Skip to content

Instantly share code, notes, and snippets.

@rbf

rbf/access_obfuscator.rb

Last active October 1, 2017 07:02
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save rbf/b5f962978b3cff165cbdcdb37f19ad3f to your computer and use it in GitHub Desktop.
Save rbf/b5f962978b3cff165cbdcdb37f19ad3f to your computer and use it in GitHub Desktop.
Download ZIP
Rake middleware (for Rails) to simply obfuscate application access
Raw
access_obfuscator.rb
# The MIT License (MIT)
#
# Copyright (c) 2017 https://gist.github.com/rbf
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
# AccessObfuscator
#
# SOURCE: https://gist.github.com/rbf/b5f962978b3cff165cbdcdb37f19ad3f
#
# When an application is deployed on a PaaS like Heroku it is visible to all
# those knowing the url. In order to prevent the discovery of the app before the
# intended release, we obfuscate the access with a secret token. In order to
# access the app, this secret token (which is configured in an ENV variable with
# the name OBFUSCATED_ACCESS_TOKEN) must be provided at least on the first app
# request as a query parameter with the name 'oat'. The token must be provided
# only once each time the app is restarted, since the ip of the requestor gets
# whitelisted in memory (not into the DB). If the ENV variable
# OBFUSCATED_ACCESS_TOKEN is not present or it's a blank string, the access to
# the app will not be blocked.
#
# To install the middleware, add the following lines at the end of the
# configuration file in /config/environments/production.rb:
#
# if (oat = ENV['OBFUSCATED_ACCESS_TOKEN'])
# config.middleware.use AccessObfuscator, oat
# end
#
# SOURCE: http://ieftimov.com/writing-rails-middleware
class AccessObfuscator
OBFUSCATED_ACCESS_QUERY_PARAM = 'oat'.freeze
UNAUTHORIZED_RESPONSE = [
401,
{ 'Content-Type' => 'text/html' },
['Unauthorized']
].freeze
def initialize(app, obfuscated_access_token)
@app = app
@auto_whitelisted_ips = Set.new
@obfuscated_access_token = obfuscated_access_token
end
def call(env)
if @obfuscated_access_token.present?
check_obfuscated_access(env)
else
allow_access(env)
end
end
private
def check_obfuscated_access(env)
request = Rack::Request.new(env)
if allow_access?(request)
whitelist_ip(request)
request.delete_param(OBFUSCATED_ACCESS_QUERY_PARAM)
allow_access(env)
else
block_access(env)
end
end
def allow_access?(request)
whitelisted_ip?(request) || valid_token?(request)
end
def whitelisted_ip?(request)
@auto_whitelisted_ips.include?(request.ip)
end
def whitelist_ip(request)
@auto_whitelisted_ips << request.ip
end
def valid_token?(request)
request[OBFUSCATED_ACCESS_QUERY_PARAM] == @obfuscated_access_token
end
def allow_access(env)
@app.call(env)
end
def block_access(_env)
# Stop the middleware chain and return 'Unauthorized'
UNAUTHORIZED_RESPONSE
end
end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment