Using plain text passwords with authenticate_or_request_with_http_digest
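# Protects every action with HTTP Digest authentication backed by a small
# in-memory user table.
class ApplicationController < ActionController::Base
  protect_from_forgery

  # username => secret handed back to the digest validator. Frozen so the
  # table cannot be altered at runtime. The secret may be the plain-text
  # password (as here) or the precomputed HA1 form, which the digest
  # validator also accepts; storing HA1 keeps the plain text off disk.
  USERS = { "sam" => "ruby" }.freeze

  # NOTE: before_filter is the pre-Rails-5.1 spelling of before_action.
  before_filter :authenticate

  private

  # Resolves the client's username to its stored secret; a nil result makes
  # the validator reject the request and re-issue the digest challenge.
  def authenticate
    authenticate_or_request_with_http_digest do |username|
      USERS[username]
    end
  end
end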
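# Validates the HTTP Digest "Authorization" header of +request+ against a
# password lookup.
#
# @param request [ActionDispatch::Request] the current request
# @param realm [String] the realm this server advertised in its challenge
# @param password_procedure [Proc] called with the client's username; must
#   return the user's plain-text password, its precomputed HA1 form (both
#   are tried, see +expected_response+), or a falsy value for an unknown user
# @return [Boolean] true only when the nonce, realm and opaque values were
#   issued by this server and the response digest matches one computed here
def validate_digest_response(request, realm, &password_procedure)
  secret_key  = secret_token(request)
  credentials = decode_credentials_header(request)
  valid_nonce = validate_nonce(secret_key, request, credentials[:nonce])

  # Reject before consulting the password store when the challenge data was
  # not issued by this server or belongs to another realm.
  return false unless valid_nonce && realm == credentials[:realm] && opaque(secret_key) == credentials[:opaque]

  password = password_procedure.call(credentials[:username])
  return false unless password

  # Honour a method override (e.g. _method=PUT) so the digest covers the
  # verb the client actually signed.
  method = request.env['rack.methodoverride.original_method'] || request.env['REQUEST_METHOD']
  # A relative uri in the header is checked against fullpath, an absolute one
  # against the full url. to_s guards against a header with no uri field.
  uri = credentials[:uri].to_s[0, 1] == '/' ? request.fullpath : request.url

  # The block may return either the plain password or its HA1 form, so both
  # are tried. The digest comparison is constant-time so a mismatch does not
  # leak how many leading characters of the response were correct.
  [true, false].any? do |password_is_ha1|
    expected = expected_response(method, uri, credentials, password, password_is_ha1)
    digest_equal?(expected, credentials[:response])
  end
end

# Constant-time equality check for two digest strings.
#
# @param expected [String, nil] the digest computed server-side
# @param actual [String, nil] the digest supplied by the client
# @return [Boolean] true when both strings are byte-for-byte equal
def digest_equal?(expected, actual)
  expected = expected.to_s
  actual = actual.to_s
  # Length is not secret; only the content comparison must not short-circuit.
  return false unless expected.bytesize == actual.bytesize

  diff = 0
  expected.bytes.zip(actual.bytes) { |a, b| diff |= a ^ b }
  diff.zero?
end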