This week I was lucky enough to spend two days at the Merb Sprint. At the sprint I spent some time testing the install and setup process for the Merb Stack and merb_auth (the merb authentication gem). Dan Neighman (aka hassox) spent some time with me going over the merb_auth process and this is my attempt to pass the information on.
This walkthrough will take you through the steps to get a Merb app up and running with a protected resource. It assumes you are running Merb 0.9.9 or greater with the Merb Stack (merb-core, merb-more, and datamapper).
Let's start at the beginning and create an app:
$ merb-gen app authentication_app
$ cd authentication_app
By default merb-gen app will create a user model for you in app/models/user.rb. The model is there, but we still need to create the table in the database and add a user to authenticate with. Let's do that now:
$ rake db:auto_migrate
To create our first user we can drop into Merb’s irb console mode with merb -i. Like Rails’ script/console, merb -i gives you access to your models and other classes.
$ merb -i
u = User.new
u.login = 'joe'
u.password = u.password_confirmation = 'password'
u.save
exit
In order to test authentication we need something to protect. Any controller would work, but let's create a resource:
$ merb-gen resource secret
We will also need to add a route for the resource:
# config/router.rb
Merb::Router.prepare do
  resources :secrets
  ...
end
To protect a controller with authentication we can use the ensure_authenticated before filter. Because it runs before every action in the controller, a request with no logged-in user never reaches the action:
# app/controllers/secrets.rb
class Secrets < Application
  before :ensure_authenticated
  ...
end
Everything should now be set up in our app. Let's give it a run through.
First you need to start your Merb server. Make sure you are in your Merb app's root directory.
$ merb
Now you can check that access to your resource is denied before authentication:
http://localhost:4000/secrets
Log in and try to access the resource again:
http://localhost:4000/login
http://localhost:4000/secrets
You should now be able to access the resource. Awesome.
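To make the flow above concrete without a running Merb server, here is an added, self-contained Ruby illustration of what the tutorial wires together: a user store that keeps salted password hashes, a before filter that fails closed when no user is in the session, and a login action that establishes the session. This is example code written for this walkthrough, not merb_auth's or merb-core's own implementation; the Controller, Sessions, Unauthenticated and walkthrough names, the PBKDF2 storage format and the in-memory STORE are all assumptions made for the example.

```ruby
require 'openssl'
require 'securerandom'

# In-memory user store (hypothetical stand-in for app/models/user.rb).
# Passwords are stored as salted, stretched PBKDF2 hashes, never in clear text.
class User
  ITERATIONS = 20_000
  STORE = {}
  attr_reader :login, :salt, :crypted_password

  def initialize(login, password)
    @login = login
    @salt = SecureRandom.hex(16)
    @crypted_password = User.encrypt(password, @salt)
  end

  def self.encrypt(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, OpenSSL::Digest.new('SHA256'))
  end

  # Byte-wise comparison that does not stop at the first mismatching byte.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.create(login, password)
    STORE[login] = new(login, password)
  end

  # Returns the user for a correct login/password pair, nil otherwise. The hash
  # is computed even for unknown logins so both failure cases take equal time.
  def self.authenticate(login, password)
    user = STORE[login]
    candidate = encrypt(password, user ? user.salt : 'constructed-dummy-salt')
    user if user && secure_equal?(candidate, user.crypted_password)
  end
end

class Unauthenticated < StandardError; end

# Minimal controller base with before filters, mirroring the
# `before :ensure_authenticated` pattern from the tutorial (not merb-core's dispatcher).
class Controller
  attr_reader :session

  def self.before(filter)
    before_filters << filter
  end

  def self.before_filters
    @before_filters ||= []
  end

  def initialize(session)
    @session = session
  end

  # Fail closed: with no user in the session, no action runs at all.
  def ensure_authenticated
    raise Unauthenticated, 'login required' unless session[:user]
  end

  # Runs the filters, then the action. An Unauthenticated error becomes a
  # redirect to /login, which is what the browser sees when hitting /secrets logged out.
  def dispatch(action, *args)
    self.class.before_filters.each { |f| send(f) }
    send(action, *args)
  rescue Unauthenticated
    [302, '/login']
  end
end

class Secrets < Controller
  before :ensure_authenticated

  def index
    [200, "secrets for #{session[:user]}"]
  end
end

# Stand-in for the login form handler behind /login.
class Sessions < Controller
  def create(login, password)
    user = User.authenticate(login, password)
    return [401, 'bad login or password'] unless user
    session[:user] = user.login   # keep only the identity in the session, never the password
    [302, '/secrets']
  end
end

# Replays the tutorial's run-through: denied, failed login, successful login, allowed.
def walkthrough
  User.create('joe', 'password')   # the user created via merb -i in the tutorial
  session = {}
  { before_login: Secrets.new(session).dispatch(:index),
    bad_login:    Sessions.new(session).dispatch(:create, 'joe', 'wrong'),
    good_login:   Sessions.new(session).dispatch(:create, 'joe', 'password'),
    after_login:  Secrets.new(session).dispatch(:index) }
end

puts walkthrough.inspect if $PROGRAM_NAME == __FILE__
```

The important property to carry over to a real app is the one the filter gives you: the check happens before the action and raises rather than returning, so a forgotten branch in the action cannot accidentally serve the resource to an anonymous request.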
Tags: Merb, merbcamp, merb_auth
I was at the camp today (Saturday). I feel mixing authentication and authorization is probably a bad idea. Controllers should be protected by authorization, not authentication. merb-auth is a good start, but there should be a clear separation between the two if others will contribute an authorization slice.
@mario
The controller mixins are trivial and really just a convenience for people who want quick n’ cheap authentication and authorization. In fact the whole intent of merb-auth is to focus narrowly on authentication.
I contend that at its most basic implementation, authentication provides 1-degree of authorization (people need to be logged in to access a certain thing). But you also can't have authorization without some degree of authentication (even if it's storing state in a session).
The intent behind MerbAuth isn’t to completely separate authentication from authorization; it’s to separate them just enough that their implementations can vary without affecting the other.
Just wondering… what is the deal with the ?message after authentication? Is there a way to remove that or to pass it in POST. Other than that, thanks for the auth.
Is there an easy way to make the password-slice use a different layout than the default application layout?
In a previous version of merb-auth I used a configuration option to do this (Merb::Slices::config[:merb_auth][:layout] = :admin), but this doesn’t work anymore. I see that merb-auth now adds an action to the Exceptions controller (unauthenticated). In my case, this action should use the :admin layout, but the other actions in Exceptions should keep using the :application layout. Any ideas?
Hello,
I'm trying to follow this tutorial, but it seems that when I log in with the correct login name and password, I get exception errors. I'm not sure if there was a change to merb-auth since this tutorial. This is using a fresh unedited resource. If I use an incorrect login and password I receive the login error messages, but when I use the correct login/password, I get the exception errors. It doesn't appear to redirect me to the secrets page; the URL remains localhost:4000/login.
@JRS
I’ll run through this tutorial again tonight with the latest Merb release and post a comment on what might need tweaking. Thanks for the heads up.
The error you get is probably: http://merb.lighthouseapp.com/projects/7433/tickets/967-wrong-constant-name-merbauthslicepasswordsessions-nameerror#ticket-967-6
It has been resolved in the 1.0 release, which should be released today.
Thanks, that's nice and straightforward. Couple of glitches with 1.0:
1. merb -i insists you install webrat
2. it’s now rake db:automigrate (no underscore)
Nice screencast. Is it possible to localize merb_auth?