Rails security via ember

addis_a · February 4, 2015, 7:11pm

There is a rails app that servers an ember.js application via
rails-ember
and another site that has the data. Once the ember app is running it
gets
ember-data from a data server. In a couple of cases it can also do puts
to
the data server via ember data model.save() calls …

The ember app on a put does an http options method. For some reason the
options method does not have the api_key that the other methods
typically
have.

Here are changes I made to the rails data server:

============

application.rb in config:

here I tried to add a specific rule for put, but it did not seem to

work ?

so my rule is very general allowing any put for now

…

config.middleware.use Rack::Cors do

  allow do

    allowed_origins = (ENV['CORS_ORIGINS'] || '').split(',')

    origins(*allowed_origins)

    resource '*', headers: :any, methods: [:get, :options, :put]

    # !!! seperate rule not working ?

    # resource '*/comments/*', headers: :any, methods: [:get,

:options,
:put]

  end

end

##########################

in my app controller I do not check for logged in user for an options

method as I am not sure why it does not get an api_key

class ApplicationController < ActionController::Base

protect_from_forgery

before_filter :authenticate!

def authenticate!

unless request.method.eql?('OPTIONS')

  unless current_user

    render json: { error: 'Unauthorized access' }, status: 401

  end

end

end

#########################

one of my other controllers that gets a pre flight options

method from ember, I did the following:

skip_before_filter :verify_authenticity_token, :only => [:options]

#########################

If anyone has any comments on how this may work as a solution, how to
improve it etc … that would be appreciated … thanks