module Sorcery::Controller::Submodules::HttpBasicAuth::InstanceMethods
Protected Instance Methods
login_from_basic_auth()
Given to the main controller module as a login source callback. The user is only authenticated against the submitted credentials when the session marker set by require_login_from_http_basic is present; otherwise the cached browser credentials are ignored.

  # File lib/sorcery/controller/submodules/http_basic_auth.rb, line 46
  def login_from_basic_auth
    authenticate_with_http_basic do |username, password|
      # Only honour the credentials if we asked for them in this session.
      @current_user = (user_class.authenticate(username, password) if session[:http_authentication_used]) || false
      auto_login(@current_user) if @current_user
      @current_user
    end
  end
realm_name_by_controller()
Sets the realm name by looking up the controller name in the hash given at configuration time (Config.controller_to_realm_map), walking up the controller's superclass chain until a match is found.

  # File lib/sorcery/controller/submodules/http_basic_auth.rb, line 55
  def realm_name_by_controller
    if defined?(ActionController::Base)
      current_controller = self.class
      # Walk from the concrete controller up to ActionController::Base,
      # returning the first realm configured for a class in the chain.
      while current_controller != ActionController::Base
        result = Config.controller_to_realm_map[current_controller.controller_name]
        return result if result
        current_controller = current_controller.superclass
      end
      nil
    else
      Config.controller_to_realm_map['application']
    end
  end
require_login_from_http_basic()
To be used as a before_action. The method sets a session value when requesting the user's credentials. This is a trick to overcome the way HTTP authentication works (explained below):
Once the user has filled in the credentials, the browser will send them to the server on every visit to the website until the browser is closed. This causes weird behaviour if the user logs out: the session is reset, yet the user is re-logged in by the before_action calling 'login_from_basic_auth'. To overcome this, we set a session value when requesting the password, which logout will reset, and that's how we know whether we need to request HTTP auth again.

  # File lib/sorcery/controller/submodules/http_basic_auth.rb, line 39
  def require_login_from_http_basic
    # No Authorization header, or no marker in the session (fresh session or
    # just logged out): challenge the browser and remember that we asked.
    (request_http_basic_authentication(realm_name_by_controller) && (session[:http_authentication_used] = true) && return) if request.authorization.nil? || session[:http_authentication_used].nil?
    require_login
    # Failed credentials clear the marker so the next request is challenged again.
    session[:http_authentication_used] = nil unless logged_in?
  end
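The logout behaviour described above is easiest to see by stepping through requests. The following is an added, Rails-free simulation of that control flow; it is not Sorcery's own code. The Controller, FakeUserClass, USERS, basic_header and demo_flow names are constructed for the demo, the session is a plain Hash that persists across calls, and a 401 status stands in for both request_http_basic_authentication and not_authenticated.

```ruby
# Added example (not Sorcery's code): simulates the HTTP Basic login flow so
# the session-marker trick can be exercised without a server or browser.

# Constructed user store for the demo: username => password.
USERS = { 'alice' => 'correct horse' }.freeze

class FakeUserClass
  # Mirrors the user_class.authenticate(username, password) contract:
  # returns the user on success, nil otherwise.
  def self.authenticate(username, password)
    USERS[username] == password ? username : nil
  end
end

# Builds the Authorization header value a browser would send.
def basic_header(username, password)
  'Basic ' + ["#{username}:#{password}"].pack('m0')
end

class Controller
  attr_reader :session, :status, :current_user

  def initialize(session = {})
    @session = session # persists across requests, like a Rails session
  end

  # Handles one request. `authorization` is the raw Authorization header
  # value (nil when the browser has no cached credentials for this realm).
  def handle(authorization)
    @authorization = authorization
    @status = nil
    @current_user = nil
    require_login_from_http_basic
    @status ||= 200
    self
  end

  # Sorcery's logout resets the session, which also drops the marker flag.
  def logout
    @session.clear
    @current_user = nil
  end

  private

  # Same control flow as Sorcery's require_login_from_http_basic.
  def require_login_from_http_basic
    if @authorization.nil? || @session[:http_authentication_used].nil?
      @status = 401 # request_http_basic_authentication(...)
      @session[:http_authentication_used] = true
      return
    end
    login_from_basic_auth                                 # require_login -> logged_in?
    @status = 401 unless @current_user                    # not_authenticated
    @session[:http_authentication_used] = nil unless @current_user
  end

  # Same rule as Sorcery's login_from_basic_auth: credentials only count
  # when the marker shows we asked for them in this session.
  def login_from_basic_auth
    username, password = decode_basic(@authorization)
    return false if username.nil?
    @current_user = (FakeUserClass.authenticate(username, password) if @session[:http_authentication_used]) || false
  end

  def decode_basic(header)
    return nil unless header && header.start_with?('Basic ')
    header[6..-1].unpack1('m').split(':', 2)
  end
end

# Walks the scenario from the documentation and returns the status of each
# response: challenge, login, logout, re-challenge, login again.
def demo_flow
  browser = Controller.new
  creds = basic_header('alice', 'correct horse')
  statuses = []
  statuses << browser.handle(nil).status    # 401: no credentials, marker set
  statuses << browser.handle(creds).status  # 200: logged in
  browser.logout                            # session reset, marker gone
  statuses << browser.handle(creds).status  # 401: browser re-sent creds, but we did not ask
  statuses << browser.handle(creds).status  # 200: challenged, now accepted
  statuses
end
```

Without the marker, the third request would silently log the user back in from the browser's cached credentials; with it, logout is followed by a fresh challenge. A wrong password clears the marker as well, so the next request is challenged instead of being retried against the user store.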