Andrzej Kardaś Web Page

How to force RoR Authlogic authentication solution to handle 3 login parameters insted of standard two.

Authlogic is one the most popular authentication solutions for Ruby On Rails. It success comes from the high usability and flexibility. With it you can perform, almost any task needed to authenticate user in your Web application. Additionally, thanks to available authlogic plug-ins, you can integrate Open ID, Facebook or Twitter authentication into your site. If you are unfamiliar with using Authlogic you should, see this and this Ryan Bates screen cast or follow basic tutorial available in authlogic REDME file.

In 90% of web application you will need to provide two login information, user name or email and password. This type of authentication is available out of the box in authlogic. The project I was working on required me to have 3 login parameters. In my project I'm having many workshops, and every single workshop can have many users that can share and manipulate it's data. I would like to have a unique user name in scope of a single workshop, but between the workshops the users name can be repeated. First I thought it will hard be to achieve such goal, but when I patiently read all the API docs, the flexibility of authlogic and ruby language let me do it, in quite simple way. I will try to share my solution hoping that someone will find it useful or maybe will suggest me a better way to solve this problem.

I'm assuming that if you are reading this you know how the Ruby On Rails framework works, and you can read and understand the ruby source code. I will not try to explain every single line of code that you will find here. I will focus on explaining parts of the code that are important to let authlogic handle authorization using 3 login parameters.

We will start with presenting the view part of my project. Below you will find a login form partial.

<fieldset id="form">
<legend>Submit login information</legend>
<% form_remote_for @user_session, 
	:url=>{:action=>'create'},
    :html=>{ :autocomplete => :off },
    :before => "Element.show('loging-indicator')", 
    :success => "Element.hide('loging-indicator')" do |f| %>
  <%= f.error_messages %>
  <p>
  	<%= f.label :workshop_unique, "Workshop id:" %><br />
	<%= f.text_field :workshop_unique, :value => @workshop, :size => 30 %> <br />	
  	<%= check_box_tag :remember_workshop,  1, checked = false %>
	<%= label_tag :remember_workshop, "Remeber workshop id" %>
  </p>
  <p>
    <%= f.label :username, "User name: " %><br />
    <%= f.text_field :username, :value => @username %> <br />
	<%= check_box_tag :remember_username,  1, checked = false %>
	<%= label_tag :remember_username, "Remember user name" %>
  </p>
  <p>
    <%= f.label :password, "Password:" %><br />
    <%= f.password_field :password %>
  </p>
  <p><%= f.submit "Zaloguj" %></p>
<% end %>
</fieldset>
<div id="loging-indicator" style="display:none;">
<span>Data manipulation in progress:<br />
	<%= image_tag("processingbar.gif",
              :align => "absmiddle",
              :border => 0) %>
</span>
</div>

Here we are constructing an Ajax based login form, using a form_remote_for helper method which operates on @user_session object. This object is typical implementation of Authlogic api, what is not typical here is that we have 3 login fields. The user will have to provide his workshop ID, his user name and his password to log in to the system. You will also find check boxes which are letting user remember his login information, but this is out of the scope of this article.

Now let us take a look on controller code which will handle all the data manipulation between the view and the model, during log in and log off faze.

class UserSessionsController < ApplicationController
 
  # access control:
  # logged in users can destroy session (and be logged out)
  # anonymous users can create new session (login in to system) 
  access_control :debug => true do
    allow logged_in, :to => [:destroy]
    allow anonymous, :to => [:new, :create]
  end
 
  def new
    @user_session = UserSession.new
    @workshop = cookies[:workshop]
    @username = cookies[:username]
  end
 
  def create
    if params[:remember_workshop]=="1"
      if cookies[:workshop] != nil
        cookies.delete :workshop
      end
      cookies[:workshop] = {:value=> params[:user_session][:workshop_unique], 
:expires => 1.year.from_now}
    end
    if params[:remember_username]=="1"
      if cookies[:username] != nil
        cookies.delete :username
      end
      cookies[:username] = {:value=> params[:user_session][:username], 
:expires => 1.year.from_now}
    end
    login = {:workshop_unique => params[:user_session][:workshop_unique],:username => params[:user_session][:username]}
    @user_session = UserSession.new(:username=>login,:password=>params[:user_session][:password])
    if @user_session.save
        flash[:notice] = "Login succsessfull."
        respond_to do |format|
          format.html { redirect_to root_url }
          format.js {  
          render :update do |page|
            page.redirect_to root_url
          end  
          }
        end
    else
      unless cookies[:workshop].nil?
        @workshop = cookies[:workshop]
      else
        @workshop = params[:user_session][:workshop_unique]
      end
      unless cookies[:username].nil?
        @username = cookies[:username]
      else
        @username = params[:user_session][:username]
      end
      respond_to do |format|
        format.html { render :action => 'new'}
        format.js {  
        render :update do |page| 
          page.replace_html :login, :partial => 'login_form'
          page.visual_effect(:shake,:login,:duration => 1)
        end
        }
      end
    end
  end
 
