HTTP Basic Authentication in Ruby on Rails with authenticate_or_request_with_http_basic

When building a web application, security is crucial. While full-featured authentication systems such as OAuth or Devise are almost always necessary for comprehensive security, there are scenarios where a simpler method is sufficient. One such method is HTTP Basic Authentication, which can be implemented in Ruby on Rails with the authenticate_or_request_with_http_basic helper.

In this article, we’ll explore a case where HTTP Basic Authentication could be useful and see how it works.

When to Use HTTP Basic Authentication

HTTP Basic Authentication is a straightforward way to protect resources by requiring a username and password. It is not suitable for most scenarios. Still, it can be a good fit for prototyping, where simplicity is key, or for small internal tools that don’t hold sensitive information and don’t need advanced security features.

Disclaimer: for applications that require stronger security, consider using more robust authentication solutions. Always check with a security expert before making a decision on your authentication system.

Example Use Case

Imagine we’re developing a prototype with a simple admin interface for managing a blog. This interface will only be used with our client during a demo, so a full-fledged authentication system is overkill. Instead, we decide to use HTTP Basic Authentication to quickly secure the admin routes.

Implementing HTTP Basic Authentication in Ruby on Rails

First, we need to define the authentication method in our ApplicationController or a specific controller where we want to apply the authentication.

    class ApplicationController < ActionController::Base
      # Runs before every action in this controller (and, for
      # ApplicationController, in every controller that inherits from it).
      before_action :authenticate

      private

      def authenticate
        # The block receives the username and password sent in the
        # Authorization header; a truthy result lets the request through,
        # a falsy one makes Rails respond with 401 and a login challenge.
        authenticate_or_request_with_http_basic do |username, password|
          username == "admin" && password == "password"
        end
      end
    end

In this example, the authenticate method uses authenticate_or_request_with_http_basic to check the provided username and password. If the credentials don’t match “admin” and “password”, the request is denied with a 401 response carrying a WWW-Authenticate header, which is what makes the browser prompt for credentials.

Now, if we access our app, we see something like this:

[Image: browser login prompt for HTTP basic authentication in Ruby on Rails]

Important: never leave sensitive data in the code. For simplicity, I used ‘admin’ and ‘password’ here, but a better approach is to store them in the Rails encrypted credentials (Rails.application.credentials) and read them from there.
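As an added example (not code from the original article), here is plain Ruby that mirrors what authenticate_or_request_with_http_basic does on each request, so you can see what the block above is actually comparing: it decodes the Authorization header, compares the credentials in constant time (a stand-in for ActiveSupport::SecurityUtils.secure_compare, which you would use inside the Rails block instead of ==), and answers 401 with a WWW-Authenticate challenge on mismatch. The credential constants are constructed placeholders for values you would read from Rails credentials.

```ruby
require "base64"

# Constructed demo credentials; in a real app read these from
# Rails.application.credentials rather than hard-coding them.
EXPECTED_USER = "admin"
EXPECTED_PASSWORD = "correct horse battery staple"

# Constant-time comparison standing in for ActiveSupport::SecurityUtils.secure_compare.
# A plain == returns at the first differing byte, so response timing leaks how
# much of the secret a guess got right. (Length still leaks, as in ActiveSupport.)
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Decode "Authorization: Basic base64(user:password)" into [user, password].
# Returns nil for a missing, non-Basic, or malformed header. split(":", 2)
# keeps any colons inside the password.
def parse_basic_auth(header)
  return nil unless header && header.start_with?("Basic ")
  user, password = Base64.strict_decode64(header.sub("Basic ", "")).split(":", 2)
  return nil if user.nil? || password.nil?
  [user, password]
rescue ArgumentError # invalid base64
  nil
end

# Mirrors authenticate_or_request_with_http_basic: run the credential check and
# either let the request through or answer 401 with a WWW-Authenticate
# challenge, which is what makes the browser show the login prompt.
def authenticate_request(headers, realm: "Application")
  creds = parse_basic_auth(headers["Authorization"])
  if creds && secure_compare(creds[0], EXPECTED_USER) &&
     secure_compare(creds[1], EXPECTED_PASSWORD)
    { status: 200, body: "admin dashboard" }
  else
    { status: 401,
      headers: { "WWW-Authenticate" => %(Basic realm="#{realm}") },
      body: "HTTP Basic: Access denied." }
  end
end

# Constructed requests: correct credentials, a wrong password, and no header.
good = { "Authorization" => "Basic " + Base64.strict_encode64("#{EXPECTED_USER}:#{EXPECTED_PASSWORD}") }
bad  = { "Authorization" => "Basic " + Base64.strict_encode64("admin:guess") }
puts authenticate_request(good)[:status] # 200
puts authenticate_request(bad)[:status]  # 401
puts authenticate_request({})[:status]   # 401
```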

Protect Specific Routes Only

If we only want to protect specific routes, we can move the before_action to the relevant controller:

    class AdminController < ApplicationController
      before_action :authenticate

      def index
        # Admin dashboard code here
      end
    end

This ensures that only the AdminController routes are protected by HTTP Basic Authentication (provided the before_action is removed from ApplicationController, where it would otherwise apply to every controller).

Checking Our Authentication System

Start your Rails server and navigate to the protected route. Your browser should prompt you for a username and password, similar to the image above. Enter the credentials specified in your authenticate method and you’ll gain access to the protected resource.

Conclusion

While HTTP Basic Authentication is not as secure as more complex systems, it is a quick and effective way to protect resources in scenarios where simplicity is sufficient. It’s especially useful for prototypes or internal tools that don’t have sensitive information. By leveraging authenticate_or_request_with_http_basic, you can easily implement this authentication method in your Ruby on Rails application.

Remember
For applications that require stronger security, consider using more robust authentication solutions. But for the right use case, sometimes HTTP Basic Authentication is just enough.