Fixed that HTTP authentication should work if the header is called REDIRECT_X_HTTP_AUTHORIZATION as well (closes #6754) [mislaw]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7091 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

actionpack/CHANGELOG

@@ -1,5 +1,7 @@
 *SVN*
 
+* Fixed that HTTP authentication should work if the header is called REDIRECT_X_HTTP_AUTHORIZATION as well #6754 [mislaw]
+
 * Don't mistakenly interpret the request uri as the query string.  #8731 [lifofifo, Jeremy Kemper]
 
 * Make ActionView#view_paths an attr_accessor for real this time.  Also, don't perform an unnecessary #compact on the @view_paths array in #initialize.  Closes #8582 [dasil003, julik, rick]

actionpack/lib/action_controller/http_authentication.rb

@@ -68,6 +68,13 @@ module ActionController
     # 
     #     assert_equal 200, status
     #   end
+    #  
+    #  
+    # On shared hosts, Apache sometimes doesn't pass authentication headers to
+    # FCGI instances. If your environment matches this description and you cannot
+    # authenticate, try this rule in public/.htaccess (replace the plain one):
+    # 
+    #   RewriteRule ^(.*)$ dispatch.fcgi [E=X-HTTP_AUTHORIZATION:%{HTTP:Authorization},QSA,L]
     module Basic
       extend self
 
@@ -100,11 +107,12 @@ module ActionController
       def authorization(request)
         request.env['HTTP_AUTHORIZATION']   ||
         request.env['X-HTTP_AUTHORIZATION'] ||
-        request.env['X_HTTP_AUTHORIZATION']
+        request.env['X_HTTP_AUTHORIZATION'] ||
+        request.env['REDIRECT_X_HTTP_AUTHORIZATION']
       end
     
       def decode_credentials(request)
-        Base64.decode64(authorization(request).split.last)
+        Base64.decode64(authorization(request).split.last || '')
       end
 
       def encode_credentials(user_name, password)

actionpack/test/controller/http_authentication_test.rb

@@ -3,35 +3,42 @@ require File.dirname(__FILE__) + '/../abstract_unit'
 class HttpBasicAuthenticationTest < Test::Unit::TestCase
   include ActionController::HttpAuthentication::Basic
   
-  def setup
+  class DummyController
-    @controller = Class.new do
+    attr_accessor :headers, :renders, :request
-      attr_accessor :headers, :renders
     
     def initialize
       @headers, @renders = {}, []
-      end
+      @request = ActionController::TestRequest.new
-      
-      def request
-        Class.new do
-          def env
-            { 'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials("dhh", "secret") }
-          end
-        end.new
     end
     
     def render(options)
       self.renders << options
     end
-    end.new
+  end
+
+  def setup
+    @controller  = DummyController.new
+    @credentials = ActionController::HttpAuthentication::Basic.encode_credentials("dhh", "secret")
   end
 
   def test_successful_authentication
-    assert authenticate(@controller) { |user_name, password| user_name == "dhh" && password == "secret" }
+    login = Proc.new { |user_name, password| user_name == "dhh" && password == "secret" }
+    set_headers
+    assert authenticate(@controller, &login)
+
+    set_headers ''
+    assert_nothing_raised do
+      assert !authenticate(@controller, &login)
     end
 
+    set_headers nil
+    set_headers @credentials, 'REDIRECT_X_HTTP_AUTHORIZATION'
+    assert authenticate(@controller, &login)
+  end
 
   def test_failing_authentication
-    assert !authenticate(@controller) { |user_name, password| user_name == "dhh" && password == "secret!!" }
+    set_headers
+    assert !authenticate(@controller) { |user_name, password| user_name == "dhh" && password == "incorrect" }
   end
   
   def test_authentication_request
@@ -39,4 +46,9 @@ class HttpBasicAuthenticationTest < Test::Unit::TestCase
     assert_equal 'Basic realm="Megaglobalapp"', @controller.headers["WWW-Authenticate"]
     assert_equal :unauthorized, @controller.renders.first[:status]
   end
+
+  private
+    def set_headers(value = @credentials, name = 'HTTP_AUTHORIZATION')
+      @controller.request.env[name] = value
+    end
 end