I have a Rails 4.2 app that uses rails_admin to manage CRUD actions for its models. It requires current_user.admin? == true for access.
I have just added A/B testing using the Split gem. I want to use the same authorization to allow admin only to view the split dashboard and thought the easiest way might be to create the route within the admin panel such that the dashboard would be available at example.com/admin/split.
I can mount the Split::Dashboard at 'admin/split' but that simply bypasses the admin authorization altogether.
Instead, I want to add a button/link with the rails_admin dashboard that redirects to admin/split where the dashboard is mounted within rails_admin.
Help appreciated.
split's webinterface is a sinatra app. It will not know anything about the rails_admin engine just by mounting it into the same url path. Check out the doc for the split interface https://github.com/splitrb/split#web-interface.
and https://steve.dynedge.co.uk/2011/12/09/controlling-access-to-routes-and-rack-apps-in-rails-3-with-devise-and-warden/
Rack::Auth::Basic will obviously not work for you, since it's basic http auth. So you have to use the second method by sticking you custom request middleware. The current_user will not be available there, since it's added by typical auth gems into the rails controllers. However if your lib is using warden for authentication ( like devise does), the info will be in request.env['warden']. Otherwise you will have to get the session id out the request.env["rack.session"]
Related
I have a script that retrieves a webhook (meaning it has to be deployed as a publicly accessible App), and then uses an API to send a message.
The API requires using a key and secret, which I obviously don't want accessible to the public.
Q1: Is there a way to hide an API key/secret in another script and somehow have it accessible?
(Or any other similar solution - doesn't have to be fancy, just functional/safe).
Alternate Question:
Q2: What can a stranger actually see in my public Apps Script project? The full code? If I hide keys in a functions with an underscore ie. function name_(){}, can they read it?
IMPORTANT INFO: I have not 'shared' the project or spreadsheets with anyone, they're still private. But I've 'deployed' the Web App with permissions for 'anyone'. I assume that means anyone can access?
Everything in the script is visible to whoever has access (script owner, workspace admins, added users). Unless only the url of the webapp is shared and if the script itself is not shared then they are not able to access the script, so technically you can still keep them in your script. It is safe there and only the owner and workspace admins (if it is for Google workspace) can access it.
A way you can store/save the key is by storing it in script properties. Doing this you only need to run the script once to store the API key, moving forward you can remove the API key from the script and it will still run:
https://developers.google.com/apps-script/guides/properties#saving_data
Also refer to this post for more information, in my posted answer I have also provided alternatives and reference links:
Is it safe to put in secrets inside Google App Script code?
My project meet this issue, too. Because the amount of functions is not too much , So i hide my main GAS behind an dummy one .
So far I had 2 GAS
the main GAS with key , and all functions , and I deploy it as Web APP
Of cause u need doGet or doPost to do as entrance of API
The dummy one to share with users.
Then you can call something like below in dummy GAS
var url = 'https://script.google.com/macros/s/xxxxxxxxxxx/exec';
UrlFetchApp.fetch(url,{'method': 'get'});
I hope its useful in your case.
I have create a route that showing openAPI documentation in expressjs using the #wesleytodd/openapi package. The route successfully showing my documentation but I want to set a form that if user wants to see my documentation they must have to log in first (I set for them).
May be it looks like in this question: HTTP authentication cpanel
Welcome to StackOverflow 👋
you can make use of a button, it will depend on your SecuritySchemes authentication as well the generator you are using
and when pressing the button, you will get
images above are from SwaggerHub platform
So i want to develop a simple web application, which will basically be a basic form which on submission will allow to make an external api request. So are there any application designers that can allow to do that with minimalistic code. Appian for example has an interface/application designer that lets you drag and drop a UI interface and build a workflow, make api calls externally or to a database. So like that are there any other apps that allow to do something similar (make api calls/build ui easily/store in databse)? Any other suggestions are also welcome!
It heavily depends on the API as well as the kind of task you´re trying to achieve.
Here´s just a few examples and considerations. (All the below supposes that we´re talking about Web-Based APIs).
If the API requires authentication of some sort and the user authenticates himself: A simple HTTP file with JavaScript to send the request will do the job
If the API requires authentication but you authenticate for all the users: You will need a backend application that does the API request since you need something secure where you can put your Auth-Details for the API. Classic PHP or NodeJS in combination with a served HTTP file for the form itself would work without any JavaScript (depends on the API definitions)
If the API does not require authentication maybe a simple HTML form would work
If you want to write to a database you can have a look at something like https://directus.io/. They allow building a database with a UI and they automatically generate a Web-API which you can then feed by your forms. If the end-user is known to you Directus actually allows users to log in and fill the database with forms that you can visually design but this is rather for employees entering data into an internal database than customers submitting their contact data to you
From my personal experience, all the UI-Tools that promise to integrate with REST APIs make it really hard to do so since every API is different and there is no real standard for them.
I've been using ember, node, express since 2 months ago.
I've developed an small app, now it's time to add user auth to it but I can't figure out how to do this.
There are a few questions I have:
1.- In SPA apps, where there's only index.html, I include all .js ember files. So, the user could be able to see all the app logic without auth?. How can I add the libs only when the user has been auth?
2.- What's the right way to auth in ember? I haven't seen a solution in official documentation.
3.- How the frontend communicates with the backend, what's the logic here? It's in every route?
Also I'm looking for an example or tutorial.
Thanks you!
I believe these videos target exactly your question
http://www.embercasts.com/episodes/client-side-authentication-part-1
http://www.embercasts.com/episodes/client-side-authentication-part-2
just to mention a great resource for ember tutorials http://emberwatch.com/ - it contains screencasts, books, talks.. articles - all you need to get started.
There is nothing bad about "seeing logic", you are protecting data, not code. Still, if you really want to protect your code, you can create a separate login page and require authentication for every other resource (app html, styles, scripts, etc.). But protecting EVERY resource of your app means that you can't delegate handling static files to nginx or cdn or whatnot. So, think carefully.
There are to approaches: embedded authentication and separate login page. For the first one you can use https://github.com/Vestorly/torii or https://github.com/simplabs/ember-simple-auth. If you decide to go with the second, you can just use authentication provided by your backend (passport.js, etc) and redirect to login page on failures.
Nothing special, you just write your model methods and handle possible authorisation errors. You might also want to have a user object around to use in your template and route logic.
When you create a model/controller using sails generate user, which models are available? For instance, I know there some like basic CRUD, etc, but how to see all available methods?
PS: Unless I got it all wrong and there are no CRUD methods at all. I'm still learning Sails, so please forgive if its a silly question.
Basically, there are two groups of actions provided by Sails.js blueprints for a newly generated model/controller pair:
REST API: get /:controller/:id?, post /:controller, put /:controller/:id, delete /:controller/:id. These are classic REST set that should be the one being used in production. You can enable/disable these blueprints via rest property in config/controllers.js.
CRUD actions aka shortcuts: /:controller/find/:id?, /:controller/create, /:controller/update/:id, /:controller/destroy/:id. Inspired, by Rails' RESTful conventions, the shortcuts provide a way to call all the REST actions from browser address string, using GET HTTP method only, which can be very handy for developers. These can be enabled/disabled using shortcuts property in config/controllers.js, and it's a good idea to disable them in production (for example, using local environment settings (config/local.js)).