When blocklisting broad IP ranges using the Rails Rack::Attack gem, it can be valuable to have a break-glass HTTP header so that legitimate users in a blocked range can still access the webapp.
The Rack::Attack docs provide most of the information on how to do this, however the syntax in the current example does not match the format of a header injected into the browser using an extension such as SimpleModifyHeaders.
As it turns out, any such headers are uppercased and prefixed with HTTP_. So if in your browser extension you set your header as SuperSecretKey, Rack::Attack would pass it through as HTTP_SUPERSECRETKEY.
The below code snippet illustrates, and also dumps out all headers to the console as a comma delimited list.
class Rack::Attack p "~~~~~~~~ RAAAACK ATTAAAAAAAACK ~~~~~~~~" # whitelist by HTTP header Rack::Attack.safelist("mark any authenticated user as safe") do |request| p "~~ HEADER CHECK ~~" p request.env.sort.compact.reject(&:empty?).join(',') puts request.env.key?("HTTP_SUPERSECRETKEY") puts request.env["HTTP_SUPERSECRETKEY"] request.env["HTTP_SUPERSECRETKEY"] == "Hunter2" end end
gem update --system # update Rubygems
gem install bundler # update bundler
bundler update --bundler # update Gemfile.lock in your project
The error message
>bundle exec guard
14:41:40 - INFO - Guard::RSpec is running
14:41:40 - INFO - Guard is now watching at '/Users/user/project'
14:41:52 - INFO - Running: spec/spec.rb
You must use Bundler 2 or greater with this lockfile.
14:41:52 - ERROR - Failed: "bundle exec bin/rspec -f progress -r /Users/user/project/vendor/bundle/ruby/2.6.0/gems/guard-rspec-4.7.3/lib/guard/rspec_formatter.rb -f Guard::RSpecFormatter --failure-exit-code 2 spec/spec.rb" (exit code: 20)
For some reason rspec was running horribly slow on my macOS laptop, with a simple test suite taking over 30 seconds to run. This made TDD almost unbearable:
Finished in 27.29 seconds (files took 33.71 seconds to load)
8 examples, 2 failures
After some googling, the recommended approach is to compile spring binstubs for rspec. For good hygiene, we’ll use bundler to do this, and use guard so we can leave a terminal window open on a second monitor and see test results automatically after saving code changes.
# edit /Gemfile
group :development do
>bundle install --path vendor/bundle --without=production --binstubs # install gems into vendor/bundle
>echo 'vendor/bundle' >> .gitignore # don't track installed gemfiles
Now replace the bundler rails binstubs with updated rails gem versions and insert spring:
>bundle exec rails app:update:bin # now regenerate standard rails binstubs
>bin/rails app:update:bin # norly plox use teh rail binstubs
>bundle exec spring binstub --all # use spring versions of binstubs
>bundle exec guard init # create guard config file /Guardfile
Note: bin/rails can get overwritten by bundler and stop accepting commands eg “bin/rails server” will show the default output of “rails” instead of launching the server. This can be fixed by running “bundle binstubs railties” then updating the binstubs again as per the instructions above.
Running “bundle config –delete bin” will stop bundler from blatting bin/rails but this also means you will need to manually generate binstubs using eg “bundle binstubs cucumber”.
Note also that bundler pulls in config from $APP/.bundle/config and ~/.bundle.config, so disabling binstubs in your app folder can be overridden by your home directory config.
# edit /Guardfile
guard :rspec, cmd: “bundle exec bin/rspec”, failed_mode: :keep do
>bundle exec guard
Finished in 1.72 seconds (files took 3.17 seconds to load)
5 examples, 2 failures
From 33 seconds to 3 seconds. Nice!
Note: now instead of using “bundle exec” rails or rake, use bin/$GEMNAME eg “bin/rails console”. The spring server running in the background will respond much faster than booting rails each time.