Project

rack-url_auth

0.0
No commit activity in last 3 years
No release in over 3 years
rack-url_authmaca/rack-url_authHomepageDocumentationSource CodeBug TrackerWiki
Middleware for signing urls
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Popularity
Downloads
6,092
Stars
2
Forks
2
Watchers
3
 Releases
Current version
0.2.1
Total releases
2
First release
2013-06-20
Latest release
2017-09-11
 Development
Primary Language
Ruby
Licenses
MIT
Average date of last 50 commits
2015-10-10
Reverse Dependencies
0

 Dependencies

Development

bundler
~> 1.3
rake
>= 0

Runtime

addressable
>= 0
ruby-hmac
>= 0
 Project Readme

Rack::UrlAuth

Rack::UrlAuth is a Rack middleware for HMAC URL authentication.

The most obvious use case would be a service that allows its users to perform an action by clicking on an email sent to them, such as activating an account, claiming a discount coupon or reseting a password.

The user would receive an email with a link to an url such as: http://example.org/accounts/1/activate?expires=2013-12-12&signature=bf3a53...

Because any tampering with the query string or any other url component can be detected, the service can tell if the person is authorized to perform that action.

Keep in mind that all GET actions should be idempotent, meaning that accessing them every time yields the same result.

Amazon S3, Braintree and may other services use this same principle to authenticate requests by either signing the request body or the url.

Installation

Add this line to your application's Gemfile:

gem 'rack-url_auth'

And then execute:

$ bundle

Or install it yourself as:

$ gem install rack-url_auth

Usage

Rails example

# config/application.rb
...

module MyApp
  class Application < Rails::Application
    config.middleware.use 'Rack::UrlAuth', secret: 'very-long-and-arbitrary-string'
    ...
  end
end

# controllers/application_controller.rb
class ApplicationController < ActionController::Base
  ...
  protected
  def authenticate_url!
    unless env['rack.url_auth'].url_authorized?
      render file: 'public/401', status: 401
    end
  end

  def sign_url(url)
    env['rack.url_auth'].sign_url url
  end
end

# controllers/private_stuff_controller.rb
class PrivateThingsController < ApplicationController
  before_filter :authenticate_url!, only: :view_private_thing

  def send_authorization
    signed_url = sign_url(view_private_thing_url(id: params[:id]))
    ApplicationMailer.
      private_thing_view_authorization(params[:email], signed_url).
      deliver
    ...
  end

  def view_private_thing
    # Not for you unless you are authorized ;)
    @thing = PrivateThing.find(params[:id])
    ...
  end
end

Resources

Contributing

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request