Allow single_access_token via HTTP headers #784

Open
sevgibson wants to merge 13 commits into binarylogic:master from sevgibson:allow_headers
@sevgibson

Summary

  • Allows single_access_token to be supplied via HTTP request headers in addition to query params
  • Disabled by default — to enable, set a non-nil headers_key (e.g. headers_key "user_credentials")
  • Uses CGI-compliant header key transformation (HTTP_ prefix, uppercased, hyphens to underscores) to match Rack conventions

This is a continuation of #728, rebased onto current master with all prior review feedback from @jaredbeck and @tiegz addressed, including:

  • DRY extraction of shared single_access_token_enabled? and persist_by_single_access_token methods
  • Combined params/headers tests into single_access_token_test.rb
  • Default headers_key to nil (disabled by default)
  • Use controller.request.headers (request headers) instead of controller.headers (response headers)
  • CGI-compliant header key transformation

Test plan

  • All 229 existing tests pass with 0 failures
  • Verify header-based single access token authentication in a Rails app
  • Verify feature remains disabled by default when headers_key is not set

🤖 Generated with Claude Code

sevgibson and others added 13 commits March 6, 2026 14:37
Co-authored-by: Jared Beck <jared@jaredbeck.com>
Co-authored-by: Tieg Zaharia <tieg.zaharia@gmail.com>
Co-authored-by: Tieg Zaharia <tieg.zaharia@gmail.com>
Co-authored-by: Jared Beck <jared@jaredbeck.com>
Co-authored-by: Jared Beck <jared@jaredbeck.com>
- Access controller.request.headers instead of controller.headers,
  which returns response headers
- Transform headers_key to CGI-compliant format (HTTP_ prefix,
  uppercased, hyphens to underscores) to match Rack convention
- Move headers hash from MockController to MockRequest
- Remove unnecessary headers delegate from AbstractAdapter

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
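
An added example, not code from this pull request or from Authlogic: a sketch of the lookup the description and the commit message above outline, with `headers_key` converted to the CGI-style key Rack uses in the request env. The method names, the params-before-headers order and the sample env are assumptions made for illustration.

```ruby
# Added illustration; method names are hypothetical, not Authlogic's API.

# Convert a configured headers_key into the CGI-style key found in a Rack env:
# HTTP_ prefix, uppercased, hyphens to underscores. nil means "disabled".
def cgi_header_key(headers_key)
  return nil if headers_key.nil?

  "HTTP_" + headers_key.to_s.upcase.tr("-", "_")
end

# Look for the token in params, then in request headers. Headers are only
# consulted when headers_key is set (disabled by default). The lookup order
# is an assumption; the PR text does not state one. Blank values are ignored.
def find_single_access_token(env:, params:, params_key: "user_credentials", headers_key: nil)
  candidates = [params[params_key]]
  key = cgi_header_key(headers_key)
  candidates << env[key] if key
  candidates.find { |value| value.is_a?(String) && !value.strip.empty? }
end

# Constructed Rack-style env for a request that carried the header
# "User-Credentials: constructed-token-123".
SAMPLE_ENV = {
  "REQUEST_METHOD" => "GET",
  "PATH_INFO" => "/reports",
  "HTTP_ACCEPT" => "application/json",
  "HTTP_USER_CREDENTIALS" => "constructed-token-123"
}.freeze

if __FILE__ == $PROGRAM_NAME
  # Default configuration: the header is present but never read.
  p find_single_access_token(env: SAMPLE_ENV, params: {})
  # Opt-in configuration: the same request now yields the header value.
  p find_single_access_token(env: SAMPLE_ENV, params: {}, headers_key: "user_credentials")
end
```

Because hyphens become underscores, request headers spelled `User-Credentials` and `User_Credentials` resolve to the same env key, so any proxy rule that strips or rewrites this header has to cover both spellings.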