mgomes / api_auth

HMAC authentication for Rails and HTTP Clients
MIT License

Configurable authorization header #143

Closed bryanalves closed 7 years ago

bryanalves commented 7 years ago

Instead of always using the Authorization header, allow the use of arbitrary headers. This is useful if you are in an environment that uses BasicAuth for other things.

Example usage in a rails project:

config/initializers/api_auth.rb

```ruby
ApiAuth.header_to_assign = 'HMAC_AUTH'
ApiAuth.header_to_search = %w[HMAC_AUTH HTTP_HMAC_AUTH]
```

kjg commented 7 years ago

Can you please help me understand the use case a little bit more? You'd like to use Basic Auth and ApiAuth concurrently in the same request?

bryanalves commented 7 years ago

That's exactly right. I have a situation where we are deploying to a set of stage environments whose access is protected via BasicAuth on a reverse proxy. This requires us to use this BasicAuth in addition to our usual authentication scheme between services (HMAC), so ideally we run the HMAC auth via a different header.
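The setup described in this comment, sketched as an added example (not code from the PR or the api_auth gem): the proxy's Basic credentials stay in `Authorization` while the HMAC signature travels in its own header, located through a search list like the PR's `header_to_search`. The canonical string, header value format, secret, access id and helper names are simplified assumptions.

```ruby
require 'openssl'

# Constructed demo values; not taken from the PR or the gem.
SECRETS = { 'svc-1' => 'constructed-demo-secret' }.freeze
HEADERS_TO_SEARCH = %w[HMAC_AUTH HTTP_HMAC_AUTH].freeze # names from the PR example

# Simplified canonical string (assumption; the gem's real one covers more fields).
def canonical(method, path, date)
  [method.upcase, path, date].join(',')
end

# Header value in an "APIAuth id:signature" shape (assumed format for this sketch).
def sign(access_id, secret, method, path, date)
  mac = OpenSSL::HMAC.digest('SHA256', secret, canonical(method, path, date))
  "APIAuth #{access_id}:#{[mac].pack('m0')}"
end

# Server side: first configured header present in the Rack env wins.
def hmac_header(env)
  HEADERS_TO_SEARCH.map { |name| env[name] }.compact.first
end

# Length check plus XOR accumulation, so comparison time does not depend on
# where the first differing byte sits.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# HTTP_AUTHORIZATION is never read here: it belongs to the reverse proxy.
def authentic?(env)
  given = hmac_header(env).to_s
  access_id = given[/\AAPIAuth ([^:]+):/, 1]
  secret = SECRETS[access_id] or return false
  expected = sign(access_id, secret, env['REQUEST_METHOD'], env['PATH_INFO'], env['HTTP_DATE'])
  secure_compare(expected, given)
end

# Constructed Rack env: Basic credentials for the proxy, HMAC in a separate header.
def sample_env
  date = 'Tue, 01 Jan 2019 00:00:00 GMT'
  { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/orders/1', 'HTTP_DATE' => date,
    'HTTP_AUTHORIZATION' => 'Basic ' + ['stage:stage-pass'].pack('m0'),
    'HTTP_HMAC_AUTH' => sign('svc-1', SECRETS['svc-1'], 'GET', '/orders/1', date) }
end

puts authentic?(sample_env)
```

Rack exposes a request header such as `Hmac-Auth` as `HTTP_HMAC_AUTH`, which is why the search list carries the prefixed name as well.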

mgomes commented 7 years ago

Thanks for your PR. Even though HMAC auth via HTTP isn't part of an official RFC, it's a common practice to send the HMAC hash as the Authorization header. I think it'd keep things more simple if we didn't offer this option.

Sorry.