Faking Basic Auth

I have a Rails app that shows catalogs of images. The images are
generated by a CGI that requires REMOTE_USER to be set. This is
accomplished by protecting the CGI folder with Basic Auth.

I can see how to implement Basic Auth in Rails, and this looks like it
will then allow Rails to reference the images (as long as my
authenticated Rails user matches a realm user). The problem is, I’d like
the option of emailing direct links to some images, so that the
recipient can click on a url to view a single image (this can be inside
a Rails template). In this case, I don’t want the user to be challenged -
some component of the url can be decoded to determine who the user is.

Is there any way to “silently” set the authentication credentials, or
set the REMOTE_USER on the fly so the CGI sees it and executes?

Brian A. wrote:

Is there any way to “silently” set the authentication credentials, or
set the REMOTE_USER on the fly so the CGI sees it and executes?

Write a controller that uses send_file in response to one of these
special URLs. Put a key in the URL that you retire after some time
limit, such as 24 hours. Then remove the login requirements for that
controller.


Phlip
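
One way to build the expiring URL key suggested in the reply above, as an added example that is not code from the thread: instead of a stored key, it uses an HMAC-signed token that carries the user, the image id and a 24-hour expiry, so the controller can decode who the user is before calling send_file. The secret, the function names and the `|` / `.` token layout are assumptions made for the example.

```ruby
require "openssl"
require "base64"

# Constructed secret for this example; a real app loads it from configuration.
LINK_SECRET = "example-only-secret-change-me"
LINK_TTL    = 24 * 60 * 60 # 24 hours, the limit suggested in the reply

def sign(payload)
  OpenSSL::HMAC.hexdigest("SHA256", LINK_SECRET, payload)
end

# Compare two strings without stopping at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Build the URL component for one user and one image.
def issue_link_token(user, image_id, now = Time.now)
  if [user, image_id].any? { |f| f.include?("|") }
    raise ArgumentError, "field contains the separator"
  end
  payload = [user, image_id, now.to_i + LINK_TTL].join("|")
  "#{Base64.urlsafe_encode64(payload, padding: false)}.#{sign(payload)}"
end

# Returns { user:, image_id: } for a valid, unexpired token, otherwise nil.
def verify_link_token(token, now = Time.now)
  encoded, mac = token.to_s.split(".", 2)
  return nil if encoded.nil? || mac.nil?
  payload = Base64.urlsafe_decode64(encoded)
  # Check the signature before trusting any field of the payload.
  return nil unless secure_equal?(sign(payload), mac)
  user, image_id, expires = payload.split("|", 3)
  return nil if expires.to_i < now.to_i
  { user: user, image_id: image_id }
rescue ArgumentError # malformed Base64
  nil
end
```

The controller action would call `verify_link_token` on the URL component and serve only the `image_id` named inside the token, so a leaked link exposes one image for at most 24 hours rather than a reusable credential.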

On 2/8/07, Brian A. wrote:

recipient can click on a url to view a single image (this can be inside
a Rails template). In this case, I don’t want the user to be challenged -
some component of the url can be decoded to determine who the user is.

Is there any way to “silently” set the authentication credentials, or
set the REMOTE_USER on the fly so the CGI sees it and executes?

Yes, to preset basic authentication you can do this as part of the url
like so

http://user:[email protected]/foo/bar

The user and password will be used for basic authentication. This is
part of the http spec, so it is supported by all major browsers.

So you can email out links with the authentication in it and they should
work as if they had authenticated manually. You can also use these as
links bookmarks (of course they are not securely stored since anyone can
click on them to use).

Blessings,

Jeff


Jeff B., MasterView core team