在authenticate_or_request_with_http_digest中获取密码
我有一个连接到 iPhone 应用程序的应用程序,该应用程序又通过 http_digest 对其用户进行身份验证。
我正在使用 authlogic,在我的架构中,网站的用户是“用户”,手机应用程序的用户是“人”。所以,我有 user_sessions 和 people_sessions。为了处理 http_digest 身份验证,我使用像这样的authenticate_or_request_with_http_digest方法:
def digest_authenticate_person
authenticate_or_request_with_http_digest do |email, password|
#ldb is just a logging method i have
ldb "email = #{email.inspect}, password = #{password.inspect}"
person = Person.find_by_email(email)
if person
ldb "Authentication successful: Got person with id #{person.id}"
@current_person_session = PersonSession.create(person)
else
ldb "Authentication failed"
@current_person_session = nil
end
return @current_person_session
end
end
我可以在日志中看到密码为零:只有电子邮件传递到authenticate_or_request_with_http_digest块的内部。
我用这样的curl调用来测试这个:
curl --digest --user [email protected]:apass "http://localhost:3000/reports.xml"
我希望“[email protected]< /a>" 和 "apass" 传递到内部块。一旦我有了密码,我就可以以正常方式使用电子邮件和密码的组合来查找(或不查找)用户。有谁知道我如何才能访问密码?
感谢任何建议 - 最大
编辑 - 在进一步谷歌搜索时,我认为我使用了错误的方法:我应该只返回密码或加密密码。但是我如何将其与作为 http_digest 用户名一部分传递的密码进行比较?
I have an app which connects to an iphone app, which in turn authenticates it's users via http_digest.
I'm using authlogic, and in my schema users of the website are "users" and users of the phone app are "people". So, i have user_sessions and people_sessions. To handle the http_digest auth, i'm using the authenticate_or_request_with_http_digest method like this:
def digest_authenticate_person
authenticate_or_request_with_http_digest do |email, password|
#ldb is just a logging method i have
ldb "email = #{email.inspect}, password = #{password.inspect}"
person = Person.find_by_email(email)
if person
ldb "Authentication successful: Got person with id #{person.id}"
@current_person_session = PersonSession.create(person)
else
ldb "Authentication failed"
@current_person_session = nil
end
return @current_person_session
end
end
I can see in the logs that password is nil: only email is passed through to the inside of the authenticate_or_request_with_http_digest block.
Im testing this with a curl call like so:
curl --digest --user [email protected]:apass "http://localhost:3000/reports.xml"
I'd expect "[email protected]" and "apass" to get passed through to the inside of the block. Once i have the password then i can use a combination of email and password to find (or not) a user, in the normal way. Does anyone know how i can get access to the password as well?
grateful for any advice - max
EDIT - on further googling, i think i'm using this method wrong: i'm supposed to just return the password, or the crypted password. But then how do i compare that against the password passed as part of the http_digest username?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
找到答案:我对authenticate_or_request_with_http_digest的工作原理有一个根本性的误解:阅读文档(在gem的源代码中)后,我意识到这个方法的目的不是进行身份验证,它的目的是向浏览器提供“email:realm:password”字符串,让浏览器对其进行加密,并根据其自己计算(或缓存)的版本检查结果。
我的设置方法如下:
Found the answer: i had a fundamental misunderstanding of how authenticate_or_request_with_http_digest works: after reading the documentation (in the source code of the gem) i realised that the purpose of this method is not to do the authentication, its purpose is to provide the "email:realm:password" string to the browser, let the browser encrypt it, and check the result against it's own calculated (or cached) version of this.
Here's how i set it up: