diff options
| author | José Valim <jose.valim@gmail.com> | 2010-04-05 10:52:47 +0200 |
|---|---|---|
| committer | José Valim <jose.valim@gmail.com> | 2010-04-05 12:00:24 +0200 |
| commit | 6690d662920f0db854f7303cd2a5a36c72299199 (patch) | |
| tree | 9e531ce7d2945b5eb0ce06e63277cc06361b37c0 /actionpack/lib/action_controller/metal/http_authentication.rb | |
| parent | 5c8b4c6e231257bc08d32722e098927885e5e74d (diff) | |
| download | rails-6690d662920f0db854f7303cd2a5a36c72299199.tar.gz rails-6690d662920f0db854f7303cd2a5a36c72299199.tar.bz2 rails-6690d662920f0db854f7303cd2a5a36c72299199.zip | |
Rename config.cookie_secret to config.secret_token and pass it as configuration in request.env. This is another step forward removing global configuration.
Diffstat (limited to 'actionpack/lib/action_controller/metal/http_authentication.rb')
| -rw-r--r-- | actionpack/lib/action_controller/metal/http_authentication.rb | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb index 424828f7e8..6bd6c15990 100644 --- a/actionpack/lib/action_controller/metal/http_authentication.rb +++ b/actionpack/lib/action_controller/metal/http_authentication.rb @@ -159,7 +159,7 @@ module ActionController # Authenticate with HTTP Digest, returns true or false def authenticate_with_http_digest(realm = "Application", &password_procedure) - HttpAuthentication::Digest.authenticate(config.secret, request, realm, &password_procedure) + HttpAuthentication::Digest.authenticate(request, realm, &password_procedure) end # Render output including the HTTP Digest authentication header @@ -169,14 +169,15 @@ module ActionController end # Returns false on a valid response, true otherwise - def authenticate(secret_key, request, realm, &password_procedure) - request.authorization && validate_digest_response(secret_key, request, realm, &password_procedure) + def authenticate(request, realm, &password_procedure) + request.authorization && validate_digest_response(request, realm, &password_procedure) end # Returns false unless the request credentials response value matches the expected value. # First try the password as a ha1 digest password. If this fails, then try it as a plain # text password. - def validate_digest_response(secret_key, request, realm, &password_procedure) + def validate_digest_response(request, realm, &password_procedure) + secret_key = secret_token(request) credentials = decode_credentials_header(request) valid_nonce = validate_nonce(secret_key, request, credentials[:nonce]) @@ -225,7 +226,7 @@ module ActionController end def authentication_header(controller, realm) - secret_key = controller.config.secret + secret_key = secret_token(controller.request) nonce = self.nonce(secret_key) opaque = opaque(secret_key) controller.headers["WWW-Authenticate"] = %(Digest realm="#{realm}", qop="auth", algorithm=MD5, nonce="#{nonce}", opaque="#{opaque}") @@ -238,6 +239,12 @@ module ActionController controller.status = 401 end + def secret_token(request) + secret = request.env["action_dispatch.secret_token"] + raise "You must set config.secret_token in your app's config" if secret.blank? + secret + end + # Uses an MD5 digest based on time to generate a value to be used only once. # # A server-specified data string which should be uniquely generated each time a 401 response is made. |