From b8ab9a835b26fd0cb913b62c0c289e45d9b379ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Valim?=
Date: Mon, 23 Aug 2010 10:22:31 -0300
Subject: [PATCH] Disable HTTP Authentication by default. You can turn it on in the initializer.

---
 CHANGELOG.rdoc                               | 1 +
 lib/devise.rb                                | 4 ++--
 lib/devise/failure_app.rb                    | 8 +-------
 lib/devise/strategies/authenticatable.rb     | 2 +-
 lib/generators/templates/devise.rb           | 4 ++--
 test/rails_app/config/initializers/devise.rb | 2 +-
 6 files changed, 8 insertions(+), 13 deletions(-)

diff --git a/CHANGELOG.rdoc b/CHANGELOG.rdoc
index 15ee05d5..1e02984a 100644
--- a/CHANGELOG.rdoc
+++ b/CHANGELOG.rdoc
@@ -1,5 +1,6 @@
 * deprecations
   * sign_out_all_scopes defaults to true as security measure
+  * http authenticatable is disabled by default
 
 * enhancements
   * Added OAuth 2 support

diff --git a/lib/devise.rb b/lib/devise.rb
index 2d4a3360..93c8a60c 100644
--- a/lib/devise.rb
+++ b/lib/devise.rb
@@ -70,9 +70,9 @@ module Devise
 
   # If http authentication is enabled by default.
   mattr_accessor :http_authenticatable
-  @@http_authenticatable = true
+  @@http_authenticatable = false
 
-  # If http authentication is used for ajax requests. True by default.
+  # If http headers should be returned for ajax requests. True by default.
   mattr_accessor :http_authenticatable_on_xhr
   @@http_authenticatable_on_xhr = true
 
diff --git a/lib/devise/failure_app.rb b/lib/devise/failure_app.rb
index ada9d295..5e95d855 100644
--- a/lib/devise/failure_app.rb
+++ b/lib/devise/failure_app.rb
@@ -27,7 +27,6 @@ module Devise
       elsif warden_options[:recall]
         recall
       else
-        debug!
         redirect
       end
     end
@@ -53,11 +52,6 @@ module Devise
 
     protected
 
-    def debug!
-      return unless Rails.logger.try(:debug?)
-      Rails.logger.debug "[Devise] Could not sign in #{scope}: #{i18n_message.inspect}."
-    end
-
     def i18n_message(default = nil)
       message = warden.message || warden_options[:message] || default || :unauthenticated
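Review bot: The comment above `mattr_accessor :http_authenticatable` in lib/devise.rb still reads `# If http authentication is enabled by default.`, which no longer tells a reader what the default is or why it changed, while the sibling comment for `http_authenticatable_on_xhr` states its default explicitly. The CHANGELOG hunk files this under "security measure", so record that where the setting is defined, e.g. `# Whether HTTP Basic authentication is enabled. Disabled by default as a security measure; opt in from the initializer with config.http_authenticatable = true.` The hunk's enclosing module continues outside it.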
@@ -74,7 +68,7 @@ module Devise
     end
 
     def http_auth?
-      !Devise.navigational_formats.include?(request.format.to_sym) || (request.xhr? && Devise.http_authenticatable_on_xhr)
+      !Devise.navigational_formats.include?(request.format.to_sym) || (Devise.http_authenticatable_on_xhr && request.xhr?)
     end
 
     def http_auth_body
diff --git a/lib/devise/strategies/authenticatable.rb b/lib/devise/strategies/authenticatable.rb
index 2215bba9..8f5926cb 100644
--- a/lib/devise/strategies/authenticatable.rb
+++ b/lib/devise/strategies/authenticatable.rb
@@ -9,7 +9,7 @@ module Devise
       attr_accessor :authentication_hash, :password
 
       def valid?
-        valid_for_http_auth? || valid_for_params_auth?
+        valid_for_params_auth? || valid_for_http_auth?
       end
 
       private
diff --git a/lib/generators/templates/devise.rb b/lib/generators/templates/devise.rb
index 028ebbd4..e302dce8 100644
--- a/lib/generators/templates/devise.rb
+++ b/lib/generators/templates/devise.rb
@@ -25,10 +25,10 @@ Devise.setup do |config|
   # Tell if authentication through request.params is enabled. True by default.
   # config.params_authenticatable = true
 
-  # Tell if authentication through HTTP Basic Auth is enabled. True by default.
+  # Tell if authentication through HTTP Basic Auth is enabled. False by default.
   # config.http_authenticatable = true
 
-  # Set this to true to use Basic Auth for AJAX requests. True by default.
+  # If http headers should be returned for AJAX requests. True by default.
   # config.http_authenticatable_on_xhr = true
 
   # The realm used in Http Basic Authentication
diff --git a/test/rails_app/config/initializers/devise.rb b/test/rails_app/config/initializers/devise.rb
index eea767c8..376cd080 100644
--- a/test/rails_app/config/initializers/devise.rb
+++ b/test/rails_app/config/initializers/devise.rb
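Review bot: `http_auth?` in lib/devise/failure_app.rb still decides the 401 path purely from the request format and `Devise.http_authenticatable_on_xhr`; it never consults the `Devise.http_authenticatable` flag this commit turns off, so non-navigational and XHR failures will presumably keep taking the HTTP-auth branch even when Basic credentials can no longer authenticate. Whether a `WWW-Authenticate` challenge is actually emitted is decided in `http_auth`, which is outside this hunk, and the new comment in lib/devise.rb ("http headers should be returned") suggests this decoupling is intentional; if so, say it here so the next reader does not ask the same question: `# Independent of Devise.http_authenticatable: non-navigational/XHR requests get a 401 response instead of a redirect.` The operand swap itself is behavior-neutral, as `&&` is commutative for these two boolean predicates.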
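Review bot: Swapping the operands of `valid?` in lib/devise/strategies/authenticatable.rb changes which credentials win when a request carries both form parameters and an Authorization header — params are now checked first and short-circuit HTTP auth — and neither the hunk nor the commit message records that precedence. A one-line comment on the changed line would pin it: `# Params credentials take precedence; HTTP Basic is only consulted when they are absent.` Whether `valid_for_http_auth?` also honours the new `Devise.http_authenticatable` default cannot be seen here, since that predicate is defined outside the hunk. The enclosing class continues past the hunk on both sides.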
@@ -26,7 +26,7 @@ Devise.setup do |config|
   # config.params_authenticatable = true
 
   # Tell if authentication through HTTP Basic Auth is enabled. True by default.
-  # config.http_authenticatable = true
+  config.http_authenticatable = true
 
   # The realm used in Http Basic Authentication
   # config.http_authentication_realm = "Application"
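Review bot: The context comment directly above the newly enabled line still says `True by default`, which this same commit turns false in lib/devise.rb and rewrites as `False by default` in the generator template, so the test app's initializer now contradicts both. Change it to `# Tell if authentication through HTTP Basic Auth is enabled. False by default.` and add a reason for the override, e.g. `# Enabled for the test app so the HTTP Basic strategy is exercised by the suite.` Because the test app turns the setting back on globally, presumably nothing in the suite exercises the new default; a unit test asserting `Devise.http_authenticatable == false` before any initializer runs would pin the hardening this commit introduces.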