Authlogic and Android, Verify user credentials

Question

I have a rails app that uses Authlogic (from gem Communityengine). Now I want users to be able to login on a mobile device (Android in that case)

If I understand correctly I can use Http Basic Authentication to authorize specified actions, but the first step (I think) is, when the user enters his username and password in his Android device, to check wether that user exists and if that passwort is correct.

How would I do this?

The password is encrypted in the database (with a pw salt) So as I understand I can not just check the database if the provided user and password is correct.

Here are some Http headers from my app as the result from different curl requests I did, I guess Http basic auth is working since I get a correct HTTP code when I provide user credentials:

martin@martin-desktop:~/Applications$ curl -I username:password@localhost:3000/users/username/posts/new
HTTP/1.1 200 OK
Date: Sun, 21 Apr 2013 12:17:29 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.19
X-UA-Compatible: IE=Edge,chrome=1
ETag: "b9aa82940f06722b7d8e35ce46e3166d"
Cache-Control: must-revalidate, private, max-age=0
X-Request-Id: 291ee45de8cb95e06ed4e8e6d3d9408c
X-Runtime: 0.335820
X-Rack-Cache: miss
Set-Cookie: _AppName_session=BAh7CkkiD3Nlc3Npb25faWQGOgZFRkkiJTA0ZDRhYmQwNDJjYmM1OGJmZTkyNzJjMTc5NThkODg0BjsAVEkiDnJldHVybl90bwY7AEZJIj1odHRwOi8vZ2l2LWR1ZXJlbi51bmktbXVlbnN0ZXIuZGUvdXNlcnMvbWFydGluL3Bvc3RzL25ldwY7AEZJIhV1c2VyX2NyZWRlbnRpYWxzBjsARkkiAYAzYWM2NTJlMjgyODA5MTY1ODg2ZTBjNTdhNGUzYjk5MzRkNWQ0YTE4MDdlN2M0MWI2OTQzYmQyNzZmOGFlMGI5NjliMjU3NzZhYTg4NjBkM2U0Y2Q5YTJjYzgwODVlNzY5NDgwMzE2MmQ3NTBjYzlhMmQ4ZTViYTJmNjJmYzVhZQY7AFRJIhh1c2VyX2NyZWRlbnRpYWxzX2lkBjsARmkGSSIQX2NzcmZfdG9rZW4GOwBGSSIxYzlIQitJNXNYZHNGa2NCb2hKcm5DY2tIcHNxdWJuWDEydVdZUU5WSlMvZz0GOwBG--2b5f5687425d7ec414e34b79eb89e0b6b465c86f; path=/; HttpOnly
Status: 200
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8

martin@martin-desktop:~/Applications$ curl -I localhost:3000/users/username/posts/new
HTTP/1.1 302 Found
Date: Sun, 21 Apr 2013 12:17:40 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.19
X-UA-Compatible: IE=Edge,chrome=1
Cache-Control: no-cache
X-Request-Id: 9e4b9094f99f5877c8fb79647a1a22f1
X-Runtime: 0.004657
X-Rack-Cache: miss
Set-Cookie: _AppName_session=BAh7B0kiD3Nlc3Npb25faWQGOgZFRkkiJWJhZGVlNzBjNjA0YmQ1MTgyYmI5OWMxZjcxOGIzZmZkBjsAVEkiDnJldHVybl90bwY7AEZJIj1odHRwOi8vZ2l2LWR1ZXJlbi51bmktbXVlbnN0ZXIuZGUvdXNlcnMvbWFydGluL3Bvc3RzL25ldwY7AEY%3D--32120aefd22c0748c352b016582451ede84225ca; path=/; HttpOnly
Location: localhost:3000/login
Status: 302
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8

What I also found out so far is, that the Set-Cookie uses Base64 encoding (This is the encoding for the resulting string literal from http basic auth)

Any help is appreciated!

Answer 1

Nevermind I added this method, which checks for username and password validity and writes the result in the header:

def auth
    authenticate_or_request_with_http_basic do |username, password|
      if user = User.find_by_login(username)
        response.headers['Auth'] = 'Password incorrect'
        if user.valid_password?(password)
          response.headers['Auth'] = 'Credentials correct'
        end
      else
        response.headers['Auth'] = 'Username incorrect'
        false
      end
    end
  end

In my mobile application I just send a request to username:password@mysite.com and read the http header. Not sure if this is an elegant method or if it is inteded, but it works for now.