Search code examples
rubyhttpsbasic-authentication

How to do basic authentication over HTTPs in Ruby?


After looking a lot, I've found some solutions that seem working, but not for me...

For example, I have this script:

require 'net/http'
require "net/https"

@http=Net::HTTP.new('www.xxxxxxx.net', 443)
@http.use_ssl = true
@http.verify_mode = OpenSSL::SSL::VERIFY_NONE
@http.start() {|http|
    req = Net::HTTP::Get.new('/gb/PastSetupsXLS.asp?SR=31,6')
    req.basic_auth 'my_user', 'my_password'
    response = http.request(req)
    print response.body
}

When I run it, it gives me a page that requests for authentication, but if I write the following URL in the browser, I get into the website without problems:

https://my_user:[email protected]/gb/PastSetupsXLS.asp?SR=31,6

I have also tried with open-uri:

module OpenSSL
    module SSL
        remove_const :VERIFY_PEER
    end
end
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE

def download(full_url, to_here)
    writeOut = open(to_here, "wb") 
    writeOut.write(open(full_url, :http_basic_authentication=>["my_user", "my_password"]).read) 
    writeOut.close 
end

download('https://www.xxxxxxx.net/gb/PastSetupsXLS.asp?SR=31,6', "target_file.html")

But the result is the same, the site is asking for user authentication. Any tips of what am I doing wrong?. Must I encode the password in Base 64?


Solution

  • I wrote a piece of code based on examples given in the Net::HTTP docs and tested it on my local WAMP server - it works fine. Here's what I have:

    require 'net/http'
    require 'openssl'
    
    uri = URI('https://localhost/')
    
    Net::HTTP.start(uri.host, uri.port,
      :use_ssl => uri.scheme == 'https', 
      :verify_mode => OpenSSL::SSL::VERIFY_NONE) do |http|
    
      request = Net::HTTP::Get.new uri.request_uri
      request.basic_auth 'matt', 'secret'
    
      response = http.request request # Net::HTTPResponse object
    
      puts response
      puts response.body
    end
    

    And my .htaccess file looks like this:

    AuthName "Authorization required"
    AuthUserFile c:/wamp/www/ssl/.htpasswd
    AuthType basic
    Require valid-user
    

    My .htpasswd is just a one liner generated with htpasswd -c .htpasswd matt for password "secret". When I run my code I get "200 OK" and contents of index.html. If I remove the request.basic_auth line, I get 401 error.

    UPDATE:

    As indicated by @stereoscott in the comments, the :verify_mode value I used in the example (OpenSSL::SSL::VERIFY_NONE) is not safe for production.

    All available options listed in the OpenSSL::SSL::SSLContext docs are: VERIFY_NONE, VERIFY_PEER, VERIFY_CLIENT_ONCE, VERIFY_FAIL_IF_NO_PEER_CERT, out of which (according to the OpenSSL docs) only the first two ones are used in the client mode.

    So VERIFY_PEER should be used on production, which is the default btw, so you can skip it entirely.