aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_controller/metal/http_authentication.rb
Commit message (Collapse)AuthorAgeFilesLines
* use secure string comparisons for basic auth username / passwordAaron Patterson2016-01-221-1/+6
| | | | | | this will avoid timing attacks against applications that use basic auth. CVE-2015-7576
* Merge pull request #14212 from tylerhunt/fix-token-regexSean Griffin2015-12-151-1/+1
|\ | | | | | | Handle tab in token authentication header.
| * Handle tab in token authentication header.Tyler Hunt2014-02-261-1/+1
| | | | | | | | | | | | | | | | | | | | | | The HTTP spec allows for LWS to precede the header content, which could include multiple SP and HT characters. Update the regex used to match the Token authorization header to account for this, instead of matching on a single SP. See http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html and http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html for the relevant parts of the specification.
* | Use `Mime[:foo]` instead of `Mime::Type[:FOO]` for back compatJeremy Daer2015-10-061-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Rails 4.x and earlier didn't support `Mime::Type[:FOO]`, so libraries that support multiple Rails versions would've had to feature-detect whether to use `Mime::Type[:FOO]` or `Mime::FOO`. `Mime[:foo]` has been around for ages to look up registered MIME types by symbol / extension, though, so libraries and plugins can safely switch to that without breaking backward- or forward-compatibility. Note: `Mime::ALL` isn't a real MIME type and isn't registered for lookup by type or extension, so it's not available as `Mime[:all]`. We use it internally as a wildcard for `respond_to` negotiation. If you use this internal constant, continue to reference it with `Mime::ALL`. Ref. efc6dd550ee49e7e443f9d72785caa0f240def53
* | Document Bearer prefix for Authorization header [ci skip]Eliot Sykes2015-09-231-5/+7
| |
* | Updated Mime Negotiations docs [ci skip]amitkumarsuroliya2015-09-231-2/+2
| | | | | | As we all know that Accessing mime types via constants is deprecated. Now, we are using `Mime::Type[:JSON]` instead of `Mime::JSON`
* | add a method for getting the http auth saltAaron Patterson2015-08-291-2/+2
| |
* | env to get_header conversionAaron Patterson2015-08-291-1/+1
| |
* | Authorization scheme should be case insensitive. Fixes #21199Dennis Suratna2015-08-111-1/+1
| |
* | Stop using deprecated `render :text` in testPrem Sichanugrist2015-07-171-1/+1
| | | | | | | | | | | | | | | | | | This will silence deprecation warnings. Most of the test can be changed from `render :text` to render `:plain` or `render :body` right away. However, there are some tests that needed to be fixed by hand as they actually assert the default Content-Type returned from `render :body`.
* | Add missing "header" word in documentation of Token#authentication_request ↵Prathamesh Sonpatki2015-06-141-1/+1
| | | | | | | | [ci skip]
* | allow `Bearer` as well as `Token`phoet2015-06-011-1/+1
| |
* | Give authentication methods the ability to customize response message.Keenan Brock2015-05-031-14/+16
| | | | | | | | Digest allowed the messages. Add the same feature to basic and token
* | Tiny optimization of http auth Realm unquotingStrech (Sergey Fedorov)2015-04-141-2/+2
| |
* | Freeze static arguments for gsubbrainopia2015-04-021-2/+2
| |
* | Prefer string patterns for gsubbrainopia2015-04-021-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | https://github.com/ruby/ruby/pull/579 - there is a new optimization since ruby 2.2 Previously regexp patterns were faster (since a string was converted to regexp underneath anyway). But now string patterns are faster and better reflect the purpose. Benchmark.ips do |bm| bm.report('regexp') { 'this is ::a random string'.gsub(/::/, '/') } bm.report('string') { 'this is ::a random string'.gsub('::', '/') } bm.compare! end # string: 753724.4 i/s # regexp: 501443.1 i/s - 1.50x slower
* | Doc fix [ci skip]Sushruth Sivaramakrishnan2015-03-051-1/+1
| |
* | Fixed undefined method error when doing authentication.Zhang Kai Yu2015-01-241-2/+2
| |
* | Minor documentation edits [ci skip]Robin Dupret2014-12-281-1/+1
| |
* | Update example test documentationBen Prew2014-12-281-4/+2
| | | | | | Example does not work with session headers, should use request headers. [ci skip]
* | Merge pull request #17186 from tgxworld/header_authentication_tokenMatthew Draper2014-11-271-2/+9
|\ \ | | | | | | | | | Allow authentication header to not have to specify 'token=' key.
| * | Allow authentication header to not have to specify 'token=' key.Guo Xiang Tan2014-10-101-2/+9
| | | | | | | | | | | | Fixes: https://github.com/rails/rails/issues/17108.
