Saturday, February 26, 2011

Ruby on Rails Restful Authentication - How it works

This is an overview of how Restful Authentication works. Restful Authentication is a Ruby on Rails plugin. You install it, and the code is in


If your directory is restful-authentication (a hyphen instead of an underscore), then you probably want to rename it to restful_authentication, because, as stated on GitHub, there is an issue if it is not.

A method of major importance is current_user.

Note that it looks like a variable, but it is actually a method. It returns the currently logged-in user, and what it returns is a real User object, so you can use the columns of the users table as you wish. So, for example, if your Rails application adds a blog post to the database, how do you know who the author of this blog post is? It is current_user. Take the author from current_user on the server side, never from a user id submitted in the form, because anything in the request parameters can be set by the client.

Another important method is logged_in? It merely returns whether current_user is something other than false or nil. (Technically, it does a !!current_user, which booleanizes the value to true or false. In Ruby, only false or nil become false that way; any other value becomes true.) So when you need to understand how the whole system behaves with respect to logged_in?, just think of it as the comparison "current_user is neither false nor nil".

If you ever need to change Restful Authentication in any way, such as adding login via OpenID, OmniAuth, JanRain (login with a Facebook, Twitter, Gmail, AOL, Yahoo account, etc.) or Facebook Connect, then it is important to understand how Restful Authentication works.

The most important thing to understand is that current_user checks 3 things, in this order, and the first one that finds a user wins:

1. The user id stored in the Rails session (in the session cookie, in the database, or whatever session store is configured). This is how one page request to the next keeps remembering who the user is. Only the id is stored; on every request it is looked up again in the users table, so deleting the user's row ends the login on the next request. The session cookie is a browser-session cookie, so when the user closes and exits the browser it is discarded and the session goes away as far as that browser is concerned.

2. HTTP Basic Authentication. We can usually skip this part, because it is the browser-native mechanism you occasionally see on a website: the browser pops up a dialog asking for username and password, and the server won't show the content without them (it answers 401 Unauthorized). It mostly matters for scripts and API clients. Note that Basic credentials are only Base64-encoded, not encrypted, and are re-sent with every request, so it is only acceptable over HTTPS.

3. If the user exits the browser (or turns off the computer and comes back an hour or two days later), then, if that user checked the "Remember me" checkbox when logging in previously, there is a "remember me" cookie, named auth_token by default. Its value is compared with the remember_token column in the users table, and the token must not have passed its remember_token_expires_at. If they match and the token has not expired, Restful Authentication treats the user as having come back, sets current_user to that user and re-establishes the session. Treat this token like a password: it is a long random value stored in clear in the users table, anyone who can read it (from the database or from the cookie) can log in as that user for as long as it lives, and logging out should clear it server-side (the plugin's forget_me), not just delete the cookie.

Also worth noting is that when current_user needs to be set (if you are modifying Restful Authentication), use self.current_user = a_user rather than assigning @current_user directly: the setter also stores the user's id in the session, so the login survives to the next request, and it clears the session id when you assign nil. Look into the code; a good portion of it is copied into your project when the Restful Authentication generator is run (by you, or by somebody a long time ago):


If you Google for any more info, note that the module name is AuthenticatedSystem.
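To see how the three checks above, the !!current_user booleanization and the self.current_user= setter fit together, here is a self-contained stand-in that models them. This is an added example, not the plugin's own code: the User class is an in-memory substitute for the users table (its column names follow the plugin's generated migration, but the password hashing is a simplified salted SHA-256 rather than the plugin's site-key digest), the controller name AuthDemoController and the authorization_header argument are assumptions, and the lookup order session, then HTTP Basic, then the auth_token cookie mirrors what the text describes.

```ruby
require 'base64'
require 'digest'
require 'securerandom'

# Constructed in-memory stand-in for the users table the restful_authentication
# generator creates (login, crypted_password, salt, remember_token,
# remember_token_expires_at). Illustration only, not the plugin's code; the
# password hashing is a simplified salted SHA-256, not the plugin's site-key digest.
class User
  attr_accessor :id, :login, :crypted_password, :salt, :remember_token, :remember_token_expires_at
  @all = []

  class << self
    attr_reader :all

    def encrypt(password, salt)
      Digest::SHA256.hexdigest("#{salt}--#{password}--")
    end

    def create(login, password)
      u = new
      u.id, u.login, u.salt = all.size + 1, login, SecureRandom.hex(16)
      u.crypted_password = encrypt(password, u.salt)
      all << u
      u
    end

    def find_by_id(id)
      all.find { |u| u.id == id }
    end

    def find_by_remember_token(token)
      return nil if token.nil? || token.empty?
      all.find { |u| u.remember_token == token }
    end

    # The user on a correct password, nil otherwise (as the plugin does).
    def authenticate(login, password)
      u = all.find { |x| x.login == login }
      u && u.crypted_password == encrypt(password, u.salt) ? u : nil
    end
  end

  # A remember token is usable only while it exists AND has not expired.
  def remember_token?
    !remember_token.nil? && !remember_token_expires_at.nil? && Time.now.utc < remember_token_expires_at
  end

  # "Remember me": mint an unguessable token with an expiry; it is stored in clear in the DB.
  def remember_me(ttl_seconds = 14 * 24 * 60 * 60)
    self.remember_token_expires_at = Time.now.utc + ttl_seconds
    self.remember_token = SecureRandom.hex(20)
  end

  # Logout must clear the token server-side, not just drop the cookie.
  def forget_me
    self.remember_token = self.remember_token_expires_at = nil
  end
end

# Stand-in (assumed name) for a controller that includes AuthenticatedSystem.
class AuthDemoController
  attr_reader :session, :cookies

  def initialize(session: {}, cookies: {}, authorization_header: nil)
    @session, @cookies, @authorization_header = session, cookies, authorization_header
    @current_user = nil # nil: not looked up yet; false: looked up, nobody logged in
  end

  # The three lookups, tried in this order; the first hit wins and is memoised.
  def current_user
    return @current_user unless @current_user.nil?
    @current_user = (login_from_session || login_from_basic_auth || login_from_cookie) || false
  end

  def logged_in?
    !!current_user
  end

  # Always assign through this setter: it keeps session[:user_id] in step
  # (nil clears a stale id) and records "checked, nobody" as false.
  def current_user=(new_user)
    session[:user_id] = new_user ? new_user.id : nil
    @current_user = new_user || false
  end

  # 1. user id in the session, looked up again in the users table on every request
  def login_from_session
    self.current_user = User.find_by_id(session[:user_id]) if session[:user_id]
  end

  # 2. HTTP Basic: "Authorization: Basic base64(login:password)", re-sent with every request
  def login_from_basic_auth
    return nil unless @authorization_header.to_s.start_with?('Basic ')
    login, password = Base64.decode64(@authorization_header.sub('Basic ', '')).split(':', 2)
    self.current_user = User.authenticate(login, password)
  end

  # 3. auth_token cookie matched against users.remember_token, then the expiry is checked
  def login_from_cookie
    user = User.find_by_remember_token(cookies[:auth_token])
    self.current_user = user if user && user.remember_token?
  end
end
```

Two details worth noticing when you run it: a stale user id in the session is cleared by the setter rather than left behind, and a cookie login writes the id back into the session, so the remember-me cookie is only consulted once per browser session. An expired or forgotten token is refused even though the cookie still carries the old value, which is why logout has to call forget_me and not merely delete the cookie.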
