Topic: Rails & Apache mod_auth

I need to lock down my development environment but I am running into issues when I enable mod-auth for Apache. My authentication (using Janrain or rpxnow) works fine when I turn off the vhost authentication or if I launch a console server (it must bypass the configuration in my vhost file). When I enable it I cannot authenticate.

I noticed that with it on it is loading something user session related (I think) on EVERY request.

Here is my log with it turned OFF:

Processing UserSessionsController#new (for 66.41.219.200 at 2011-03-30 11:16:04) [GET]
  Parameters: {"action"=>"new", "controller"=>"user_sessions"}
Rendering template within layouts/application
Rendering user_sessions/new
Completed in 68ms (View: 7, DB: 0) | 200 OK [http://dev.tgstr.com/signin]

Processing UserSessionsController#create (for 66.41.219.200 at 2011-03-30 11:16:08) [POST]
  Parameters: {"token"=>"e82e6fe0c6cccbe5a6cbe0efc46a4dea866d8430", "action"=>"create", "authenticity_token"=>"vbKj4eniKE38KlMnM6XT26ezf9BoIrh1ngvKQFmQzj0=", "controller"=>"user_sessions"}
  RPXIdentifier Load (0.3ms)   SELECT * FROM "rpx_identifiers" WHERE ("rpx_identifiers"."identifier" = 'http://www.facebook.com/profile.php?id=650028102') LIMIT 1
  User Load (0.3ms)   SELECT * FROM "users" WHERE ("users"."id" = 1)
  User Update (0.5ms)   UPDATE "users" SET "login_count" = 3, "updated_at" = '2011-03-30 16:16:08', "perishable_token" = 's8ZOsymJWAddwc2Gwuxu' WHERE "id" = 1
Redirected to http://dev.tgstr.com:3000/account
Completed in 425ms (DB: 1) | 302 Found [http://dev.tgstr.com/user_session?authenticity_token=vbKj4eniKE38KlMnM6XT26ezf9BoIrh1ngvKQFmQzj0%3D]

Here is my log with it turned ON:

Processing UserSessionsController#new (for 66.41.219.200 at 2011-03-30 11:13:54) [GET]
  Parameters: {"action"=>"new", "controller"=>"user_sessions"}
  [b]User Load (0.2ms)   SELECT * FROM "users" WHERE (LOWER("users".email) = 'batman92withrainbows') LIMIT 1[/b]
Rendering template within layouts/application
Rendering user_sessions/new
Completed in 152ms (View: 9, DB: 0) | 200 OK [http://dev.tgstr.com/signin]

Processing UserSessionsController#create (for 66.41.219.200 at 2011-03-30 11:15:06) [POST]
  Parameters: {"token"=>"1aa9ac40b6f45424c00f97100eec31ed98d2552c", "action"=>"create", "authenticity_token"=>"vbKj4eniKE38KlMnM6XT26ezf9BoIrh1ngvKQFmQzj0=", "controller"=>"user_sessions"}
  User Load (0.5ms)   SELECT * FROM "users" WHERE (LOWER("users".email) = 'batman92withrainbows') LIMIT 1
  RPXIdentifier Load (0.3ms)   SELECT * FROM "rpx_identifiers" WHERE ("rpx_identifiers"."identifier" = 'http://www.facebook.com/profile.php?id=650028102') LIMIT 1
  User Load (0.3ms)   SELECT * FROM "users" WHERE ("users"."id" = 1)
Rendering template within layouts/application
Rendering user_sessions/new
Completed in 933ms (View: 10, DB: 1) | 200 OK [http://dev.tgstr.com/user_session?authenticity_token=vbKj4eniKE38KlMnM6XT26ezf9BoIrh1ngvKQFmQzj0%3D]

With it turned ON I see the line 'User Load (0.5ms)   SELECT * FROM "users" WHERE (LOWER("users".email) = 'batman92withrainbows') LIMIT 1'. I think this is messing up the normal authentication because it is trying to load a user that does NOT exist; it is using the Apache HTTP mod_auth username as the email to look up the user.

Any thoughts/suggestions/ideas would be greatly appreciated.

Thanks =~ Jer
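
The behaviour suspected above, as an added example that is not part of the original post: once Apache basic auth is on, the browser sends an `Authorization: Basic` header with every request, and application login code that honours that header will try the Apache username as its own login. The names `StripBasicAuth`, `basic_login` and `APP` are hypothetical, the password is constructed, and the stand-in app assumes (as the post does) that the login library reads Basic credentials from the request.

```ruby
# Env keys in which Rails looks for HTTP auth credentials.
AUTH_KEYS = %w[HTTP_AUTHORIZATION X-HTTP_AUTHORIZATION
               X_HTTP_AUTHORIZATION REDIRECT_X_HTTP_AUTHORIZATION].freeze

# Returns the login carried by a Basic header, or nil for any other scheme.
def basic_login(header)
  scheme, payload = header.to_s.split(' ', 2)
  return nil unless scheme.to_s.casecmp('basic').zero? && payload
  payload.unpack1('m').split(':', 2).first # 'm' = base64 decode (core Ruby)
end

# Hypothetical Rack middleware: drops Basic credentials that Apache has
# already checked, so the app's own login code never sees them.
# Other schemes (e.g. Bearer) are passed through untouched.
class StripBasicAuth
  def initialize(app)
    @app = app
  end

  def call(env)
    env = env.dup
    AUTH_KEYS.each { |key| env.delete(key) if basic_login(env[key]) }
    @app.call(env)
  end
end

# Constructed stand-in for the app: reports which login it would look up.
APP = lambda do |env|
  login = AUTH_KEYS.map { |key| basic_login(env[key]) }.compact.first
  [200, { 'Content-Type' => 'text/plain' }, [login.to_s]]
end

# Constructed request: username from the post's log, made-up password.
def sample_env
  creds = ['batman92withrainbows:constructed-password'].pack('m0')
  { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/signin',
    'HTTP_AUTHORIZATION' => "Basic #{creds}" }
end

# Runs one request through the given Rack app and returns the body text.
def login_seen_by(app, env)
  app.call(env)[2].join
end

if __FILE__ == $PROGRAM_NAME
  puts "without middleware: #{login_seen_by(APP, sample_env).inspect}"
  puts "with middleware:    #{login_seen_by(StripBasicAuth.new(APP), sample_env).inspect}"
end
```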