Reputation: 151056
In Ruby on Rails Restful Authentication, why does current_user check the HTTP username and password?
In Restful Authentication, lib/authenticated_system.rb,
why does current_user do a login_from_basic_auth, which does a authenticate_with_http_basic, which is to check the HTTP user provided login name and password?
I thought the login form is in /session/new (or /login), and then it POST to /session, which will go to the sessions controller, create action, and there, it
verifies the login name and password provided by the user.
This is line 8 of lib/authenticated_system.rb
def current_<%= file_name %>
@current_user ||= (login_from_session
|| login_from_basic_auth
|| login_from_cookie) unless @current_user == false
end
So the question is, if the login name and password was previously verified, then why checking it in current_user?
Upvotes: 2
Views: 578
Answers (1)
Reputation: 34350
This function indicates that there are three ways to authenticate in your system:
- Using a POST request from /session/new or /login.
- Using BASIC HTTP authentication (a popup or URL provided username and password).
- Using a remember me cookie so that sessions can persist even when session cookies are destroyed or the browser is restarted.
Even though your basic login happens with a POST request from /session/new or /login, the only thing that POST request actually does is set the session user id (probably session[:user_id]). Once that session[:user_id] has been set, you no longer need to login to perform a request, because you are authenticated. From this point forward the actual authentication happens by checking the session[:user_id] to see if someone has already logged in.
Here is a more detailed authentication lifecycle (for login):
- User visits /login.
- User enters password and username and submits form.
- Password is checked, if authenticated the session[:user_id] is set.
- User visits another page.
- To check if the user is authenticated, current_user is called.
- login_from_session is called and the user corresponding to session[:user_id] is returned.
- The user is considered authenticated.
Here is a more detailed authentication lifecycle (for HTTP BASIC authentication):
- A user visits http://username:[email protected].
- To check if the user is authenticated, current_user is called.
- login_from_session is called, but session[:user_id] is nil, so nil is returned.
- login_from_basic_auth is called, and username:password is present, so the corresponding user is returned.
- The user is considered authenticated.
Here is a more detailed authentication lifecycle (remember me cookie):
- A user has previously logged in and chosen the 'remember me' option.
- A user closes their browser and then re-opens it and visits your site.
- login_from_session is called, but session[:user_id] is nil, so nil is returned.
- login_from_basic_auth is called, but username and password are missing, so nil is returned.
- login_from_cookie is called and a cookie is found and used to return a user.
- The user is considered authenticated.
Upvotes: 3
Related Questions
- In Ruby on Rails, what does authenticate_with_http_basic do?
- Rails: why does simple_token_authentication validate every request?
- rails authenticate_or_request_with_http_basic
- rails authlogic can't find current_user (nil) after using http basic authentication
- Rails HTTP Basic check for authenticated?
- Current_user method for authenticate_or_request_with_http_digest - Rails 4
- Restful Authentication -- how to log in a user without password
- Issue with checking for current_user
- restful authentication current_user
- Is the user logged in? (restful-authentication)