Using Htaccess Password Protection on Rails

Rails has a built-in helper for this; you could place this in your application controller:

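protected

# Prompts the browser for HTTP Basic credentials; the request proceeds
# only when the block returns true.
def authenticate
  authenticate_or_request_with_http_basic do |username, password|
    username == "admin" && password == "test"
  end
end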

Then use a before_filter on any controllers you want to protect (or just stick it in the application controller to block the whole site):

before_filter :authenticate

This method works on Nginx as well as Apache, which is an added bonus. It doesn't, however, work if you have full page caching enabled: the visitor never hits the Rails stack, so it won't kick in.

Edit
Just noticed that you specified the /admin route. All my admin controllers inherit from an AdminController. You could set yours up like so:

/app/controllers/admin/admin_controller.rb

class Admin::AdminController < ApplicationController
  before_filter :authenticate

  protected

  def authenticate
    authenticate_or_request_with_http_basic do |username, password|
      username == "admin" && password == "test"
    end
  end
end

Then have all your controllers extend the admin controller, e.g.:

class Admin::ThingsController < Admin::AdminController
  # actions inherit the before_filter from Admin::AdminController
end

My routes are set up like so:

map.namespace :admin do |admin|
  admin.resources :things
end

Hope that helps.

Mimic .htaccess or some other type of password protecting with webrick

You can restrict access by using Rack-based basic auth or IP whitelisting.

Basic Auth

Add the following to your config/environments/development.rb:

config.middleware.use Rack::Auth::Basic, "Beta Access" do |username, password|
  'secret' == password
end

IP White Listing

I found two gems for this purpose:

rack-auth-ip

rack-ip-whitelist

I would use rack-auth-ip as it has been there for some time. Add the following to your config/environments/development.rb:

config.middleware.use Rack::Auth::IP, %w( YourIPAddress )

Now, the instance is accessible only if the originating IP is in the white list.

.htaccess: if statement to disable password protection if get parameter is set

<If "%{QUERY_STRING} != /^access_token$/">

The Internal Server Error might be caused by the use of the != (not-equal) operator as used with strings instead of the !~ (not-match) operator to compare against the regex. For example, it should read:

<If "%{QUERY_STRING} !~ /^access_token$/">

Note that this is naturally successful whenever the QUERY_STRING is not exactly access_token. The access token value is omitted, so maybe you also need /^access_token=12345$/.

Can I protect with a .htaccess file some routes with sinatra?

AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/to/file/.htpasswd

<Files "protected.html">
  Require valid-user
</Files>

If you want to use Sinatra for authentication, check out this FAQ.

Password protecting a rails staging environment

Bumping this to help others like myself, as I read this before settling on a similar, but cleaner, solution.

# config/environments/staging.rb

MyApp::Application.configure do
  config.middleware.insert_after(::Rack::Lock, "::Rack::Auth::Basic", "Staging") do |u, p|
    [u, p] == ['username', 'password']
  end

  #... other config
end

I wrote a short blog post about it.

Rake tests all fail after htaccess implementation

You can change your tests to include the Basic authentication header; see this:

def test_should_get_index
  # Send the credentials the way a browser would: "Basic " + Base64("user:pass")
  @request.env["HTTP_AUTHORIZATION"] = "Basic " + Base64::encode64("username:password")
  get :index
  assert_response :success
  assert_not_nil assigns(:articles)
end

Source: http://flip.netzbeben.de/2008/06/functional-test-for-http-authentication-in-rails-2/
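
The answers above compare credentials with == against literals kept in the source. As an added example (not code from any of the answers), here is a dependency-free Rack-style middleware that parses the same HTTP_AUTHORIZATION value the functional test sends, answers missing or malformed headers with a 401, and compares credentials in constant time. The class name BasicAuthGate and the STAGING_USER / STAGING_PASSWORD environment variables are assumptions.

```ruby
require "digest"

# Added example; BasicAuthGate and the STAGING_* variable names are assumptions.
class BasicAuthGate
  def initialize(app, realm:, user:, password:)
    @app = app
    @realm = realm
    @expected = digest(user, password)
  end

  def call(env)
    user, password = parse(env["HTTP_AUTHORIZATION"])
    if user && secure_equal?(digest(user, password), @expected)
      @app.call(env)
    else
      [401, { "WWW-Authenticate" => %(Basic realm="#{@realm}") }, ["Unauthorized\n"]]
    end
  end

  private

  # Returns [user, password], or nil for a missing or malformed header.
  def parse(header)
    scheme, encoded = header.to_s.split(" ", 2)
    return nil unless scheme&.casecmp?("Basic") && encoded
    decoded = encoded.strip.unpack1("m") # lenient Base64 decode, never raises
    return nil unless decoded.include?(":")
    decoded.split(":", 2) # the password itself may contain ":"
  end

  # Hash both fields so the comparison always runs over equal-length strings.
  def digest(user, password)
    Digest::SHA256.hexdigest("#{user.bytesize}:#{user}#{password}")
  end

  # Constant-time comparison: no early exit on the first differing byte.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

if __FILE__ == $0
  # Constructed demo request, built the same way as the functional test's header.
  gate = BasicAuthGate.new(->(_env) { [200, {}, ["ok\n"]] }, realm: "Staging",
    user: ENV.fetch("STAGING_USER", "username"), password: ENV.fetch("STAGING_PASSWORD", "password"))
  puts gate.call("HTTP_AUTHORIZATION" => "Basic " + ["username:password"].pack("m")).first
end
```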
