Using HTTP Authentication with token instead of email


Denis Hennessy

Mar 31, 2010, 6:32:00 PM
to Devise
I'm building an app where users can log in using their browsers, and
are authenticated with email/password. I also have an API which is
authenticated using an auth_token parameter.

However the client does not like the auth_token parameter because it's
visible on GET requests and he's asked to use HTTP Authentication
instead _except_ that he wants the http auth to use the auth_token as
the username rather than the user's email address. Part of the reason
for this is that the auth_token is baked into an iPhone app, which
will have to continue working even if the user changes his password.

Is this easy/possible to do?

For a better explanation of what I'm trying to achieve, it's the same
scheme as used in Highrise: http://developer.37signals.com/highrise/

Thanks,
Denis

José Valim

Mar 31, 2010, 7:05:00 PM
to plataforma...@googlegroups.com
That's interesting Denis!
Which Rails/Devise version are you using?
--
José Valim

Director of Engineering - Plataforma Tecnologia
Know more about us: http://plataformatec.com.br/en/

Denis Hennessy

Mar 31, 2010, 7:08:23 PM
to plataforma...@googlegroups.com
I'm using devise 1.0.1 (but don't mind switching to the latest if it would help).

/dh

José Valim

Mar 31, 2010, 7:13:32 PM
to plataforma...@googlegroups.com
You just need to include both :http_authenticatable and :token_authenticatable in your class and overwrite authenticate_with_http to use authenticate_with_token:

Denis Hennessy

Mar 31, 2010, 7:34:55 PM
to plataforma...@googlegroups.com
Thanks Jose, that worked perfectly!!

For anyone else looking at this, here's what I added to my User class:

  # The HTTP Basic username carries the auth_token; the password is ignored.
  def self.authenticate_with_http(username, password)
    self.authenticate_with_token(:auth_token => username)
  end

/dh
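
The scheme discussed in this thread (API token sent as the HTTP Basic username, password ignored), as an added stand-alone example that is not code from the thread or from Devise. The names `TOKENS`, `secure_equal?`, `token_from_basic_header` and `authenticate` are hypothetical, and the sample token is constructed.

```ruby
require "digest"

# Constructed sample data: SHA-256 digest of the token => user id.
# Storing only the digest means a leaked table does not reveal usable tokens.
TOKENS = {
  Digest::SHA256.hexdigest("tok_constructed_example_1") => 1,
}.freeze

# Compare two strings without exiting early on the first mismatching byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Extract the token from an Authorization header value.
# Returns nil for a missing header, a non-Basic scheme, invalid Base64,
# or an empty username.
def token_from_basic_header(header)
  scheme, encoded = header.to_s.split(" ", 2)
  return nil unless scheme&.casecmp?("Basic") && encoded
  decoded = encoded.strip.unpack1("m0")        # strict Base64, raises on junk
  username, _password = decoded.split(":", 2)  # the password part is ignored
  username.to_s.empty? ? nil : username
rescue ArgumentError
  nil
end

# Returns the user id for a valid token, or nil.
def authenticate(header)
  token = token_from_basic_header(header)
  return nil unless token
  presented = Digest::SHA256.hexdigest(token)
  match = TOKENS.find { |digest, _id| secure_equal?(digest, presented) }
  match && match[1]
end
```

Basic credentials are only Base64-encoded, so moving the token from the query string into the header keeps it out of URLs and logs but still relies on TLS for confidentiality in transit.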