Disable HTTP Authentication by default. You can turn it on in the initializer.

2022-11-09 12:18:31 -05:00 · 2010-08-23 10:22:31 -03:00 · 2010-08-23 10:22:31 -03:00 · b8ab9a835b
commit b8ab9a835b
parent 617b95fdcd
6 changed files with 8 additions and 13 deletions
--- a/CHANGELOG.rdoc
+++ b/CHANGELOG.rdoc
@ -1,5 +1,6 @@
 * deprecations
  * sign_out_all_scopes defaults to true as security measure
+  * http authenticatable is disabled by default

 * enhancements
  * Added OAuth 2 support
--- a/lib/devise.rb
+++ b/lib/devise.rb
@ -70,9 +70,9 @@ module Devise

  # If http authentication is enabled by default.
  mattr_accessor :http_authenticatable
-  @@http_authenticatable = true
+  @@http_authenticatable = false

-  # If http authentication is used for ajax requests. True by default.
+  # If http headers should be returned for ajax requests. True by default.
  mattr_accessor :http_authenticatable_on_xhr
  @@http_authenticatable_on_xhr = true

--- a/lib/devise/failure_app.rb
+++ b/lib/devise/failure_app.rb
@ -27,7 +27,6 @@ module Devise
      elsif warden_options[:recall]
        recall
      else
-        debug!
        redirect
      end
    end
@ -53,11 +52,6 @@ module Devise

  protected

-    def debug!
-      return unless Rails.logger.try(:debug?)
-      Rails.logger.debug "[Devise] Could not sign in #{scope}: #{i18n_message.inspect}."
-    end
-
    def i18n_message(default = nil)
      message = warden.message || warden_options[:message] || default || :unauthenticated

@ -74,7 +68,7 @@ module Devise
    end

    def http_auth?
-      !Devise.navigational_formats.include?(request.format.to_sym) || (request.xhr? && Devise.http_authenticatable_on_xhr)
+      !Devise.navigational_formats.include?(request.format.to_sym) || (Devise.http_authenticatable_on_xhr && request.xhr?)
    end

    def http_auth_body
--- a/lib/devise/strategies/authenticatable.rb
+++ b/lib/devise/strategies/authenticatable.rb
@ -9,7 +9,7 @@ module Devise
      attr_accessor :authentication_hash, :password

      def valid?
-        valid_for_http_auth? || valid_for_params_auth?
+        valid_for_params_auth? || valid_for_http_auth?
      end

    private
--- a/lib/generators/templates/devise.rb
+++ b/lib/generators/templates/devise.rb
@ -25,10 +25,10 @@ Devise.setup do |config|
  # Tell if authentication through request.params is enabled. True by default.
  # config.params_authenticatable = true

-  # Tell if authentication through HTTP Basic Auth is enabled. True by default.
+  # Tell if authentication through HTTP Basic Auth is enabled. False by default.
  # config.http_authenticatable = true

-  # Set this to true to use Basic Auth for AJAX requests.  True by default.
+  # If http headers should be returned for AJAX requests. True by default.
  # config.http_authenticatable_on_xhr = true

  # The realm used in Http Basic Authentication
--- a/test/rails_app/config/initializers/devise.rb
+++ b/test/rails_app/config/initializers/devise.rb
@ -26,7 +26,7 @@ Devise.setup do |config|
  # config.params_authenticatable = true

  # Tell if authentication through HTTP Basic Auth is enabled. True by default.
-  # config.http_authenticatable = true
+  config.http_authenticatable = true

  # The realm used in Http Basic Authentication
  # config.http_authentication_realm = "Application"