jujudellago PRO said over 1 year ago on Cross-Origin Resource Sharing (CORS) :
As I was struggling to secure my Rails app, I thought this tutorial came right on time; unfortunately, I'm still having a crucial problem.

While I could follow the steps and configure rack-cors to allow requests from specific domains, what I really need to do now is make sure only my app can call pages such as /users.json. With rack-cors I can avoid other websites calling my site, but how can I avoid people calling the pages via curl, for example?

I wrote Ruby wrappers to call other APIs so that I would not expose my credentials in the JavaScript calls, so now my credentials are hidden, but I built access points that are totally open to the world, even easier to use than the original APIs as they don't require authentication...

I thought adding "protect_from_forgery" in the controller should take care of this, but it has no effect.

Is there a way to secure GET requests as such? Or do I need to rewrite my app to use POSTs instead? I'm a bit lost because I learned this process following this other tutorial:
https://www.driftingruby.com/episodes/deeper-dive-into-stimulusjs

David Kimura PRO said over 1 year ago on Cross-Origin Resource Sharing (CORS) :
  jujudellago Can you explain your requirements a bit more? I understand that you're wanting to prevent anything from calling your application except for your application specifically (whether front end or back end). For your particular example with /users.json, are there any checks in place on that action to only return authorized users, rate limiting, pagination, etc.? Is your front end completely separated from the back end?

Unauthorized users should return 401. You should pass a cookie with the session or a JWT to validate a user's access to the resource.

jujudellago PRO said over 1 year ago on Cross-Origin Resource Sharing (CORS) :
Well, I didn't plan anything like passing a cookie or JWT for this case; I assumed there would be an easy way to prevent external access..

The JSON calls are in the same app; I use them to populate some datatables, working server side.

After some research I ended up replacing the GET with POST, added the csrf_token to the requests, and got the system secured.
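A plain-Ruby sketch, added here and not part of the thread, of why protect_from_forgery ignores GET and what the POST-plus-csrf_token change actually checks. The session token, X-CSRF-Token header and 422 status mirror Rails defaults, but the code below is a standalone stand-in (Rails' per-response token masking is omitted), not Rails itself:

```ruby
require "securerandom"

# Constructed example: a plain-Ruby sketch of what protect_from_forgery checks.
# Rails additionally masks the token per response; that detail is omitted here.

# Lazily create the per-session token, as Rails keeps one in the session.
def csrf_token_for(session)
  session["_csrf_token"] ||= SecureRandom.urlsafe_base64(32)
end

# Constant-time string comparison so a token check does not leak timing.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# GET and HEAD are never verified (this is why the before_action had "no effect"
# on a GET to /users.json); every other verb must carry the session's token,
# here read from the X-CSRF-Token header that rails-ujs/fetch wrappers send.
def verified_request?(env)
  return true if %w[GET HEAD].include?(env["REQUEST_METHOD"])
  session = env["rack.session"] || {}
  secure_compare(env["HTTP_X_CSRF_TOKEN"], session["_csrf_token"])
end

# Minimal Rack-style action: 422 on a failed check, like Rails' default handling.
def datatable_endpoint(env)
  return [422, { "Content-Type" => "text/plain" }, ["invalid authenticity token"]] unless verified_request?(env)
  [200, { "Content-Type" => "application/json" }, ['[{"id":1,"name":"alice"}]']]
end

# Constructed requests sharing one session.
SESSION = {}
TOKEN = csrf_token_for(SESSION)
GET_REQUEST = { "REQUEST_METHOD" => "GET", "rack.session" => SESSION }.freeze
POST_NO_TOKEN = { "REQUEST_METHOD" => "POST", "rack.session" => SESSION }.freeze
POST_WITH_TOKEN = POST_NO_TOKEN.merge("HTTP_X_CSRF_TOKEN" => TOKEN).freeze
POST_BAD_TOKEN = POST_NO_TOKEN.merge("HTTP_X_CSRF_TOKEN" => "x" * TOKEN.bytesize).freeze

if __FILE__ == $PROGRAM_NAME
  puts datatable_endpoint(GET_REQUEST)[0]      # 200: GET is not checked at all
  puts datatable_endpoint(POST_NO_TOKEN)[0]    # 422
  puts datatable_endpoint(POST_WITH_TOKEN)[0]  # 200
  puts datatable_endpoint(POST_BAD_TOKEN)[0]   # 422
end
```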

vincent.github said about 1 year ago on Cross-Origin Resource Sharing (CORS) :
Hi, I was looking for a smart solution to deal with CORS. And to be honest, I haven't found within the video and code the mission that I'm targeting.
Here's the deal for me. I want to allow access to some ajax or fetch calls based on the environment, and also only allow requests from the same environment.
I agree it's not easy to explain in a few sentences, but here's the thing: how to only allow requests from www.example.com to www.example.com/api/....

So here's my code, but it seems to not do the job yet; I probably need some more help from you. Waiting for your dedicated answer :-)

```ruby
# within config/initializers/cors.rb
# ENV["CUSTOM_RAILS_ENV"] is kind of a solution to set some instance variables based on staging, production...
# ENV["URL_DOMAIN"] is the URL like www.example.com (for production) but it will be https://example.herokuapp.com/... for the staging environment

# fetch with a default avoids a NoMethodError on nil when the variable is unset
case ENV.fetch("CUSTOM_RAILS_ENV", "").to_sym

# a comma-separated list is needed here: `:staging || :landing_page || :production`
# evaluates to just :staging, so the other two environments never matched this branch
when :staging, :landing_page, :production
  puts ""
  print(":staging || :landing_page || :production CORS")
  puts ""
  Rails.application.config.middleware.insert_before 0, Rack::Cors do
    allow do
      origins "*"
      resource "*",
               headers: :any,
               methods: :get,
               # HTTP_HOST is the Host header of this request (the server's own name),
               # not the origin of the page that made the call
               if: proc { |env| env["HTTP_HOST"] == ENV["URL_DOMAIN"] }
               # 💎 for instance here I am expecting that URL_DOMAIN is www.example.com
               #  only requests from www.example.com are allowed to www.example.com/api/...
    end
  end
when :local
  puts ""
  print("Local CORS")
  puts ""
  Rails.application.config.middleware.insert_before 0, Rack::Cors do
    allow do
      # origins '3f3439f8d20e.ngrok.io'
      origins "localhost:3000"

      resource "*",
               headers: :any,
               methods: %i[get post put patch delete options head]
    end
  end
else
  print("There is an error inside cors setup")
end
```

vincent.github said about 1 year ago on Cross-Origin Resource Sharing (CORS) :
Another way to describe my user story could be to say:

"Hey, I have pushed my new release on www.example.com. I have some API paths; those paths could be found by a user if they inspect the console, and I don't want to let them access my www.example.com/api/v1 from any localhost or console, but only when they are using my webapp."

How can I do this? Should I only use something like `acts_as_token_authentication_handler_for Owner` and `before_action :authenticate_user!` respectively within foo_controller and base_controller?

vincent.github said about 1 year ago on Cross-Origin Resource Sharing (CORS) :
Sorry, for Owner it was User.


David Kimura PRO said about 1 year ago on Cross-Origin Resource Sharing (CORS) :
  vincent.github It looks like in your staging, landing_page and production block, you allow all origins:

```ruby
origins "*"
```

Could you set an environment variable in its place and see whether things work properly?

```ruby
origins ENV["URL_DOMAIN"]
```
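An added standalone example (not from the thread or the rack-cors project) contrasting the three checks discussed above: the curl question earlier in the thread, the `if:` proc on HTTP_HOST in the posted cors.rb, and the `origins ENV["URL_DOMAIN"]` suggestion. ALLOWED_ORIGIN stands in for ENV["URL_DOMAIN"], the request hashes are constructed, and the CORS logic is a simplified stand-in for what Rack::Cors does:

```ruby
require "json"

# Constructed example (plain Ruby, no gems): what the Host check in the posted
# cors.rb gates, what an Origin allow list gates, and what a session check gates.
ALLOWED_ORIGIN = "https://www.example.com" # stand-in for ENV["URL_DOMAIN"]

# The `if:` proc from the thread compares the request's own Host header with
# the site's domain. Every client that reaches the server sends that Host,
# curl included, so it is true for everyone and restricts nothing.
def host_check_passes?(env)
  env["HTTP_HOST"] == "www.example.com"
end

# What `origins ENV["URL_DOMAIN"]` asks Rack::Cors to do: emit the allow header
# only when the browser-sent Origin is on the allow list. A browser then blocks
# scripts on other origins from reading the response; curl is unaffected.
def cors_headers(env)
  origin = env["HTTP_ORIGIN"]
  return {} unless origin == ALLOWED_ORIGIN
  { "Access-Control-Allow-Origin" => origin, "Vary" => "Origin" }
end

# The control that actually decides who gets the data: a logged-in session
# (cookie or JWT in a real app), 401 otherwise, as suggested in the thread.
def authenticated?(env)
  !(env["rack.session"] || {})["user_id"].nil?
end

# Minimal Rack-style /users.json endpoint.
def users_endpoint(env)
  headers = { "Content-Type" => "application/json" }.merge(cors_headers(env))
  return [401, headers, [{ error: "unauthorized" }.to_json]] unless authenticated?(env)
  [200, headers, [[{ id: 1, name: "alice" }].to_json]]
end

# Constructed requests: curl with no session, a page on the allow-listed origin, a page elsewhere.
CURL_REQUEST = { "HTTP_HOST" => "www.example.com", "PATH_INFO" => "/users.json" }.freeze
ALLOWED_ORIGIN_BROWSER = CURL_REQUEST.merge("HTTP_ORIGIN" => ALLOWED_ORIGIN,
                                            "rack.session" => { "user_id" => 7 }).freeze
CROSS_ORIGIN_BROWSER = ALLOWED_ORIGIN_BROWSER.merge("HTTP_ORIGIN" => "https://other.example").freeze

if __FILE__ == $PROGRAM_NAME
  puts host_check_passes?(CURL_REQUEST)                  # true: Host check does not stop curl
  puts users_endpoint(CURL_REQUEST)[0]                   # 401: the session check does
  puts users_endpoint(ALLOWED_ORIGIN_BROWSER)[0]         # 200, with Access-Control-Allow-Origin
  puts users_endpoint(CROSS_ORIGIN_BROWSER)[1].key?("Access-Control-Allow-Origin") # false
end
```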

vincent.github said about 1 year ago on Cross-Origin Resource Sharing (CORS) :
That makes sense :)
I'm pushing it right away.

Huge thanks for your very fast answer,
Can't wait to see if all is fine.
