X-Git-Url: https://git.openstreetmap.org./rails.git/blobdiff_plain/13aead560185c3ec580b4cae70752a3afed7bb93..8cef62cd2cec4a297e46b4f2a86c9afeadb3b283:/app/controllers/api_controller.rb diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb index 050c455cd..a8067a493 100644 --- a/app/controllers/api_controller.rb +++ b/app/controllers/api_controller.rb @@ -52,8 +52,13 @@ class ApiController < ApplicationController # handle authenticate pass/fail unless current_user # no auth, the user does not exist or the password was wrong - response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\"" - render :plain => errormessage, :status => :unauthorized + if Settings.basic_auth_support + response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\"" + render :plain => errormessage, :status => :unauthorized + else + render :plain => errormessage, :status => :forbidden + end + false end end @@ -75,11 +80,13 @@ class ApiController < ApplicationController report_error t("oauth.permissions.missing"), :forbidden elsif current_user head :forbidden - else + elsif Settings.basic_auth_support realm = "Web Password" errormessage = "Couldn't authenticate you" response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\"" render :plain => errormessage, :status => :unauthorized + else + render :plain => errormessage, :status => :forbidden end end @@ -94,12 +101,13 @@ class ApiController < ApplicationController # from the authorize method, but can be called elsewhere if authorisation # is optional. def setup_user_auth + logger.info " setup_user_auth" # try and setup using OAuth if doorkeeper_token&.accessible? self.current_user = User.find(doorkeeper_token.resource_owner_id) elsif Authenticator.new(self, [:token]).allow? # self.current_user setup by OAuth - else + elsif Settings.basic_auth_support username, passwd = auth_data # parse from headers # authenticate per-scheme self.current_user = if username.nil? @@ -109,6 +117,8 @@ class ApiController < ApplicationController else User.authenticate(:username => username, :password => passwd) # basic auth end + # log if we have authenticated using basic auth + logger.info "Authenticated as user #{current_user.id} using basic authentication" if current_user end # have we identified the user?