#6 ✓resolved
Georg Ledermann

Authenticate by feed token

Reported by Georg Ledermann | November 11th, 2008 @ 04:35 PM

Do you have plans for implementing authentication by feed token? This would be very helpful to give the user simple access to a feed. Most feed readers have trouble with authentication by username/password.

For example, at github you get a feed URL like this for accessing the private news feed: https://github.com/username.priv...

Comments and changes to this ticket

  • Ben Johnson

    Ben Johnson November 11th, 2008 @ 04:38 PM

    • State changed from “new” to “open”

    So basic http auth is not doable?

    http://username:password@github.com/whatever.atom

    The password can be the crypted password.

  • Georg Ledermann

    Georg Ledermann November 11th, 2008 @ 05:49 PM

    • Tag changed from feed, tooken to feed, http_basic_authentication, tooken

    You are right, http authentication by using the username:password@ notation is supported by lots of feed readers. And using the crypted password is a good idea. Thanks!

    But I got stuck with http basic authentication in authlogic, because it didn't work in my application. I looked in the plugin source and found that the block starting with

       controller.authenticate_with_http_basic do |login, password|


    will not be executed, even if login/password ARE given via http basic.

    Of course, the "find_with" option includes :http_auth

    After some debugging I made this change in Authlogic::ControllerAdapters::RailsAdapter

      # Override in Authlogic::ControllerAdapters::RailsAdapter: the "or_request"
      # variant sends a 401 challenge when no credentials are present instead of
      # silently skipping the block.
      def authenticate_with_http_basic(&block)
        controller.authenticate_or_request_with_http_basic(&block)
      end


    Note: authenticate_or_request_with_http_basic is used instead of authenticate_with_http_basic

    Now it works. But I don't know why. Perhaps you can check this.

  • Ben Johnson

    Ben Johnson November 11th, 2008 @ 05:55 PM

    Thanks for pointing this out. authenticate_or_request_with_http_basic will pop up a username and password dialog if the session or cookie login fails, which you don't want. When you call authenticate_with_http_basic it should check for basic auth and execute the block accordingly.

    I will run some tests and see what I can come up with, but the "or_request" method will not be user friendly on the html interface since it will keep popping up a username and password dialog.

  • Georg Ledermann

    Georg Ledermann November 12th, 2008 @ 08:05 AM

    I have made additional checks with different feed readers (Vienna, NetNewsWire, Thunderbird, Apple Mail). It seems to me that none of them send the request parameters (controller.request.env) indicating http authentication (HTTP_AUTHORIZATION, X-HTTP_AUTHORIZATION, X_HTTP_AUTHORIZATION or REDIRECT_X_HTTP_AUTHORIZATION) when the "username:password@" notation is used; they do so only if the server requests it.

    So it seems to me that if the request is for a feed, it would be better to use "authenticate_or_request_with_http_basic", so the feed reader can pop up a login form.

    But I'm sure you will find a better solution... ;-)

  • Ben Johnson

    Ben Johnson November 12th, 2008 @ 10:13 PM

    Even then, a manual login is annoying. I was under the assumption that if you provided the username / password the login box was unnecessary; it seems kind of redundant to do that.

    Anyways, I guess the other solution is to login by token, which really won't be hard to do. I will add that in. I'm thinking something like:

    http://whatever.com?user_credent...
    
  • Ben Johnson

    Ben Johnson November 12th, 2008 @ 10:55 PM

    • State changed from “open” to “resolved”

    This is all set. Update from the repo. This was pretty simple to implement. Check out Authlogic::Session::Params

    I also added a configuration option to change the name of the params key. Let me know if you have any problems.

  • Georg Ledermann

    Georg Ledermann November 13th, 2008 @ 03:11 AM

    Thank you for this work! Here are my thoughts:

    The "find_with" default order should have :params first, because if there is a token key in the URL, it should be checked BEFORE session or cookie.

    In addition, if there is a param key given but the value is wrong, authentication should fail IMHO (instead of falling back to other authentication methods). Perhaps this would be a good idea for other authentication methods, too (e.g. if the cookie key is given but wrong, there should be no fallback to http_auth).

    Another thing: If authentication was made by token, I'm not sure if a cookie/session should be set. IMHO authentication by token is a kind of "one-time-authentication", so the next request should supply the token again.

    But these are only my crude thoughts ;-)

  • Ben Johnson

    Ben Johnson November 13th, 2008 @ 03:19 AM

    Hi Georg,

    I actually had the params first, then changed it back, because you really want the session to be checked first when persisting the session. You want that to be as fast as possible. The "login" methods should be last if you are looking at it from this perspective. I viewed the login token as an alternate way to login, not really a one time authentication method.

    But I think I agree with you, I'm going to sleep on it and try to implement it tomorrow. Either way it will be simple to make that change.

    Do you have AIM or a chat service? I have some ideas for open id authentication and need someone to bounce them off of, we seem to do quite a bit of that on here. Just email me your screen name if you don't mind chatting for a minute. Thanks!

  • Ben Johnson

    Ben Johnson November 13th, 2008 @ 03:32 AM

    Also, what do you think about requiring a secure connection for this type of login? I am not a hacker so I don't know how connections are actually intercepted, but couldn't you intercept a request and obtain the cookie details, which is essentially the same thing?

  • Georg Ledermann

    Georg Ledermann November 13th, 2008 @ 04:11 AM

    • Tag changed from feed, http_basic_authentication, tooken to feed, http_basic_authentication, security, tooken

    After some thinking about it, IMHO the authentication by token MUST be a one-time authentication to avoid security problems. See this example:

    User logs into the application by giving username/password, then he goes to a page which offers a feed. The feed URL contains a token. He takes this URL and stores it in his OnlineFeedReader (Google Reader, NetVibes or something like that). Now everyone who knows this URL can put it in his browser, get a cookie and be logged in, so he can use the whole application (!)

    I think this is very dangerous and should not be possible. Knowing the URL of the feed should give access only to the feed, not more. Using a secure connection (https) does not help here, IMHO. I think two things are needed:

    1) Authentication by token should really NOT log in the user, so no cookie should be saved
    2) The feed token must not be identical to the remember token, because otherwise a login cookie can be constructed by knowing the feed token. Perhaps a new field "login_token" is needed in the user model

    My experience with OpenID is very low, but I'm glad to help you if I can. I will send you my Skype name by e-mail.

  • Ben Johnson

    Ben Johnson November 13th, 2008 @ 11:00 AM

    I agree, I think even better, token authentication should only be allowed for feeds period. Do you have a problem with this? Maybe I'll make a config option for request types to allow token authentication for.

    I'll have these implemented shortly.

  • Georg Ledermann

    Georg Ledermann November 13th, 2008 @ 11:32 AM

    This sounds good, I'm looking forward to your implementation.

  • Ben Johnson

    Ben Johnson November 13th, 2008 @ 11:56 AM

    I'm trying to determine why I need a separate token for this, especially if I am only allowing this token to be accepted for rss and atom requests.

    The only reason I can think of is that the remember_token changes with the password. So if they change their password they have to re-add the feed into their reader.

    What are your thoughts on this?

  • Georg Ledermann

    Georg Ledermann November 13th, 2008 @ 12:02 PM

    IMHO, if the remember_token is used for feed authentication too, then someone who knows the token (because he knows the feed URL) can construct a valid cookie to login and use the whole application. Only if the token is separated from the feed_token, knowing the feed URL does not allow accessing other parts of the application.

    I think using different tokens is the better way. And it's more comfortable if the password gets changed (because the feed token should not change in this situation).
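The design the two of them converge on above (params checked first with no fallback when the token is wrong, a single-access token that never sets a cookie, a token separate from the remember token, and token login accepted only for feed formats) as an added illustration in plain Ruby. This is not Authlogic's code: the in-memory user store, the `feed_token` parameter name and the `authenticate` helper are assumptions made for the example.

```ruby
require "securerandom"

# Constructed in-memory user record standing in for the user model (assumption).
# The single-access token is a separate column from the remember token, so
# knowing a feed URL never yields a value that is valid as a login cookie.
User = Struct.new(:login, :remember_token, :single_access_token, keyword_init: true)

USERS = {
  "georg" => User.new(login: "georg",
                      remember_token: SecureRandom.hex(16),
                      single_access_token: SecureRandom.hex(16))
}.freeze

# Request formats for which a single-access token is accepted at all.
SINGLE_ACCESS_FORMATS = %w[rss atom].freeze

# Hypothetical query parameter carrying the token (the real key name is configurable).
TOKEN_PARAM = "feed_token"

Result = Struct.new(:user, :persist, :reason)

# Constant-time string comparison so a wrong token does not leak timing information.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# request: { format: "atom", params: { "feed_token" => "..." }, cookie: "..." }
# Returns a Result; :persist tells the caller whether a session cookie may be written.
def authenticate(request)
  token = (request[:params] || {})[TOKEN_PARAM]
  if token
    # A token was supplied: decide on it alone, never fall back to cookie/session.
    unless SINGLE_ACCESS_FORMATS.include?(request[:format])
      return Result.new(nil, false, :format_not_allowed)
    end
    user = USERS.values.find { |u| secure_compare(u.single_access_token, token) }
    return Result.new(nil, false, :bad_token) unless user
    return Result.new(user, false, :single_access) # one-time: no cookie is set
  end
  cookie = request[:cookie]
  if cookie
    user = USERS.values.find { |u| secure_compare(u.remember_token, cookie) }
    return user ? Result.new(user, true, :cookie) : Result.new(nil, false, :bad_cookie)
  end
  Result.new(nil, false, :anonymous)
end
```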

  • Ben Johnson

    Ben Johnson November 13th, 2008 @ 12:06 PM

    Alright, I agree, I'll have this done shortly.

  • Ben Johnson

    Ben Johnson November 13th, 2008 @ 07:39 PM

    This is all set, I released an update. Check out the "Single Access" section in the readme. Also check out the various config options. Let me know what you think.

  • Georg Ledermann

    Georg Ledermann November 14th, 2008 @ 05:12 AM

    Wow, works great! I'm very happy with this implementation!

    One small thing: The option "change_single_access_token_with_password" cannot be set in class UserSession. It seems the class method is missing there. It works only as an options parameter for "acts_as_authentic"

  • Ben Johnson

    Ben Johnson November 14th, 2008 @ 01:06 PM

    Right, because the password changes there, not in the session. There are 2 sets of configurations for Authlogic:

    1. The session
    2. The model

  • Georg Ledermann

    Georg Ledermann November 14th, 2008 @ 02:52 PM

    Ok, I understand. Thank you for clarification!

  • Ben Johnson

    Ben Johnson November 14th, 2008 @ 02:53 PM

    Yeah, I noticed the typo in the readme, I am fixing that now.
