0.01
No release in over 3 years
Low commit activity in last 3 years
Add http authorization methods to Roda
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Dependencies

Development

~> 1.11
>= 0
~> 12.3
>= 0

Runtime

< 4.0, >= 2.0
 Project Readme

Roda Http Authorization

Build Status

Add http authorization methods to Roda.

Installation

This is an external plugin. Install it by adding the gem to your gemfile:

gem 'roda-http-auth'

Configuration

Configure your Roda application to use this plugin:

plugin :http_auth

You can pass global options, in this context they'll be shared between all http_auth calls.

plugin :http_auth, authenticator: ->(user, pass) { [user, pass] == %w[foo bar] },
                   realm: 'Restricted Area', # default
                   schemes: %w[basic] # default

Usage

Call http_auth inside the routes you want to authenticate the user, it will halt the request with an empty response with status 401 if the authenticator is false.

You can provide an unauthorized block to be invoked whenever the user is unathorized, it's executed in the context of the instance:

plugin :http_auth, unauthorized: -> { view('401.html') }

# ...

r.root do
  http_auth {|u, p| [u, p] == %w[foo bar] }

  "If you can see this you were authorized! \
   Otherwise you'll be served with the 401.html.erb template"
end

Basic Auth

Basic authorization is the default method:

# Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
http_auth { |user, pass| [user, pass] == ['Aladdin', 'open sesame'] }

Schemes

By default authorization schemes are whitelisted, so if you want to use one that is not basic auth you must configure it:

plugin :http_auth, schemes: %w[bearer]

You can also whitelist schemes for a specific route:

http_auth(schemes: %w[bearer]) { |token| token == '4t0k3n' }

Scheme: Bearer

When the Bearer scheme is passed, if whitelisted, the token is passed to the authenticator:

# Authorization: Bearer 4t0k3n
http_auth { |token| token == '4t0k3n' }

Schemes with formatted parameters

For schemes that require formatted params authorization header, like Digest, the scheme and the parsed params are passed to the authenticator:

# Request
Authorization: Digest username="Mufasa",
                      realm="http-auth@example.org",
                      uri="/dir/index.html",
                      algorithm=MD5,
                      nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v",
                      nc=00000001,
                      cnonce="f2/wE4q74E6zIJEtWaHKaf5wv/H5QzzpXusqGemxURZJ",
                      qop=auth,
                      response="8ca523f5e9506fed4657c9700eebdbec",
                      opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS"
http_auth { |s, p| [s, p['username']] == ['digest', 'Mufasa'] }

Warden

To avoid having your 401 responses intercepted by warden, you need to configure the unauthenticated callback that is called just before the request is halted:

plugin :http_auth, unauthorized: -> { env['warden'].custom_failure! }

Additional Configuration

The header sent when the user is unauthorized can be configured via unauthorized_headers and realm options, globally or locally:

unauthorized_headers: ->(opts) do
  { 'WWW-Authenticate' => ('Basic realm="%s"' % opts[:realm]) }
end, # default
realm: "Restricted Area", # default

Test

bundle exec ruby spec/*_spec.rb

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/badosu/roda-http-auth.

License

The gem is available as open source under the terms of the MIT License.