HTTP [Basic and Token] authentication

In this post I show you how to implement HTTP-authentication between the client (JavaScript) and the server (RubyOnRails).

Bit of theory

1. When an unauthenticated client sends request to the protected resource, the server responses with an 401 Unauthorized HTTP status and adds a WWW-Authenticate header, which contains the authentication scheme and parameters.
2. When a client sends a request with an Authorization header, the server checks the credentials in this header and response with an 200 OK or with an 403 Forbidden HTTP status.

Bit of practice

First, we need two models: User и AuthToken.

class User < ApplicationRecord has_secure_password has_many :auth_tokens end class AuthToken < ApplicationRecord belongs_to :user before_create :set_value def set_value self.value = SecureRandom.hex(32) end end 

Authenticate with HTTP Basic

There are some useful modules for HTTP Authentication in RubyOnRails. Lets add one of them to our controller.

class ApplicationController < ActionController::API include ActionController::HttpAuthentication::Basic::ControllerMethods end 

Then we create a controller for user authentication. After receiving the POST-request, it checks user credentials. If successful, it sends the token to the user. A little later we do the Token authentication using the one.

class AuthenticationsController < AplicationController def create authenticate_with_http_basic do |login, password| user = User.find_by_login(login) if user&.authenticate(password) token = user.auth_tokens.create! render json: { token: token.value } and return end end render status: :unauthorized end end 

Lets create a JavaScript method which helps us get this token.

function authenticate(login, password) { const credentials = window.btoa(`${login}:${password}`); const headers = {}; headers[‘Authorization’] = `Basic ${credentials}`; return fetch(‘/authentications’, {method: ‘post’, headers} ).then(...) } 

Please note how we send the credentials. There is a rule for string formatting:

scheme + space + login + ‘:’ + password

And all is encoded by base64, except the name of the scheme.

Authenticate with HTTP Token

Well we successfully passed Basic authentication and got the token. Lets add Token authentication.

class ApplicationController < ActionController::API include ActionController::HttpAuthentication::Basic::ControllerMethods include ActionController::HttpAuthentication::Token::ControllerMethods attr_reader :current_user private def authenticate_by_token authenticate_or_request_with_http_token do |http_token| token = AuthToken.find_by_value(http_token) @current_user = token.user if token end end 

And apply it to a controller.

class UsersController < AplicationController before_action :authenticate_by_token def create ... end end 

Now to get access to the protected resource, just add the Authorization header.

headers[‘Authorization’] = `Token ${token}`; 

Links
https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication
https://api.rubyonrails.org/files/actionpack/lib/action_controller/metal/http_authentication_rb.html