Resque: Clearance authentication for dashboard

Tobias Kraze
July 24, 2011
Software engineer at makandra GmbH

Resque comes with its own dashboard (Resque server) that you can mount inside your Rails 3 application with

#config/routes.rb:

require 'resque/server'

My::Application.routes.draw do
  # ...

  mount Resque::Server => '/resque'
end

Unfortunately, a mounted Rack app bypasses the filters in your ApplicationController, so everyone can access this dashboard now (unless you have some Rack-based authentication in place, like Devise).

If you're using Clearance, you can easily roll your own simple Rack-based authentication.

Change your routes.rb to:

My::Application.routes.draw do
  # ...

  mount AuthenticatingResqueServer => '/resque'
end

Put an authenticating_resque_server.rb into config/initializers:

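require 'resque/server'

class AuthenticatingResqueServer < Resque::Server

  # Rack middleware that only lets a request through to the dashboard when
  # it carries the remember_token cookie of an existing user.
  class ClearanceAuthentication

    # \z anchors at the end of the string; $ would also match before a newline.
    STATIC_ASSET_PATTERN = /\.(css|png|jpg|js)\z/

    def initialize(app)
      @app = app
    end

    def call(env)
      # Keep the request in a local variable: one middleware instance can
      # serve many requests, so per-request state must not live in @ivars.
      request = ActionDispatch::Request.new(env)
      remember_token = request.cookies["remember_token"]
      if skip_authentication?(request) || (remember_token.present? && User.find_by_remember_token(remember_token))
        @app.call(env)
      else
        [ 401, { 'Content-Type' => 'text/plain', 'Content-Length' => '0' }, [] ]
      end
    end

    private

    # GET requests for the dashboard's static assets are served without authentication.
    def skip_authentication?(request)
      request.get? && request.path_info =~ STATIC_ASSET_PATTERN
    end

  end

  use ClearanceAuthentication

end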

Rack rules!
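
To check what the gate lets through without booting Rails, this added example (not code from the original card, Resque or Clearance) models the same cookie check as a plain Rack-style object and runs constructed requests through it. `CookieGate`, `TOKENS`, `status_for` and the token values are assumptions for illustration; `TOKENS` stands in for `User.find_by_remember_token`.

```ruby
# Added example: dependency-free model of the cookie gate (no Rails, Resque or rack gem).
# TOKENS stands in for User.find_by_remember_token; every value here is constructed.
TOKENS = { 'constructed-token-1' => 'alice' }.freeze
STATIC_ASSET = /\.(css|png|jpg|js)\z/ # \z: end of string, not end of line

class CookieGate
  def initialize(app, lookup)
    @app = app
    @lookup = lookup
  end

  def call(env)
    return @app.call(env) if static_asset?(env) || @lookup.call(cookie(env, 'remember_token'))
    [401, { 'Content-Type' => 'text/plain', 'Content-Length' => '0' }, []]
  end

  private

  def static_asset?(env)
    env['REQUEST_METHOD'] == 'GET' && env['PATH_INFO'].to_s.match?(STATIC_ASSET)
  end

  # Minimal Cookie header parser: "a=1; b=2" => value for name, or nil.
  def cookie(env, name)
    env['HTTP_COOKIE'].to_s.split(/;\s*/).each do |pair|
      key, value = pair.split('=', 2)
      return value if key == name && !value.to_s.empty?
    end
    nil
  end
end

DASHBOARD = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['dashboard']] }
GATE = CookieGate.new(DASHBOARD, ->(token) { token && TOKENS.key?(token) })

# Returns the HTTP status the gate produces for one constructed request.
def status_for(method, path, cookie = nil)
  env = { 'REQUEST_METHOD' => method, 'PATH_INFO' => path }
  env['HTTP_COOKIE'] = cookie if cookie
  GATE.call(env).first
end

if __FILE__ == $PROGRAM_NAME
  [['GET', '/overview', nil], ['GET', '/overview', 'remember_token=constructed-token-1'],
   ['GET', '/overview', 'remember_token=unknown'], ['GET', '/style.css', nil],
   ['POST', '/queues/x.css', nil], ['GET', "/overview.css\nx", nil]].each do |verb, path, c|
    puts format('%-4s %-22p %-45p -> %d', verb, path, c, status_for(verb, path, c))
  end
end
```

Only the static-asset GET and the request with a known token reach the dashboard; everything else, including a non-GET request to an asset-like path, gets a 401.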

Posted by Tobias Kraze to makandra dev (2011-07-24 21:23)