hannes.tyden-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
2007-Jun-25 16:52 UTC
ActiveResource authorization
Hi all!

I have been using AR to access a restful API. Users are authorized over http to get information that is restricted. Everything has been working until I realized that the request to the API must be a valid URL. This means that users with username:password that contains characters that will create an invalid URL cannot access their information.

Has anyone run into this problem and found a solution?

I guess sending the login info in the request header means that I can stay with allowing all types of characters in usernames and passwords. But then I will have to make changes to ActiveResource which I am not completely comfortable with.

Thanks,
Hannes

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en

Yes, I have.

I think it limits adoption of ActiveResource because one common REST implementation style would be e-mail address as username, which is easy to handle in HTTP Basic, but not when it is included in the URL, since the '@' automatically invalidates it as a URL.

You could probably URL encode the invalid characters before slipping them into the URL, but AR then would mess up the HTTP Basic request header it also adds, including the unnecessary encoding.

I think what would be sensible would be a class method on ActiveResource::Base like the site method that allows you to set the HTTP Basic request header directly, bypassing the inclusion in the URL. That way, AR would work with a lot more APIs.

On Jun 25, 9:52 am, "hannes.ty...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org" <hannes.ty...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Hi all!
>
> I have been using AR to access a restful API. Users are authorized
> over http to get information that is restricted. Everything has been
> working until I realized that the request to the API must be a valid
> URL. This means that users with username:password that contains
> characters that will create an invalid URL cannot access their
> information.
>
> Has anyone run into this problem and found a solution?
>
> I guess sending the login info in the request header means that I can
> stay with allowing all types of characters in usernames and passwords.
> But then I will have to make changes to ActiveResource which I am not
> completely comfortable with.
>
> Thanks,
> Hannes

What's more, the AR source makes this difficult to patch, since the various classes only pass around a URI object as the sole piece of configuration. That way, no way to express request headers that are a standard contraption in lots of REST APIs.

On Jun 26, 8:03 pm, ara_vartanian <ara.vartan...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Yes, I have.
>
> I think it limits adoption of ActiveResource because one common REST
> implementation style would be e-mail address as username, which is
> easy to handle in HTTP Basic, but not when it is included in the URL,
> since the '@' automatically invalidates it as a URL.
>
> You could probably URL encode the invalid characters before slipping
> them into the URL, but AR then would mess up the HTTP Basic request
> header it also adds, including the unnecessary encoding.
>
> I think what would be sensible would be a class method on
> ActiveResource::Base like the site method that allows you to set the
> HTTP Basic request header directly, bypassing the inclusion in the
> URL. That way, AR would work with a lot more APIs.
>
> On Jun 25, 9:52 am, "hannes.ty...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org" <hannes.ty...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> wrote:
>
> > Hi all!
>
> > I have been using AR to access a restful API. Users are authorized
> > over http to get information that is restricted. Everything has been
> > working until I realized that the request to the API must be a valid
> > URL. This means that users with username:password that contains
> > characters that will create an invalid URL cannot access their
> > information.
>
> > Has anyone run into this problem and found a solution?
>
> > I guess sending the login info in the request header means that I can
> > stay with allowing all types of characters in usernames and passwords.
> > But then I will have to make changes to ActiveResource which I am not
> > completely comfortable with.
>
> > Thanks,
> > Hannes
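
The problem discussed in this thread, reproduced with Ruby's standard library as an added example (not code from any of the posters or from ActiveResource). The credentials, host and path are constructed samples, and `pct_encode`, `pct_decode` and `basic_header` are hypothetical helper names.

```ruby
require "uri"
require "net/http"

# Constructed sample credentials and host (assumptions, not from the thread).
USER = "jane@example.com"
PASS = "p@ss:word"
HOST = "api.example.test"

# Percent-encode everything outside the RFC 3986 "unreserved" set so the
# value is safe inside the userinfo part of a URL.
def pct_encode(str)
  str.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format("%%%02X", b) }.join }
end

# Reverse of pct_encode; leaves '+' alone, unlike form decoding.
def pct_decode(str)
  str.b.gsub(/%(\h\h)/) { $1.hex.chr }.force_encoding("UTF-8")
end

# HTTP Basic header value: base64 of "user:password", no line breaks.
def basic_header(user, pass)
  "Basic " + ["#{user}:#{pass}"].pack("m0")
end

# 1. Raw credentials in the URL: the extra '@' makes it unparseable.
def raw_url_parses?
  URI.parse("http://#{USER}:#{PASS}@#{HOST}/")
  true
rescue URI::InvalidURIError
  false
end

# 2. Encoded credentials parse, but the URI object hands back the encoded
#    form. A header built from it without decoding carries the wrong login.
def headers_from_encoded_url
  uri = URI.parse("http://#{pct_encode(USER)}:#{pct_encode(PASS)}@#{HOST}/")
  naive = basic_header(uri.user, uri.password)
  fixed = basic_header(pct_decode(uri.user), pct_decode(uri.password))
  [naive, fixed]
end

# 3. Credentials kept out of the URL and set on the request directly.
def header_set_directly
  req = Net::HTTP::Get.new("/people/1.xml")
  req.basic_auth(USER, PASS)
  req["Authorization"]
end
```

Case 2 is the "unnecessary encoding" failure described in the second message; case 3 is the header-only approach both posters ask for.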