As I was struggling to secure my Rails app, I thought this tutorial came right on time; unfortunately I'm still having a crucial problem.
While I could follow the steps and configure rack-cors to allow requests from specific domains, what I really need to do now is make sure only my app can call pages such as /users.json. With rack-cors I can avoid other websites calling my site, but how can I avoid people calling the pages via curl, for example?
I wrote Ruby wrappers to call other APIs so that I would not expose my credentials in the JavaScript calls, so now my credentials are hidden, but I built access points that are totally open to the world, even easier to use than the original APIs as they don't require authentication....
I thought adding "protect_from_forgery" in the controller should take care of this, but it has no effect.
Is there a way to secure GET requests as such? Or do I need to rewrite my app to use POSTs instead? I'm a bit lost because I learned this process following this other tutorial: https://www.driftingruby.com/episodes/deeper-dive-into-stimulusjs
Can you explain your requirements a bit more? I understand that you're wanting to prevent anything from calling your application except for your application specifically (whether front end or back end). For your particular example with /users.json, are there any checks in place on that action to only return authorized users, rate limiting, pagination, etc.? Is your front end completely separated from the back end?
Unauthorized users should return 401. You should pass a cookie with the session or a JWT to validate a user's access to the resource.
Hi, I was looking for a smart solution to deal with CORS. And to be honest, I haven't found within the video and code the mission that I'm targeting. Here's the deal for me. I want to allow access to some ajax or fetch calls based on the environment, and also only allow requests from the same environment. I agree it's not easy to explain within a few sentences, but here's the thing: how to only allow requests from www.example.com to www.example.com/api/....
So here's my code, but it seems to not do the job yet; I probably need some more from you. Waiting for your dedicated answer :-)
```ruby
# within config/initializers/cors.rb
# ENV["CUSTOM_RAILS_ENV"] is kind of a solution to set some instance variables based on staging, production...
# ENV["URL_DOMAIN"] is the URL like www.example.com (for production) but it will be https://example.herokuapp.com/... for the staging environment
case ENV["CUSTOM_RAILS_ENV"].to_s.to_sym # .to_s so a missing variable reaches the else branch instead of raising NoMethodError
when :staging, :landing_page, :production # comma-separated list; `:staging || :landing_page || :production` evaluates to :staging and would only ever match staging
  puts ""
  print(":staging || :landing_page || :production CORS")
  puts ""
  Rails.application.config.middleware.insert_before 0, Rack::Cors do
    allow do
      origins "*"
      resource "*",
               headers: :any,
               methods: :get,
               if: proc { |env| env["HTTP_HOST"] == ENV["URL_DOMAIN"] }
      # 💎 for instance here I am expecting that URL_DOMAIN is www.example.com
      # only requests from www.example.com are allowed to www.example.com/api/...
      # note: HTTP_HOST is the Host header the request itself carries, not where the request came from
    end
  end
when :local
  puts ""
  print("Local CORS")
  puts ""
  Rails.application.config.middleware.insert_before 0, Rack::Cors do
    allow do
      # origins '3f3439f8d20e.ngrok.io'
      origins "localhost:3000"
      resource "*",
               headers: :any,
               methods: %i[get post put patch delete options head]
    end
  end
else
  print("There is an error inside cors setup")
end
```
Another way to describe my user story could be to say:
"Hey, I have pushed my new release on www.example.com. I have some paths for the API; those paths could be found by a user if they inspect the console, and I don't want to let them access my www.example.com/api/v1 from any localhost or console, but only when they are using my webapp."
How can I do this? Should I only use something like `acts_as_token_authentication_handler_for Owner` and `before_action :authenticate_user!` respectively within foo_controller and base_controller?
The JSON calls are in the same app; I use them to populate some datatables, working server side.
After some research I ended up replacing the GET by POST, added the csrf_token to the requests, and got the system secured.
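The three questions in this thread (keeping curl-style clients off /users.json, restricting /api to "my webapp" with a Host check, and the POST + CSRF token fix) all come down to which check stops which client. The following Rack-style pass is an added illustration, not code from the episode or from either poster; the `SECRET`, `ALLOWED_ORIGIN`, cookie layout and status codes are constructed for the example. It runs the three checks in the order a Rails stack effectively applies them: the CORS origin allowlist (all that rack-cors adds, and only browsers honour it), then session authentication (the check that actually returns 401 to a client without a valid cookie, whatever Origin or Host it sends), then CSRF verification, which, like `protect_from_forgery`, is skipped for GET and HEAD.

```ruby
require "openssl"

# Added illustration, not the episode's code: a Rack-style authorization pass
# showing which check stops which client. All values below are constructed.
SECRET         = "constructed-demo-secret-replace-in-real-apps"
ALLOWED_ORIGIN = "https://www.example.com"

# Constant-time string comparison so MAC and token checks do not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def sign(value)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, value)
end

# Session cookie value is "user_id--hmac": a client without SECRET cannot forge it.
def issue_session(user_id)
  "#{user_id}--#{sign(user_id)}"
end

# Returns the user id when the cookie's signature verifies, else nil.
def verify_session(cookie)
  user_id, mac = cookie.to_s.split("--", 2)
  return nil if user_id.nil? || mac.nil?
  secure_compare(sign(user_id), mac) ? user_id : nil
end

# Pull the _session cookie out of a Rack HTTP_COOKIE header.
def session_cookie(env)
  pairs = env["HTTP_COOKIE"].to_s.split(/;\s*/).map { |kv| kv.split("=", 2) }
  pairs.select { |pair| pair.size == 2 }.to_h["_session"]
end

# CSRF token bound to the session (the hidden-field / X-CSRF-Token value).
def csrf_token_for(cookie)
  sign("csrf:#{cookie}")
end

# Decide a request. Returns [status, reason]; the codes are this example's choice.
def authorize(env)
  # 1. Origin allowlist: this is all rack-cors adds. Only browsers honour it;
  #    any other client fills in Origin (and Host) itself, so this check cannot
  #    tell "my webapp" from "not my webapp".
  origin = env["HTTP_ORIGIN"]
  return [403, "cross-origin request rejected"] if origin && origin != ALLOWED_ORIGIN

  # 2. Authentication: the part that actually protects /users.json from
  #    non-browser clients, because the cookie cannot be forged without SECRET.
  cookie = session_cookie(env)
  user   = verify_session(cookie)
  return [401, "no valid session"] unless user

  # 3. CSRF: like protect_from_forgery, skipped for GET/HEAD, which is why
  #    adding it to a GET-only controller changes nothing.
  unless %w[GET HEAD].include?(env["REQUEST_METHOD"])
    token = env["HTTP_X_CSRF_TOKEN"].to_s
    return [403, "invalid CSRF token"] unless secure_compare(csrf_token_for(cookie), token)
  end

  [200, "ok for user #{user}"]
end

# Constructed requests covering the cases discussed in the thread.
def sample_results
  cookie = issue_session("42")
  logged_in = { "REQUEST_METHOD" => "GET", "HTTP_ORIGIN" => ALLOWED_ORIGIN,
                "HTTP_COOKIE" => "_session=#{cookie}" }
  {
    browser_get:   authorize(logged_in),
    # Right Origin and Host headers but no session: passes CORS, fails auth.
    no_session:    authorize({ "REQUEST_METHOD" => "GET", "HTTP_ORIGIN" => ALLOWED_ORIGIN,
                               "HTTP_HOST" => "www.example.com" }),
    # User id edited inside the cookie: the signature no longer matches.
    tampered:      authorize(logged_in.merge("HTTP_COOKIE" => "_session=1--#{sign('42')}")),
    cross_origin:  authorize(logged_in.merge("HTTP_ORIGIN" => "https://other.example")),
    post_no_token: authorize(logged_in.merge("REQUEST_METHOD" => "POST")),
    post_ok:       authorize(logged_in.merge("REQUEST_METHOD" => "POST",
                                             "HTTP_X_CSRF_TOKEN" => csrf_token_for(cookie))),
  }
end

if __FILE__ == $PROGRAM_NAME
  sample_results.each { |name, (status, why)| puts format("%-14s %d %s", name, status, why) }
end
```

Run it with `ruby cors_demo.rb` to see each case. The `no_session` row is the one that answers the original question: a client can present the expected Origin and Host headers and still get 401, because the session signature, not any header, is what the server trusts. In a real Rails app the equivalent pieces are the encrypted session cookie (or a JWT, as the reply above suggests), `before_action :authenticate_user!`, and `protect_from_forgery` for the non-GET actions.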
Could you set an environment variable in place and things work properly?
I'm pushing it right away. Huge thanks for your very fast answer; can't wait to see if all is fine.