  def destroy
    @user_session = UserSession.find
    @user_session.destroy
    flash[:notice] = "Log off succsesfull."
    current_user = nil
    redirect_to :controller => 'szws', :action => 'goodbye'
  end
 
end

Creating user session controller, is typical approach when using authlogic API. This controller will take care of logging in and off our user. At the top of the source code you will find a small portion of code that is out of the scope of this article, this part is typical for acl9 authorization solution I use in this application. What is important here are our methods. New which is used to display a fresh new login form to user, create which takes care of logging in or rejecting logging in if user provided wrong credentials. The third method destroy is used to log of our user. If you take a look at new and destroy methods there is nothing special here. In destroy we are finding the @user_session object of the currently logged in user and destroying his session, it's straight forward the authlogic API in use.

What is the most important here is our create method. First part is cookie handling, we will skip this part, and look at lines below it. Here you will find a @user_session object creation. Normally we would construct an object, passing to it two parameters, taken from request parameters. We would do it in 90% of cases but here you can find the trick i did, to make my 3 parameter login work. As constructor of session object can accept only username and password parameters. Authloghic is passing only those two parameters to model which is handling all authorization process. What we can do here is first we will construct an associative array which will store both our workshop unique and username then we will assign it to login object. Then we will pass this login object as username, in our UserSession.new constructor.

That is all I did to make 3 parameters login work at controller level. Of course thats not all the job we have to do to make authlogic properly verified our 3 parameters login. The last part is our model. We will have to look at two models, first is user_session model second is user model. Lets start with user_session model.

class UserSession < Authlogic::Session::Base
  find_by_login_method :find_user_in_workshop
  #Make sure the right messege is being displayed to user if he provides incorrect login information
  generalize_credentials_error_messages "You provided wrong login information, please try again"
 
  @workshop_unique
 
  def workshop_unique
    @workshop_unique
  end
 
  def worksop_unique=(value)
    @workshop_unique=value
  end
 
end

As you can see the UserSession class derives from Authlogic::Session::Base, another typical thing for authlogic API. At the top of this source file you will find the most important thing. By defining find_by_login_method, you can override standard method of finding user in our system. As author wrote in API docs: "sky is the limit here", and he is right. We will look at our find_user_in_workshop method in user model source file. Below you can find a definition for error message that will be displayed to our user in case of providing wrong credentials. The last thing in the user_session model is definition of @workshop_unique instance variable. I added this to be able to use it in my view form_remote_for helper method. Look at the view source code. Now let's take a look at user model.

class User < ActiveRecord::Base
  #This is authentication subject
  acts_as_authentic do |c|
     c.validate_email_field = false
     c.validate_login_field = true
     #make sure that one workshop wont be able to have two users of the same name
     c.validations_scope = :workshop_id
     c.logged_in_timeout=30.minutes;
     c.maintain_sessions=false
     c.ignore_blank_passwords=false
  end
 
  belongs_to :workshop
 
  def self.find_user_in_workshop(login)
    workshop_unique=login[:workshop_unique]
    username = login[:username]
    workshop = Workshop.find_by_workshop_unique(workshop_unique)
    unless workshop.nil?
      find_by_username_and_workshop_id(username,workshop.id)
    else
      return nil
    end
  end
 
end

What you can see at the top of this source file, is authentication subject configuration. We are setting up validation of our login field and ignoring validation of email field. Next we are making sure that our user login will be unique in scope of our workshop. We are setting up session timeout. As you can see I'm also preventing session maintain because in my system one user can create account for another. I don't want to automatically re log user to new account after account creation. And the last thing is disabling ignore blank password option.

The second thing is typical relationship configuration as we know every user can belong to one workshop.

The last but not least thing : find_user_in_workshop method definition. This method is taking our login parameter, which is an associative array containing workshop_unique and username, taken from our login form. What we are doing here is first we are trying to find workshop by it's unique id. If this is successful, we are finding user using both username and workshop.id. And thats it, this is solution that is working quite well in system I'm building.

Sources:

• Authlogic GitHub Source Site
• Authlogic Core API docs
• Ryan Bates Authlogic Screencast