Home/ Questions/Q 9194025
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-17T21:18:20+00:00

I currently have a before_filter in my ApplicationController which is used for credential verification.

  • 0

I currently have a before_filter in my ApplicationController which is used for credential verification. I also want to be able to verify user credentials when I access the url directly (i.e., from a script and not from a browser login form/session). Are there issues with accepting user credentials via a GET request?

application_controller.rb

before_filter :login_required

def login_required
    reset_session if session[:last_seen] < Rails.configuration.admin_timeout.minutes.ago rescue nil
    return true if session[:user]
    if (!params[:login].nil? && !params[:password].nil?) && session[:user] = User.authenticate(params[:login], params[:password])
        return true
    else
        render :nothing => true, :status => 401
        return false
    end
    flash[:alert] = 'Please login to continue'
    redirect_to login_url and return false
end

If it’s not an acceptable practice I’d like to only be able to do this on certain ‘safe’ controller actions. So for example:

product_controller.rb

before_filter :do_something
permit_login_via_get :only => [:index]

def index
    # Do some stuff in here. This should be accessible via http://mydomain.com/products?login=admin&password=yeahlikeidtellyouthat
end

So now my login_requred function would need to be modified so that the ‘permit_login_via_get’ method works with it.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Ok so I gave it some thought and decided it would be best to create API keys for each of my applications and with the Net::HTTP request, set a custom header which contained the API key. That way there are no user credentials that are sent through the URL. Now as to what is ‘secure’ or not about this method or what I need to do to MAKE it secure is something else. But here’s how I’ve done it so far and it seems to be working:

    application.rb (Manager application)

    # API Keys
config.api_key = "somelongstringofcharacters"
config.pos_api_key = "anotherlongstringofcharacters"
config.website_api_key = "yetANOTHERlongstringofcharacters"

    application.rb in the POS and Website apps are likewise to the above example.

    application_controller.rb (all applications)

    before_filter :login_required

def login_required
    reset_session if session[:last_seen] < Rails.configuration.admin_timeout.minutes.ago rescue nil
    return true if session[:user]
        unless request.headers["X-API-Key"].nil?
        if request.headers["X-API-Key"] == Rails.configuration.api_key
            return true
        else
            render :nothing => true, :status => 401
            return false
        end
        end
    flash[:alert] = 'Please login to continue'
    redirect_to :controller => :users, :action => :login
    return false
end

    This way all methods are private (except those that have skip_before_filter :login_required) and are accessible if you are logged in over a session using a login/password combination through the use of a form, OR if the request you’ve made has a “X-API-Key” header with the correct application key.

    The following is an example Rake task which is run through the Manager app; it requests a JSON file from the POS server which is protected by the login_required method:

    desc "Test Task so that larger projects don't need to be run through"
task :testing => :environment do

    require "net/http"
    require "uri"

    url = URI.parse("http://myposdomain/items.json?all=true&category=Wines")
    req = Net::HTTP::Get.new(url.path)
    req.add_field("X-API-Key", Rails.configuration.pos_api_key)
    res = Net::HTTP.new(url.host, url.port).start do |http|
    http.request(req)
    end
    myposdomain_wines = res.body

end
    • 0