Rails HTTP Basic Authentication Failure - ruby-on-rails

I'm trying to use authenticate_with_http_basic in a Rails 2.3.4 app, and the username and password aren't being picked up. I did a little detective work and figured out that it's failing because there's no authorization header in the request. I tried adding the RewriteRule suggested in the docs:
RewriteRule ^(.*)$ dispatch.fcgi [E=X-HTTP_AUTHORIZATION:%{HTTP:Authorization},QSA,L]
I haven't had any luck, though, either with Apache/Passenger or Mongrel. I also didn't have any luck trying authenticate_with_http_basic in a Rails 3 app. If I change it to authenticate_or_request_with_http_basic, credentials given at the prompt work, but it ignores any supplied in the url. (Which makes sense, since it's calling authenticate_with_http_basic.) I can't find anything in my code that should be messing with the request, and it seems odd to me that it isn't working locally with Mongrel. Any suggestions?

I would strongly recommend using an authentication gem/plugin like Devise or Authlogic. They both support basic HTTP authentication.
Devise: https://github.com/plataformatec/devise and
http://railscasts.com/episodes/209-introducing-devise
Authlogic: https://github.com/binarylogic/authlogic and
http://railscasts.com/episodes/160-authlogic

For any future viewers: if it appears that Rails is receiving something different for the Authorization header than you think you are sending, check to ensure you aren't using .htaccess/.htpasswd files. The browser apparently remembers the credentials and it overrides anything you send!
Just spent like 3 hours trying to figure this out. I sure hope it helps someone else down the line :-)
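Added example (editor's code, not from the question or either answer): a stand-alone, Rack-style version of the header lookup and credential check that authenticate_with_http_basic performs. It shows why the RewriteRule in the question exists: Apache/FastCGI drop HTTP_AUTHORIZATION before the app sees it, so the header has to be re-exported under another environment key. The list of keys mirrors the ones Rails' HttpAuthentication::Basic consults; the user store, the sample environments and the helper names are constructed for the demo.

```ruby
require 'base64'

# Keys under which a Basic Authorization header can reach the app. Apache/FastCGI
# drop HTTP_AUTHORIZATION by default; the RewriteRule from the question re-exports
# it as X-HTTP_AUTHORIZATION, and mod_rewrite may prefix REDIRECT_ on an internal
# redirect. These are the same keys Rails' HttpAuthentication::Basic consults.
AUTH_ENV_KEYS = %w[
  HTTP_AUTHORIZATION
  X-HTTP_AUTHORIZATION
  X_HTTP_AUTHORIZATION
  REDIRECT_X_HTTP_AUTHORIZATION
].freeze

# Constructed stand-in for the application's user store (assumption for the demo).
BASIC_USERS = { 'admin' => 's3cret' }.freeze

def authorization_header(env)
  key = AUTH_ENV_KEYS.find { |k| env[k].is_a?(String) && !env[k].empty? }
  key && env[key]
end

# Parses "Basic base64(user:password)" into [user, password]; nil when the header is
# absent, uses another scheme, or is malformed. Only the first ':' separates the two
# fields, so passwords may themselves contain ':'.
def basic_credentials(env)
  header = authorization_header(env)
  return nil unless header
  scheme, encoded = header.split(' ', 2)
  return nil unless scheme && encoded && scheme.casecmp('basic').zero?
  decoded = (Base64.strict_decode64(encoded.strip) rescue nil)
  return nil unless decoded
  user, password = decoded.split(':', 2)
  return nil if user.nil? || password.nil?
  [user, password]
end

# Byte-wise constant-time comparison so a wrong password is rejected in the same
# time whether it differs in the first byte or the last.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What authenticate_with_http_basic does in spirit: extract the credentials and
# hand them to the application's check. With no header there is nothing to check,
# which is exactly the silent failure described in the question.
def authenticate_with_http_basic(env)
  creds = basic_credentials(env)
  return false unless creds
  user, password = creds
  expected = BASIC_USERS[user]
  !expected.nil? && secure_compare(expected, password)
end

# Constructed sample environments (not captured requests).
GOOD_HEADER  = 'Basic ' + Base64.strict_encode64('admin:s3cret')
ENV_DIRECT   = { 'HTTP_AUTHORIZATION' => GOOD_HEADER }            # header arrived intact
ENV_REWRITE  = { 'REDIRECT_X_HTTP_AUTHORIZATION' => GOOD_HEADER } # re-exported by mod_rewrite
ENV_STRIPPED = { 'REQUEST_METHOD' => 'GET' }                      # header dropped on the way

if __FILE__ == $PROGRAM_NAME
  puts authenticate_with_http_basic(ENV_DIRECT)   # true
  puts authenticate_with_http_basic(ENV_REWRITE)  # true
  puts authenticate_with_http_basic(ENV_STRIPPED) # false
end
```

A useful first diagnostic is to dump the keys of request.env that contain AUTHORIZATION in a controller: if none are present, the problem is in the web server or FastCGI layer, not in Rails. Note also that browsers generally send credentials embedded in the URL only after receiving a 401 challenge, which is why the _or_request_ variant appears to work where the plain one does not.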

Related

Is there a working Devise/Omniauth/Oauth2 interface with Wordpress?

I'm trying to use Wordpress to authenticate my Rails application users with the following Omniauth plugin:
https://github.com/jwickard/omniauth-wordpress-oauth2-plugin
I've followed the instructions carefully, and duplicated his example, but it doesn't work. Which is really surprising, because there's just not that much to it. However, I've found several threads on here like this one, that talk about the same problem I have:
Devise, OmniAuth & Facebook: "Not found. Authentication passthru."
When I click the "Sign in with Wordpress" (which is automatically inserted in my Devise sign-in page), I simply get a 404, with "Not found. Authentication passthru," which is a stub response for the passthru method in the Devise sources. Routes rake just fine, and look like all the examples. I've restarted the server dozens of times.
Despite several attempts to set site: and authorization_url: in the client_options, in both my devise config, and the plugin sources directly, my app never redirects to my Wordpress site. I've got about 10 hours into screwing around with this, and I don't know what's supposed to be responsible for actually sending me to the site to DO the authentication. Further complicating figuring this out is that almost every reference I can find to redirection in this sort of scenario is about the callback to my Rails site, after the authentication is done. I can never get that far.
There are a lot of confusing references to this problem on SO and the internet at large. There's some talk about making a "real" passthru or action_missing method in my OmniauthCallbacksController, but that seems to be outdated information. There's a lot of talk about making sure that I've defined the omniauth_providers in my User model, and I've tried it with and without, but that's not in any of the documentation about this plugin.
I've been trying to look at the plugin's strategy file, and it just doesn't seem that different than other Oauth2 plugins for Facebook, Google, or whatever, that I've been reviewing. It seems like there's a very simple thing I need to set in order to make this all work, but I can't find it, and I've run out of ideas on how to track it down. The plugin was last updated about 5 years ago. Does anyone still use this with modern versions of Devise, Omniauth, and Wordpress? If so, is there a clue you can give me to make it work?
I finally started tracing through the gem, and found where it was failing. As I searched on those further problems, I finally figured out that there were about 25 forks of this gem, and many of them addressed the problem. I used this particular one: https://github.com/bkno/omniauth-wordpress-oauth2-plugin

Rails: stateless authentication with Devise

I have a working devise user with connected omniauth identity and everything works fine. The problem is that I want to disable sessions and use stateless token authentication. I tried simple_token_authentication and devise_token_auth and experienced a lot of problems with both. Simple token auth was easy to add and I set config.skip_session_storage = [:token_auth], but I still had session in my requests and no tokens.
With devise_token_auth everything got messy and I wasn't able to get it to work. I had problems with duplicated routes. Disabling devise_for helped, but this way I disabled everything I have done so far and even then it would not work.
I don't know how to approach this problem, whether to use one of these gems or disable sessions and write some tokens handling manually (but using a gem seems safer to me). I don't want to set everything up from the beginning, but maybe it is the only way.
I know that my question seems a bit imprecise, but I am really confused now. I will post some code parts or error messages if you need something specific.

Facebook Login w/ Devise & Omniauth-Facebook has CORS Error?

I've been trying to implement basic Facebook login into a Rails app that already uses Devise, via their tutorial on integrating omniauth-facebook: https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview
However, as far as I can tell after following along with the full setup, I'm stuck with the error in the js console:
XMLHttpRequest cannot load https://www.facebook.com/dialog/oauth?client_id=...
No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://localhost:3000' is therefore not allowed access.
I've been stuck all day trying to resolve this, via what is my understanding to be a CORS issue.
However, I've had no success with rack-cors (https://github.com/cyu/rack-cors) and attempting to manually set the headers in the application controller hasn't yielded any results.
I'm unsure where to proceed from here, and somewhat baffled that I haven't come across a solution yet for what must be a pretty standard implementation.
Any help or ideas would be greatly appreciated!
Thanks :)
Try restarting your server. :P
If that doesn't work, install the rack-cors gem and follow the relevant config/application.rb modifications then restart your server.
https://github.com/cyu/rack-cors

authentication token verification for AJAX/xhr requests in rails

It seems that Rails has by default stopped checking authentication_token for AJAX requests. Per the code, request.xhr? is not checked anymore. It was not ignored in Rails 2.3.2, but since 2.3.8 it is ignored. I wanted to know the reason for this change and what the way is to turn it on.
You now need to check the format of the request to know what you really want served. It's really better than knowing whether or not your request is XHR. This trick was bad because it may not be supported by all JavaScript scripts.
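Added example (editor's code, not from the question or the answer): a request-verification check in the spirit of Rails' protect_from_forgery that does not exempt XHR requests, beside a contrasting variant that does. The X-CSRF-Token header, the authenticity_token parameter and the _csrf_token session key are the Rails conventions; the helper names, the session and the sample requests are constructed for the demo.

```ruby
require 'securerandom'

# Rails treats only GET and HEAD as safe; every other method must carry the token.
CSRF_SAFE_METHODS = %w[GET HEAD].freeze

def new_csrf_token
  SecureRandom.base64(32)
end

# Byte-wise constant-time comparison of two tokens of equal length.
def csrf_secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Token presented by the request: the form field, or the X-CSRF-Token header
# (Rack exposes it as HTTP_X_CSRF_TOKEN). Which channel delivered it does not matter.
def presented_csrf_token(env, params)
  params['authenticity_token'] || env['HTTP_X_CSRF_TOKEN']
end

# The check that matters: there is no exemption for request.xhr?. X-Requested-With is
# not a secret and says nothing about whether the user intended the request, so only a
# token bound to the session can prove that. A missing session token fails closed.
def verified_request?(env, params, session)
  return true if CSRF_SAFE_METHODS.include?(env['REQUEST_METHOD'].to_s.upcase)
  expected = session['_csrf_token']
  presented = presented_csrf_token(env, params)
  return false if expected.nil? || expected.empty? || presented.nil?
  csrf_secure_compare(expected, presented.to_s)
end

# For contrast, the behaviour the question is asking about: an XHR flag alone is
# accepted as proof, so any cross-site request that can set the header passes.
def xhr_exempt_verified_request?(env, params, session)
  return true if env['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'
  verified_request?(env, params, session)
end

# Constructed sample session and requests (not captured traffic).
SESSION      = { '_csrf_token' => new_csrf_token }.freeze
XHR_NO_TOKEN = { 'REQUEST_METHOD' => 'POST', 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest' }.freeze
XHR_TOKEN    = XHR_NO_TOKEN.merge('HTTP_X_CSRF_TOKEN' => SESSION['_csrf_token']).freeze
FORM_POST    = { 'REQUEST_METHOD' => 'POST' }.freeze

if __FILE__ == $PROGRAM_NAME
  puts verified_request?(XHR_NO_TOKEN, {}, SESSION)            # false
  puts xhr_exempt_verified_request?(XHR_NO_TOKEN, {}, SESSION) # true
  puts verified_request?(XHR_TOKEN, {}, SESSION)               # true
end
```

In a real app the token is emitted by csrf_meta_tags and attached to XHR calls by the JavaScript helpers, so the right fix for a failing AJAX request is to send the token, not to restore the exemption.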

Kerberos Authentication in Rails

Is it possible to use kerberos to authenticate a user under rails? Are there any existing plugins (preferably which extend authlogic's functionality) to do this?
I'm hoping someone else will come around and show us a pure Rails way of doing this. But until then, the easiest way to get things going is by letting your web server handle it.
On that note, I'm going to assume Apache. If this is not the case, please tell us a bit more about your set-up.
Proper Kerberos authentication in browsers is done in the HTTP protocol itself, much like Basic or Digest authentication. In Apache, this can be done with mod_kerb_auth.
Then the next step is to find out how to retrieve the username. It depends a bit on the interface you're using between the web-server and your Rails app. This could be Passenger, FastCGI, mod_proxy, etc.
Many will follow the original CGI standard to some degree, passing along a bunch of environment variables with the request. Try the following in your controller:
username = request.env['REMOTE_USER']
That's as far as I can take you. I've never used authlogic. Though, by the looks of it, it supports plugins. Perhaps you can create a new one that blindly trusts REMOTE_USER if it is set?
If you want to switch from Authlogic to OmniAuth for your authentication, there's a module for it:
https://github.com/jgraichen/omniauth-kerberos
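Added example (editor's code, not from either answer): a Rack-style check that trusts REMOTE_USER as the first answer suggests, while making the trust boundary explicit. In the CGI environment a client request header "X-Foo: bar" arrives as HTTP_X_FOO; REMOTE_USER has no HTTP_ prefix, so under Passenger or FastCGI it can only have been set by the web server after Kerberos succeeded, never by the client. The realm allow-list, the header names and the sample environments are assumptions constructed for the demo.

```ruby
# Realms whose principals this application accepts (assumption for the demo).
ALLOWED_REALMS = %w[EXAMPLE.COM].freeze

# Kerberos modules commonly set REMOTE_USER to the full principal "user@REALM"
# (or just "user" when the module is configured to strip the realm). Returns the
# local username for an accepted principal, or nil.
def local_user_from_principal(principal)
  return nil if principal.nil? || principal.empty?
  user, realm = principal.split('@', 2)
  return nil if user.nil? || user.empty?
  return user if realm.nil?
  ALLOWED_REALMS.include?(realm) ? user : nil
end

# The only variable worth trusting: set by the server, not sent by the client.
def current_user(env)
  local_user_from_principal(env['REMOTE_USER'])
end

# Unsafe variant for contrast. Behind mod_proxy, REMOTE_USER does not cross the
# proxy as an environment variable, so it is tempting to forward it as a header;
# but a header fallback lets any client pick its own identity unless the proxy
# strips the client-supplied copy first.
def naive_user(env)
  env['REMOTE_USER'] || env['HTTP_X_REMOTE_USER']
end

# Minimal Rack-shaped guard; Rack itself is not needed to run this.
def kerberos_guard(env)
  user = current_user(env)
  return [401, { 'Content-Type' => 'text/plain' }, ['not authenticated']] if user.nil?
  [200, { 'Content-Type' => 'text/plain' }, ["hello #{user}"]]
end

# Constructed sample environments (not captured requests).
KRB_ENV     = { 'REMOTE_USER' => 'alice@EXAMPLE.COM' }.freeze     # set by the web server
SPOOFED_ENV = { 'HTTP_X_REMOTE_USER' => 'alice' }.freeze           # client-controlled header
FOREIGN_ENV = { 'REMOTE_USER' => 'mallory@EVIL.EXAMPLE' }.freeze   # authenticated, wrong realm

if __FILE__ == $PROGRAM_NAME
  puts current_user(KRB_ENV).inspect     # "alice"
  puts current_user(SPOOFED_ENV).inspect # nil
  puts naive_user(SPOOFED_ENV).inspect   # "alice"
end
```

An Authlogic or OmniAuth adapter built on this should look up the returned username in the application's own user table rather than creating accounts on the fly, so that a stray principal from a trusted realm does not become a user automatically.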
