Most web applications have some sort of admin area where users shouldn’t be. Passwording it is the obvious solution, but it isn’t obvious how to implement passwords in Sinatra. I stole this code from Ryan Tomayko’s Wink blog, and extracted it into a more generic module for reuse. Two parts are involved, the module, which I put into a separate file, and include. And then the code itself to pull it into the helpers and use it in the event handlers.

The module:

module Sinatra
  module Authorization

  def auth
    @auth ||= Rack::Auth::Basic::Request.new(request.env)
  end

  def unauthorized!(realm="myApp.com")
    header 'WWW-Authenticate' => %(Basic realm="#{realm}")
    throw :halt, [ 401, 'Authorization Required' ]
  end

  def bad_request!
    throw :halt, [ 400, 'Bad Request' ]
  end

  def authorized?
    request.env['REMOTE_USER']
  end

  def authorize(username, password)
    # Insert your logic here to determine if username/password is good
    false
  end

  def require_administrative_privileges
    return if authorized?
    unauthorized! unless auth.provided?
    bad_request! unless auth.basic?
    unauthorized! unless authorize(*auth.credentials)
    request.env['REMOTE_USER'] = auth.username
  end

  def admin?
    authorized?
  end

  end
end

To use the module:

require 'authorization'

helpers do
  include Sinatra::Authorization
end

get '/admin' do
  require_administrative_privileges
  # Do private stuff
end

EDIT: Thanks to foca on #sinatra for the nicer setup of authorize

License: Because this was extracted out of Wink, follow the Wink license (found here).

This entry was posted on Thursday, July 17th, 2008 at 9:30 pm and is filed under Programming, Ruby, Sinatra. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.