HTTP Basic Auth for MySQL password and old_password in Rails

Posted by Edmund Haselwanter on Monday, November 02, 2009

I recently had to develop a small application for a client. The goal was to add a feature to a grown Java web application.

As the software was maintained for several years, there are users with old and new MySQL passwords in the system.

To authenticate the user I have chosen authenticate_or_request_with_http_basic.

As I just needed a handful of actions, all of them go in one controller:

    class MyController < ApplicationController

      before_filter :authenticate

      def index
        # [ ... ]
      end

      protected

      # Ask for HTTP Basic credentials; the block's return value decides
      # whether the request is allowed through.
      def authenticate
        authenticate_or_request_with_http_basic do |id, password|
          @user = User.find_by_name(id)
          # An unknown user name yields nil, which must fail the login
          # instead of raising NoMethodError.
          !@user.nil? && @user.authenticate(password)
        end
      end

    end

To check if the user can be authenticated:

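    class User < ActiveRecord::Base

      # True only if the password matches this user's own user_pass,
      # stored either as password() or as legacy old_password() output.
      # Without the name condition, any user's password would log in
      # any user name.
      def authenticate(password)
        users = User.find_by_sql(["select * from user where name = ? \
                                   AND (user_pass=password(?) OR user_pass=old_password(?))",
                                  name, password, password])
        !users.empty?
      end

    end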

It's a very simple approach.

What do you think?