Fix routes with path format not working in front of http_basic_auth

If a request was made to /my_data.xml with `Accept: */*`, and there was http basic authentication in front in the Rodauth middleware, the requested format wouldn't get selected when it came to processing the controller action. This is because rodauth-rails would infer formats from the `Accept` header as soon as it instantiated the controller (which would happen when logging the user in from Authorization header), preventing Rails from inferring the format from the URL path. We fix that by only doing this before handling Rodauth endpoints, leaving requests to Rails endpoints untouched. Fixes #272
janko · Feb 7, 2024 · 35577ad · 35577ad
1 parent 9028012
commit 35577ad
Show file tree

Hide file tree

Showing 6 changed files with 30 additions and 5 deletions.
diff --git a/lib/rodauth/rails/feature/render.rb b/lib/rodauth/rails/feature/render.rb
@@ -46,10 +46,9 @@ def rails_render(*args)
         end
 
         # Only look up template formats that the current request is accepting.
-        def _rails_controller_instance
-          controller = super
-          controller.formats = rails_request.formats.map(&:ref).compact
-          controller
+        def before_rodauth
+          super
+          rails_controller_instance.formats = rails_request.formats.map(&:ref).compact
         end
 
         # Not all Rodauth actions are Turbo-compatible (some form submissions

diff --git a/test/integration/render_test.rb b/test/integration/render_test.rb
@@ -100,4 +100,19 @@ class RenderTest < IntegrationTest
 
     assert_equal %(<turbo-stream action="append" target="login-form"><template><div id="turbo-stream">login failed</div></template></turbo-stream>), page.html
   end if defined?(::Turbo)
+
+  test "path format is preserved with basic auth" do
+    Account.create!(email: "[email protected]", password: "secret123", status: "verified")
+    page.driver.browser.basic_authorize "[email protected]", "secret123"
+
+    page.driver.browser.get "/basic_auth", {}, { "HTTP_ACCEPT" => "*/*" }
+    assert_equal "Basic Auth", page.html
+    assert_equal "text/plain; charset=utf-8", page.response_headers["Content-Type"]
+
+    page.driver.browser.get "/basic_auth.json", {}, { "HTTP_ACCEPT" => "*/*" }
+    assert_equal "{\"message\":\"Basic Auth\"}", page.html
+    assert_equal "application/json; charset=utf-8", page.response_headers["Content-Type"]
+
+    page.driver.browser.header "Authorization", nil
+  end
 end
diff --git a/test/rails_app/app/controllers/test_controller.rb b/test/rails_app/app/controllers/test_controller.rb
@@ -13,6 +13,13 @@ def auth2
     render :template
   end
 
+  def basic_auth
+    respond_to do |format|
+      format.text { render plain: "Basic Auth" }
+      format.json { render json: { message: "Basic Auth" } }
+    end
+  end
+
   def secondary
     rodauth(:admin).require_authentication
 

diff --git a/test/rails_app/app/misc/rodauth_app.rb b/test/rails_app/app/misc/rodauth_app.rb
@@ -33,5 +33,8 @@ class RodauthApp < Rodauth::Rails::App
     if r.path == rails_routes.auth1_path
       rodauth.require_account
     end
+    if r.path.start_with?(rails_routes.basic_auth_path)
+      rodauth.require_http_basic_auth
+    end
   end
 end
diff --git a/test/rails_app/app/misc/rodauth_main.rb b/test/rails_app/app/misc/rodauth_main.rb
@@ -1,7 +1,7 @@
 class RodauthMain < Rodauth::Rails::Auth
   configure do
     enable :create_account, :verify_account, :verify_account_grace_period,
-      :login, :remember, :logout, :active_sessions,
+      :login, :remember, :logout, :active_sessions, :http_basic_auth,
       :reset_password, :change_password, :change_password_notify,
       :change_login, :verify_login_change,
       :close_account, :lockout, :recovery_codes, :internal_request,

diff --git a/test/rails_app/config/routes.rb b/test/rails_app/config/routes.rb
@@ -4,6 +4,7 @@
   controller :test do
     get :auth1
     get :auth2
+    get :basic_auth
     get :secondary
     get :auth_json
     get :sign_in