Bummer! This is just a preview. You need to be signed in with a Treehouse account to view the entire video.

Preview

Start a free Basic trial
to watch this video

Sign up for Treehouse

Basic Authentication: Part 2

2:52 with Naomi Freeman

In this video, we'll continue to build out the HTTP Basic authentication method for our base API controller.

Code Samples

We can modify our authenticate method to use actual authentication logic and not hard code it:

def authenticate
  authenticate_or_request_with_http_basic do |email, password|
    Rails.logger.info "API authentication:#{email} #{password}"
    user = User.find_by(email: email)
    if user && user.authenticate(password)
      Rails.logger.info "Logging in #{user.inspect}"
      true
    else
      Rails.logger.warn "No valid credentials."
      false
    end
  end
end
  • 0:01

    Now that we have our authentication filter set up and

  • 0:03

    we know it's working, we can implement the code to actually authenticate a user.

  • 0:08

    Let's look at the user sessions controller to see how authentication is currently

  • 0:12

    handled in the app.

  • 0:15

    It looks like we find the user based on email address.

  • 0:20

    If the user exists, we attempt to authenticate the method,

  • 0:24

    which will return true or false.

  • 0:27

    We can reuse this logic in our API authenticate method, so

  • 0:31

    let's go back to the API controller inside our authenticate method.

  • 0:36

    And first, let's change the arguments to the authenticate or

  • 0:39

    request with HTTP basic to reflect what's actually going in from user to email.

  • 0:49

    And we're going to delete this line.

  • 0:53

    Now, for debugging purposes, let's write to the RAILS log so

  • 0:57

    we can review if something goes wrong.

  • 1:00

    [BLANK_AUDIO]

  • 1:10

    Now, let's find the user by the email address.

  • 1:19

    Then, we can reuse the other session creation logic that we just saw in

  • 1:22

    the user sessions controller.

  • 1:26

    If there's a user, and the user is authenticated.

  • 1:34

    For now, let's just write a log message that we're logging in the user.

  • 1:36

    [BLANK_AUDIO]

  • 1:46

    And we need to return true from the authenticator request with HTTP

  • 1:50

    basic block.

  • 1:51

    We don't use the return keyword because we're inside of a block,

  • 1:54

    and we would get very strange behavior.

  • 1:56

    Instead, we'll use the implicit version, which is just true.

  • 2:00

    If no user is found, we'll write another log method saying that credentials weren't

  • 2:05

    valid and implicitly returned false.

  • 2:07

    [BLANK_AUDIO]

  • 2:17

    Let's go ahead and try this in CURL and see what happens.

  • 2:20

    [BLANK_AUDIO]

  • 2:24

    And you'll see that we have access to all of the information that we did before.

  • 2:28

    Okay so that worked, it's returning other people's ToDoList in addition to mine but

  • 2:32

    we'll fix that soon.

  • 2:33

    Now let's see what happens if I don't give the right password.

  • 2:39

    So our access has been denied.

  • 2:41

    If we go over to our server, you'll see that we do not have valid credentials.

  • 2:46

    Nice work.

  • 2:47

    In our next video, we'll clean this up a bit more and scope our queries.

You need to sign up for Treehouse in order to download course files.

Sign up