current_user
    @current_user
  end
end
realm_name_by_controller() click to toggle source

Sets the realm name by searching the controller name in the hash given at configuration time.

# File lib/sorcery/controller/submodules/http_basic_auth.rb, line 55
def realm_name_by_controller
  if defined?(ActionController::Base)
    current_controller = self.class
    while current_controller != ActionController::Base
      result = Config.controller_to_realm_map[current_controller.controller_name]
      return result if result

      current_controller = current_controller.superclass
    end
    nil
  else
    Config.controller_to_realm_map['application']
  end
end
require_login_from_http_basic() click to toggle source

to be used as a before_action. The method sets a session when requesting the user's credentials. This is a trick to overcome the way HTTP authentication works (explained below):

Once the user fills the credentials once, the browser will always send it to the server when visiting the website, until the browser is closed. This causes wierd behaviour if the user logs out. The session is reset, yet the user is re-logged in by the before_action calling 'login_from_basic_auth'. To overcome this, we set a session when requesting the password, which logout will reset, and that's how we know if we need to request for HTTP auth again.

# File lib/sorcery/controller/submodules/http_basic_auth.rb, line 39
def require_login_from_http_basic
  (request_http_basic_authentication(realm_name_by_controller) && (session[:http_authentication_used] = true) && return) if request.authorization.nil? || session[:http_authentication_used].nil?
  require_login
  session[:http_authentication_used] = nil unless logged_in?
end