Re: how to encrypt the password/login for the blog.rb example?

2008-03-12 Thread Jonas Pfenniger
2008/2/25, Albert Ng [EMAIL PROTECTED]:
 I'll keep that in mind.

 As an aside, using this gem, how would I go about changing the user without
 closing the browser or raising «Unauthorized»?  That last pops up a log-in
 window that can't authorize (have to press escape).

There is no perfect solution. Here is what I use in jQuery:

// idea from : http://nanodocumet.homedns.org/rest/
$('#header A.disconnect').click(function() {
  try {
    if ($.browser.msie) {
      // IE: clear the cached HTTP Authentication credentials
      document.execCommand("ClearAuthenticationCache");
    } else {
      // other browsers: overwrite the cached credentials with bogus ones by
      // sending an async request that the server answers with 401
      var xhr = new XMLHttpRequest();
      xhr.open("GET", "/logout", true, "logout", "logout");
      xhr.send(null);
      xhr.abort();
    }
  } catch(e) { error(e) }  // error() is the poster's own error handler
});


-

* the /logout url should respond Unauthorized for the logout:logout credential
* the xhr.open is called with async to true, otherwise the browser
shows the login window

-- 
Cheers,
  Jonas
___
Camping-list mailing list
Camping-list@rubyforge.org
http://rubyforge.org/mailman/listinfo/camping-list


Re: how to encrypt the password/login for the blog.rb example?

2008-02-25 Thread Manfred Stienstra

On Feb 23, 2008, at 7:10 PM, Brendan Taylor wrote:

 I've attached a module for doing digest auth with Camping. It uses the
 httpauth gem.

You have to take care when using httpauth because it doesn't do any  
internal validation of the digest authorization request, so I think it  
might be vulnerable to replay attacks or something.

Manfred


Re: how to encrypt the password/login for the blog.rb example?

2008-02-25 Thread Aria Stewart

On Feb 25, 2008, at 2:21 PM, Albert Ng wrote:

 I'll keep that in mind.

 As an aside, using this gem, how would I go about changing the user  
 without closing the browser or raising «Unauthorized»?  That last  
 pops up a log-in window that can't authorize (have to press escape).

You can't. Browsers really really really should include a logout  
button, and they don't. File bugs with me!


Re: how to encrypt the password/login for the blog.rb example?

2008-02-25 Thread Albert Ng
On Mon, Feb 25, 2008 at 6:24 PM, Aria Stewart [EMAIL PROTECTED] wrote:


 On Feb 25, 2008, at 2:21 PM, Albert Ng wrote:

  I'll keep that in mind.
 
  As an aside, using this gem, how would I go about changing the user
  without closing the browser or raising «Unauthorized»?  That last
  pops up a log-in window that can't authorize (have to press escape).

 You can't. Browsers really really really should include a logout
 button, and they don't. File bugs with me!

:)

After cursing at @state, wondering why it wasn't saving before I «raise
Unauthorized» (for 3 hours *rolleyes*), I've finally gotten the expected
behavior by creating a «Loginstate» table that belongs to «User», calling
save explicitly, and working some logic with that.

It's horribly expensive on the database, but it's ok for my purposes,
because the app is only accessible locally.

Another thing is that I changed password_for_user to record_for_user, as I'm
using @user for an AR record, and the gem kept turning it into a string :P

P.S. http://code.whytheluckystiff.net/camping/ticket/129 is very annoying,
they changed mongrel/camping again (for the worse)

module Ctd::Models
  # User is assumed to declare has_one :loginstate (not shown in the post)
  class Loginstate < Base
    belongs_to :user
  end

  ---

  create_table :ctd_loginstates do |t|
    t.column :user_id, :integer, :null => false
    t.column :reauthenticate, :boolean, :default => false
  end
  user.create_loginstate

---
module Ctd::Controllers
  class CloseSession
    def get
      authenticate
      # flag the user so the next request is forced to re-authenticate
      @user.loginstate.reauthenticate = true
      @user.loginstate.save
      redirect R(Index)
    end
  end
---
module Ctd
  include Camping::DigestAuth
  REALM = "ctd"

  module_function

  def record_for_user(username)
    include Ctd::Models
    user = User.find(:first, :conditions => ['username = ?', username])
    user = User.find(:first, :conditions => ['username = ?', 'dummy']) unless user
    if user.loginstate.reauthenticate == true
      user.loginstate.reauthenticate = false
      user.loginstate.save
      raise Unauthorized
    end if user
    return user
  end
end

Re: how to encrypt the password/login for the blog.rb example?

2008-02-23 Thread Brendan Taylor
On Fri, Feb 22, 2008 at 07:39:59PM +0100, Manfred Stienstra wrote:
 On Feb 22, 2008, at 7:28 PM, Albert Ng wrote:
 
  looking at the blog.rb example, I see a very nice example of  
  authentication, but the username/password is transmitted in clear  
  text form
 
  My question then is, Is there an easy way of encrypting that  
  information?
 
 Well, the easiest way is to do logins over SSL. A second option could  
 be HTTP Digest Authentication, but browser support for that is flaky  
 to say the least. 

I've been using Digest myself, can't say I've run into any
problems with browser support. Browser UI for it isn't great, of
course.

I've attached a module for doing digest auth with Camping. It uses the
httpauth gem.

Use it something like this:

  Camping.goes :Foo

  module Foo
include Camping::DigestAuth

    REALM = "foo"

module_function

def password_for_user(username)
  # returns the correct password for user username
  # or nil if the user doesn't exist
end
  end

At the beginning of every controller method you want to be
authenticated, call the 'authenticate' method.

require 'httpauth'

module Camping
  module DigestAuth
    include HTTPAuth::Digest

    class Unauthorized < RuntimeError; end

    # call this at the start of methods that require authentication
    def authenticate
      raise Unauthorized unless @user
    end

    def service(*a)
      # the top-level app module, e.g. Foo for Foo::Controllers::Index
      app = Kernel.const_get(self.class.name.gsub(/^(\w+)::.+$/, '\1'))
      auth_h = @env['HTTP_AUTHORIZATION']

      begin
        if auth_h
          credentials = Credentials.from_header(auth_h)
          user = credentials.h[:username]

          begin
            pass = app.password_for_user(user)
          rescue NameError
            raise "define #password_for_user on your app module"
          end

          if pass and
              credentials.validate(:password => pass, :method => @method.upcase)
            @user = user

            auth_info = AuthenticationInfo.from_credentials credentials
            @headers['Authentication-Info'] = auth_info.to_header
          end
        end
      rescue HTTPAuth::UnwellformedHeader
        # they probably sent eg. a Basic Authenticate header
        # just ignore it instead of exploding
      end

      super(*a)
    rescue Unauthorized
      @status = 401
      challenge = Challenge.new :realm => app::REALM, :qop => ['auth']
      @headers['WWW-Authenticate'] = challenge.to_header

      @body = authentication_failed

      self
    end

    # override this for a nicer error message
    def authentication_failed
      @headers['Content-Type'] = 'text/plain'

      "you are not authorized."
    end
  end
end


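Manfred's replay concern earlier in the thread and the digest module in this post both leave nonce handling entirely to the httpauth gem. The following is an added example, not code from the posted module or from the gem: a standalone Ruby nonce issuer/checker that lets a server reject forged, stale, or replayed Authorization headers. How to hand the nonce to httpauth's Challenge and read the client's nonce and nc back from the parsed credentials is not shown on the page, so that wiring is assumed.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not the posted module's code: self-validating nonces for
# HTTP Digest auth.  A nonce is "timestamp:salt:hmac", so the server verifies
# it without storing it, expires it after max_age seconds, and requires the
# client's nonce count (nc) to strictly increase, which exposes a replay.
class DigestNonces
  def initialize(secret, max_age: 300, now: -> { Time.now.to_i })
    @secret  = secret
    @max_age = max_age
    @now     = now        # injectable clock, so expiry can be tested
    @last_nc = {}         # nonce => highest nc accepted so far
  end

  # Fresh nonce for the WWW-Authenticate challenge; also prunes dead entries.
  def issue
    @last_nc.delete_if { |nonce, _| expired?(nonce) }
    stamp = "#{@now.call}:#{SecureRandom.hex(8)}"
    "#{stamp}:#{mac(stamp)}"
  end

  # Returns :ok, or a symbol naming why the (nonce, nc) pair was rejected.
  def check(nonce, nc_hex)
    ts, salt, tag = nonce.to_s.split(':', 3)
    return :malformed unless ts && salt && tag
    return :forged    unless secure_equal(mac("#{ts}:#{salt}"), tag)
    return :stale     if expired?(nonce)
    nc = nc_hex.to_s.hex
    return :malformed unless nc > 0
    return :replayed  if nc <= @last_nc.fetch(nonce, 0)
    @last_nc[nonce] = nc
    :ok
  end

  private
  def expired?(nonce)
    @now.call - nonce.split(':', 2).first.to_i > @max_age
  end

  def mac(data)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, data)
  end
  # Constant-time comparison so the tag check does not leak by timing.
  def secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

A real deployment would key `@last_nc` per client (or per nonce and username) and back it with shared storage if more than one server process answers requests.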

Re: how to encrypt the password/login for the blog.rb example?

2008-02-22 Thread Manfred Stienstra
On Feb 22, 2008, at 7:28 PM, Albert Ng wrote:

 looking at the blog.rb example, I see a very nice example of  
 authentication, but the username/password is transmitted in clear  
 text form

 My question then is, Is there an easy way of encrypting that  
 information?

Well, the easiest way is to do logins over SSL. A second option could  
be HTTP Digest Authentication, but browser support for that is flaky  
to say the least. You can try digest auth, it's in Apache and probably  
in other webservers.

 If not, will I have to go the https way with apache, or is there a  
 ruby http server that can do that?

WEBrick can do SSL, see http://www.webrick.org/

Manfred