Albert Ng
2008-Feb-22 18:28 UTC
how to "encrypt" the password/login for the blog.rb example?
Greetings all,

I find myself in need of making a little 3 page app that will run scripts, and my first thought was Camping!

Looking at the blog.rb example, I see a very nice example of authentication, but the username/password is transmitted in clear text form.

My question then is: is there an easy way of "encrypting" that information? If not, will I have to go the https way with apache, or is there a ruby http server that can do that?
Manfred Stienstra
2008-Feb-22 18:39 UTC
how to "encrypt" the password/login for the blog.rb example?
On Feb 22, 2008, at 7:28 PM, Albert Ng wrote:

> looking at the blog.rb example, I see a very nice example of
> authentication, but the username/password is transmitted in clear
> text form
>
> My question then is, Is there an easy way of "encrypting" that
> information?

Well, the easiest way is to do logins over SSL. A second option could be HTTP Digest Authentication, but browser support for that is flaky to say the least. You can try digest auth, it's in Apache and probably in other webservers.

> If not, will I have to go the https way with apache, or is there a
> ruby http server that can do that?

WEBrick can do SSL, see http://www.webrick.org/

Manfred
Albert Ng
2008-Feb-22 19:21 UTC
how to "encrypt" the password/login for the blog.rb example?
Thanks a bunch, that helps a lot.

As an aside, there's no mention of this mailing list on the camping wiki.

On Fri, Feb 22, 2008 at 2:39 PM, Manfred Stienstra <manfred at gmail.com> wrote:
> Well, the easiest way is to do logins over SSL. A second option could
> be HTTP Digest Authentication, but browser support for that is flaky
> to say the least. You can try digest auth, it's in Apache and probably
> in other webservers.
>
> WEBrick can do SSL, see http://www.webrick.org/
>
> Manfred
Brendan Taylor
2008-Feb-23 18:10 UTC
how to "encrypt" the password/login for the blog.rb example?
On Fri, Feb 22, 2008 at 07:39:59PM +0100, Manfred Stienstra wrote:
> Well, the easiest way is to do logins over SSL. A second option could
> be HTTP Digest Authentication, but browser support for that is flaky
> to say the least.

I've been using Digest myself, can't say I've run into any problems with browser support. Browser UI for it isn't great, of course.

I've attached a module for doing digest auth with Camping. It uses the httpauth gem. Use it something like this:

    Camping.goes :Foo

    module Foo
      include Camping::DigestAuth
      REALM = "foo"

      module_function

      def password_for_user(username)
        # returns the correct password for user "username"
        # or nil if the user doesn't exist
      end
    end

At the beginning of every controller method you want to be authenticated, call the 'authenticate' method.

-------------- next part --------------

    require "httpauth"

    module Camping
      module DigestAuth
        include HTTPAuth::Digest

        class Unauthorized < RuntimeError; end

        # call this at the start of methods that require authentication
        def authenticate
          raise Unauthorized unless @user
        end

        # wraps Camping's own #service: checks the Authorization header first,
        # then lets the controller method run; a raised Unauthorized becomes a 401
        def service(*a)
          # the app module (e.g. Foo) is the first segment of the controller's class name
          app = Kernel.const_get(self.class.name.gsub(/^(\w+)::.+$/, '\1'))
          auth_h = @env["HTTP_AUTHORIZATION"]
          begin
            if auth_h
              credentials = Credentials.from_header(auth_h)
              user = credentials.h[:username]
              begin
                pass = app.password_for_user(user)
              rescue NameError
                raise "define #password_for_user on your app module"
              end
              if pass and credentials.validate(:password => pass, :method => @method.upcase)
                @user = user
                auth_info = AuthenticationInfo.from_credentials credentials
                @headers["Authentication-Info"] = auth_info.to_header
              end
            end
          rescue HTTPAuth::UnwellformedHeader
            # they probably sent e.g. a Basic Authenticate header
            # just ignore it instead of exploding
          end
          super(*a)
        rescue Unauthorized
          @status = 401
          challenge = Challenge.new :realm => app::REALM, :qop => ["auth"]
          @headers["WWW-Authenticate"] = challenge.to_header
          @body = authentication_failed
          self
        end

        # override this for a nicer error message
        def authentication_failed
          @headers["Content-Type"] = "text/plain"
          "you are not authorized."
        end
      end
    end
Albert Ng
2008-Feb-24 03:32 UTC
how to "encrypt" the password/login for the blog.rb example?
Thank you Mr. Taylor, Mr. Stienstra. It feels so great to be on the cutting edge of 1999's web encryption and authorization!

Mr Taylor, I have used your module for digest authorization and was wondering if you could answer a couple of questions:

What does module_function do without calling a :symbol?

How is the 'service' function called when I'm calling 'authenticate', whose only function is to raise if a condition is not met?

Mr. Stienstra, I have looked into using SSL with WEBrick. Thank you very much, it is exactly what I was looking for.

On Sat, Feb 23, 2008 at 2:10 PM, Brendan Taylor <whateley at gmail.com> wrote:
> I've been using Digest myself, can't say I've run into any
> problems with browser support. Browser UI for it isn't great, of
> course.
>...
> At the beginning of every controller method you want to be
> authenticated, call the 'authenticate' method.

attached is my current progress.
Brendan Taylor
2008-Feb-24 15:49 UTC
how to "encrypt" the password/login for the blog.rb example?
On Sat, Feb 23, 2008 at 11:32:32PM -0400, Albert Ng wrote:
> Mr Taylor, I have used your module for digest authorization and was
> wondering if you could answer a couple of questions:
> What does module_function do without calling a :symbol?

<http://www.ruby-doc.org/core/classes/Module.html#M001665>: "If used with no arguments, subsequently defined methods become module functions."

> How is the 'service' function called when I'm calling 'authenticate', whose
> only function is to raise if a condition is not met?

Mixin inheritance stuff. <http://code.whytheluckystiff.net/camping/wiki/BeforeAndAfterOverrides>
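An added example (not Camping's code, nor the module posted above) that reproduces the mixin chain behind Brendan's answer, with a stand-in `Base` for Camping's base controller: the app module is assumed to end up ahead of `Base` in a controller's ancestors, so the mixin's `service` wraps the controller's `get` and catches what `authenticate` raises.

```ruby
# Stand-in for Camping's Base#service: dispatch to the verb method (get, post, ...)
module Base
  def service(meth)
    @status = 200
    send(meth)
  end
end

module DigestAuth
  class Unauthorized < RuntimeError; end

  # Called at the top of a controller method; all it does is raise
  def authenticate
    raise Unauthorized unless @user
  end

  # Sits before Base in the ancestor chain, so the framework's call to
  # #service lands here first; super runs Base#service, which runs #get.
  # Whatever #get raises passes back through here and is turned into a 401.
  def service(*a)
    super(*a)
  rescue Unauthorized
    @status = 401
    "you are not authorized."
  end
end

module Foo                 # the app module (what `Camping.goes :Foo` would create)
  include DigestAuth
end

class Secret               # a controller; assumed include order: Base, then the app module
  include Base
  include Foo              # included last, so searched first
  attr_reader :status
  def initialize(user = nil); @user = user; end
  def get
    authenticate           # raises unless @user was set before #get ran
    "hello #{@user}"
  end
end

# The lookup order that makes the override work
def lookup_order
  Secret.ancestors.take(4).map(&:name)
end
```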
Manfred Stienstra
2008-Feb-25 10:22 UTC
how to "encrypt" the password/login for the blog.rb example?
On Feb 23, 2008, at 7:10 PM, Brendan Taylor wrote:
> I've attached a module for doing digest auth with Camping. It uses the
> httpauth gem.

You have to take care when using httpauth because it doesn't do any internal validation of the digest authorization request, so I think it might be vulnerable to replay attacks or something.

Manfred
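An added example (not the httpauth gem and not the module posted above) of the checks a server can add to cover the replay concern raised here: a minimal Digest verifier (RFC 2617, qop=auth) that only accepts nonces it minted itself, expires them, and rejects a repeated nonce count. The realm, the secret and the credential fields are assumed/constructed for the example.

```ruby
require "digest/md5"
require "openssl"
# Minimal server-side Digest check: HMAC-stamped nonces, nonce expiry,
# and a strictly increasing nonce count (nc) per nonce to detect replays.
class DigestVerifier
  REALM   = "foo"   # assumed realm, matching the posted usage example
  MAX_AGE = 300     # seconds a nonce stays acceptable

  def initialize(secret, now = Time.now.to_i)
    @secret = secret   # server-side key; never sent to the client
    @now    = now
    @seen   = {}       # nonce => highest nonce count accepted so far
  end

  # nonce = timestamp ":" HMAC(secret, timestamp): checkable without storing it
  def issue_nonce
    ts = @now.to_s
    "#{ts}:#{OpenSSL::HMAC.hexdigest('sha256', @secret, ts)}"
  end

  # Reject nonces we did not mint, and nonces older than MAX_AGE
  def nonce_valid?(nonce)
    ts, mac = nonce.to_s.split(":", 2)
    return false unless ts && mac
    return false if @now - ts.to_i > MAX_AGE
    OpenSSL::HMAC.hexdigest("sha256", @secret, ts) == mac
  end

  # Expected "response" field for qop=auth; the client computes the same value
  def self.response(user, realm, pass, method, uri, nonce, nc, cnonce)
    ha1 = Digest::MD5.hexdigest("#{user}:#{realm}:#{pass}")
    ha2 = Digest::MD5.hexdigest("#{method}:#{uri}")
    Digest::MD5.hexdigest("#{ha1}:#{nonce}:#{nc}:#{cnonce}:auth:#{ha2}")
  end

  # c: parsed Authorization fields (:username, :uri, :nonce, :nc, :cnonce,
  # :response). True only for a fresh, correctly signed, unreplayed request.
  def validate(c, method, password)
    return false unless nonce_valid?(c[:nonce])
    expected = self.class.response(c[:username], REALM, password, method,
                                   c[:uri], c[:nonce], c[:nc], c[:cnonce])
    return false unless expected == c[:response]   # constant-time compare in production
    nc = c[:nc].to_i(16)
    return false unless nc > (@seen[c[:nonce]] || 0)  # repeated or reordered nc
    @seen[c[:nonce]] = nc
    true
  end
end
```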
Albert Ng
2008-Feb-25 21:21 UTC
how to "encrypt" the password/login for the blog.rb example?
I'll keep that in mind.

As an aside, using this gem, how would I go about changing the user without closing the browser or raising 'Unauthorized'? That last pops up a log-in window that can't authorize (have to press escape).

On Mon, Feb 25, 2008 at 6:22 AM, Manfred Stienstra <manfred at gmail.com> wrote:
> You have to take care when using httpauth because it doesn't do any
> internal validation of the digest authorization request, so I think it
> might be vulnerable to replay attacks or something.
>
> Manfred
Aria Stewart
2008-Feb-25 22:24 UTC
how to "encrypt" the password/login for the blog.rb example?
On Feb 25, 2008, at 2:21 PM, Albert Ng wrote:
> I'll keep that in mind.
>
> As an aside, using this gem, how would I go about changing the user
> without closing the browser or raising 'Unauthorized'? That last
> pops up a log-in window that can't authorize (have to press escape).

You can't. Browsers really really really should include a logout button, and they don't. File bugs with me!
Albert Ng
2008-Feb-26 00:43 UTC
how to "encrypt" the password/login for the blog.rb example?
On Mon, Feb 25, 2008 at 6:24 PM, Aria Stewart <aredridel at nbtsc.org> wrote:
> You can't. Browsers really really really should include a logout
> button, and they don't. File bugs with me!

:)

After cursing at @state, wondering why it wasn't saving before I 'raise Unauthorized' (for 3 hours *rolleyes*), I've finally gotten the expected behavior by creating a 'Loginstate' table that belongs to 'User', calling save explicitly, and working some logic with that. It's horribly expensive on the database, but it's ok for my purposes, because the app is only accessible locally.

Another thing is that I changed password_for_user to record_for_user, as I'm using @user for an AR record, and the gem kept turning it into a string :P

P.S. http://code.whytheluckystiff.net/camping/ticket/129 is very annoying, they changed mongrel/camping again (for the worse)

    module Ctd::Models
      class Loginstate < Base
        belongs_to :user    # one row per user; User has_one :loginstate
      end
    end

    ---

    create_table :ctd_loginstates do |t|
      t.column :user_id, :integer, :null => false
      t.column :reauthenticate, :boolean, :default => false
    end

    user.create_loginstate    # once per user, so user.loginstate is never nil

    ---

    module Ctd::Controllers
      class CloseSession       # routed to /closesession by Camping's default
        def get
          authenticate
          # flag the record so the next request from this user is refused once
          @user.loginstate.reauthenticate = true
          @user.loginstate.save
          redirect R(Index)
        end
      end
    end

    ---

    module Ctd
      include Camping::DigestAuth
      REALM = "ctd"

      module_function

      def record_for_user(username)
        include Ctd::Models
        user = User.find(:first, :conditions => ['username = ?', username])
        user = User.find(:first, :conditions => ['username = ?', 'dummy']) unless user
        # a pending logout: clear the flag and reject this one request,
        # which makes the browser prompt for credentials again
        if user.loginstate.reauthenticate == true
          user.loginstate.reauthenticate = false
          user.loginstate.save
          raise Unauthorized
        end if user
        return user
      end
    end
Jonas Pfenniger
2008-Mar-12 10:28 UTC
how to "encrypt" the password/login for the blog.rb example?
2008/2/25, Albert Ng <twinwing at gmail.com>:
> I'll keep that in mind.
>
> As an aside, using this gem, how would I go about changing the user without
> closing the browser or raising 'Unauthorized'? That last pops up a log-in
> window that can't authorize (have to press escape).

There is no perfect solution. Here is what I use in jQuery:

    // idea from : http://nanodocumet.homedns.org/rest/
    $('#header A.disconnect').click(function() {
      try {
        if ($.browser.msie) {
          // IE: clear the cached HTTP Authentication credentials
          document.execCommand("ClearAuthenticationCache");
        } else {
          // other browsers: overwrite the cached credentials with bogus ones
          // by sending a request that supplies them and gets refused
          var xhr = new XMLHttpRequest();
          xhr.open("GET", "/logout", true, "logout", "logout");
          xhr.send(null);
          xhr.abort();
        }
      } catch(e) { error(e) }   // error() is assumed to be a helper defined elsewhere
    })

---------

* the /logout url should respond "Unauthorized" for the logout:logout credential
* the xhr.open is called with async to true, otherwise the browser shows the login window

--
Cheers,
Jonas