Module: Sentiero::Web::BasicAuthCheck

Defined in:
lib/sentiero/web/basic_auth_check.rb

Overview

Shared HTTP Basic credential checking. Constant-time comparison; assumes TLS terminated upstream.

Class Method Summary collapse

Class Method Details

.authorized?(env, creds) ⇒ Boolean

Returns:

  • (Boolean)


16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
# File 'lib/sentiero/web/basic_auth_check.rb', line 16

def authorized?(env, creds)
  return false if credentials_blank?(creds)

  header = env["HTTP_AUTHORIZATION"]
  return false unless header

  scheme, encoded = header.split(" ", 2)
  return false unless scheme&.downcase == "basic" && encoded

  begin
    # Strict base64 decode: "m0" raises ArgumentError on invalid input.
    decoded = encoded.unpack1("m0")
  rescue ArgumentError
    return false
  end

  user, password = decoded.split(":", 2)
  return false if user.nil? || password.nil?

  user_ok = Rack::Utils.secure_compare(user, creds[:user].to_s)
  pass_ok = Rack::Utils.secure_compare(password, creds[:password].to_s)
  user_ok && pass_ok
end

.credentials_blank?(creds) ⇒ Boolean

Returns:

  • (Boolean)


12
13
14
# File 'lib/sentiero/web/basic_auth_check.rb', line 12

def credentials_blank?(creds)
  creds[:user].to_s.empty? || creds[:password].to_s.empty?
end