* | | Wrap code snippets in +, not backticks, in sdocclaudiob2014-11-201-3/+3
|/ / | | | | | | | | | | | | | | I grepped the source code for code snippets wrapped in backticks in the comments and replaced the backticks with plus signs so they are correctly displayed in the Rails documentation. [ci skip]
* | Improve token_and_options regex and testXinjiang Lu2014-07-011-1/+1
| | | | | | | | add a test case to test the regex for the helper method raw_params
* | Fix parsed token value with header `Authorization token=`.Larry Lv2014-06-131-2/+2
| |
* | Set the status before of setting the response bodyGuillermo Iguaran2014-06-131-2/+2
| | | | | | | | | | | | | | The 401 status should be set first because setting the response body in a live controller also closes the response to further changes. Fixes #14229.
* | Merge pull request #11346 from tomykaira/fix_10257Rafael Mendonça França2014-05-201-2/+14
|\ \ | | | | | | Check authentication scheme in Basic auth
| * | Run login_procedure only when the auth_scheme is validtomykaira2013-07-081-7/+14
| | |
| * | Check authentication scheme in Basic authtomykaira2013-07-071-1/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `authenticate_with_http_basic` and its families should check the authentication schema is "Basic". Different schema, such as OAuth2 Bearer should be rejected by basic auth, but it was passing as the test shows. This fixes #10257.
* | | Replace trivial regexp with string or index, twice as fastKelley Reynolds2014-03-281-1/+1
| |/ |/|
* | Update Docs in favor to use render plain instead of text optionrobertomiranda2014-02-181-6/+6
|/ | | | ref #14062
* Prefer find_by over dynamic finders in rdocSam Ruby2013-04-021-2/+2
|
* Digest auth should not 500 when given a basic header.Brad Dunbar2013-03-181-0/+1
|
* Revert "Merge pull request #8989 from robertomiranda/use-rails-4-find-by"Guillermo Iguaran2013-01-181-2/+2
| | | | | This reverts commit 637a7d9d357a0f3f725b0548282ca8c5e7d4af4a, reversing changes made to 5937bd02dee112646469848d7fe8a8bfcef5b4c1.
* User Rails 4 find_byrobertomiranda2013-01-181-2/+2
|
* Namespace HashWithIndifferentAccessAkira Matsuda2013-01-071-1/+1
|
* "warning: ambiguous first argument; put parentheses or even spaces"Akira Matsuda2012-12-241-1/+1
|
* Refactoring the token_and_options method to fix bugsKurtis Rainbolt-Greene2012-12-151-11/+27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Adding a test for the equal trun bug Adding a test for the after equal trunc bug Adding a test for the slash bug Adding a test for the slash quote bug Adding a helper method for creating a sample request object with token Writing a method to create params array from raw params Writing a method to rewrite param values in the params Writing a method to get the token params from an authorization value Refactoring the token_and_options method to fix bugs Removing unnessecary test A constant for this shared regex seemed appropriate Wanting to split up this logic Adding small documentation pieces
* update documentation and code to use _action callbacksFrancesco Rodriguez2012-12-071-5/+5
|
* Allow users to change the default salt if they want, shouldn't be necessarySantiago Pastorino2012-11-031-2/+3
|
* Use derived keys everywhere, http_authentication was missing itSantiago Pastorino2012-11-031-3/+2
|
* Multiple changes to 1,9 hash syntaxAvnerCohen2012-10-271-10/+10
|
* Merge branch 'master' of github.com:lifo/docrailsVijay Dev2012-08-041-1/+1
|\ | | | | | | | | | | Conflicts: activemodel/lib/active_model/secure_password.rb activerecord/lib/active_record/associations/collection_proxy.rb
| * use 'HTTP_AUTHORIZATION' instead of :authorization as key when dealing with ↵Francesco Rodriguez2012-07-271-1/+1
| | | | | | | | HTTP Token authentication in integration tests
* | Merge pull request #7240 from steveklabnik/fix_2301Rafael Mendonça França2012-08-021-1/+1
|\ \ | | | | | | Fix for digest authentication bug - issue #2301 in rails/rails
| * | Fix for digest authentication bug - issue #2301 in rails/railsArthur Smith2012-08-021-1/+1
| | |
* | | load active_support/core_ext/object/blank in active_support/railsXavier Noria2012-08-021-1/+0
|/ /
* / * Do not convert digest auth strings to symbols. CVE-2012-3424Aaron Patterson2012-07-261-2/+2
|/ | | | | Conflicts: actionpack/lib/action_controller/metal/http_authentication.rb
* Don't raise an error if http auth token isn't well formattedPiotr Sarnacki2012-07-111-4/+6
| | | | | | | | | | | | | | When someone sends malformed authorization header, like: Authorization: Token foobar given token should be just ignored and resource should not be authorized, instead of raising error. Before this patch controller would return 401 header only for well formed tokens, like: Authorization: Token token=foobar and would return 500 in former case.
* moar copy edits [ci skip]Vijay Dev2012-06-141-2/+1
|