Img source: microcosm.com

You may have cases when you may need to do some authorizations for certain pages, so that they cannot be accessed by unauthorized clients. There are many authorization ways that you can use in a Ruby on Rails application. In this article, I will mention one very simple, yet not that much famous method that comes implemented and ready to be used each time you create a new Rails application.

ActionController::HttpAuthentication::Basic has a method called http_basic_authenticate_with that you may usually need to invoke at the top lines of your controller.

Rails is an open source framework so we are thankfully able to see the implementation and the work that is being done by this method:

def http_basic_authenticate_with(options = {})
  before_action(options.except(:name, :password, :realm)) do
    authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
      # This comparison uses & so that it doesn't short circuit and
      # uses `variable_size_secure_compare` so that length information
      # isn't leaked.
      ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
        ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
    end
  end
end

Let’s take an example of a DocumentsController. I have two methods that render views. I want to display a list of documents to anyone regardless of whether they are already authenticated or not. I want to restrict the privileges to modify documents to only the users that are authorized. Namely, they know a name and a password that I have set in the beginning that can be used.

http_basic_authenticate_with name: "fatos", password: "secure_password", except: :index

I should certainly use parametrized values that are set at config files, but for the purpose of this example, I am using actual values at the time this method is being invoked. Yes, I know that is not the most difficult to be found out and secured password on the planet, but it is only used for this article and maybe a few grandmas out there.

class DocumentsController < ApplicationController
   http_basic_authenticate_with name: "fatos", password: "secure_password", except: :index

   def index
     render plain: "Everyone can see me! Yes all of you"
   end

   def edit
     render plain: "I'm only accessible if you know the password"
   end
end

That single line of code calls the method that protects your documents from being modified by people you do not want. That’s really awesome and time saving, so you do not have to write everything by yourself.

If you need to do this type of authorization for many controllers, then you can simply declare it at ApplicationController:

class ApplicationController < ActionController::Base
  http_basic_authenticate_with name: "fatos", password: "secure_password", except: :index
  protect_from_forgery with: :exception
end

That’s all you need to do to use this incredibly easy-to-use way of authorization for your application.

Here you can check out the other methods that are included in this Rails module.