Heroku and Restful API Privacy and Security problems - ruby-on-rails

I have a problem with Heroku and my ReactJS application on the front-end side. I have a RESTful API with Ruby on Rails uploaded to the Heroku server (to do some testing before I purchase actual hosting), and suddenly from today, I cannot use my API on Heroku, due to Privacy and SSL errors (I didn't change or update anything on Heroku or the API). I got these errors in the browser:
I cannot find any solution online. Any suggestion?

You can use rack-cors to enable CORS. Add this code to your config/application.rb
    # inside the Application class; insert_before 0 puts the middleware first
    config.middleware.insert_before 0, Rack::Cors do
      allow do
        origins '*'
        resource '*', headers: :any, methods: :any
      end
    end

Related

redirect_uri_mismatch with OmniAuth Google oauth2 on Heroku

I'm trying to setup a simple Rails application with OmniAuth using google auth.
When running the application on heroku, I get the following error when I try to access the oauth route, either directly or via redirect:
redirect_uri_mismatch
Request details:
access_type=offline
client_id=631910956855-pbglluk1ofb6vjmub9a0fucs8b0r5map.apps.googleusercontent.com
redirect_uri=http://stock-scraper-rails.herokuapp.com/auth/google_oauth2/callback
response_type=code
scope=email profile
state=94be59d4d241b70c83406ce59c36e7fc8d50279c
Works perfectly fine locally. I tried using a ngrok tunnel, and it also works.
Full url: https://accounts.google.com/o/oauth2/auth?access_type=offline&client_id=631910956855-pbglluk1ofb6vjmub9a0fucs8b0r5map.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Fstock-scraper-rails.herokuapp.com%2Fauth%2Fgoogle_oauth2%2Fcallback&response_type=code&scope=email+profile&state=ac4cf27b4e2b534d854136ad25a102e2c1ff772d07dc84b8
My app is hosted on http://stock-scraper-rails.herokuapp.com
You could go to /auth/google_oauth2 to see the error yourself.
I've searched a bit but couldn't solve the problem. Here's what I already tried/did, but it didn't solve the problem:
added the domain to authorized domains
some answers to similar problems suggested waiting, because sometimes it takes a while for google to update changes to the domain. However, I have waited several hours already and the error persists
double/triple checked that my environment variables were correct on Heroku
checked Heroku log; there's no error there
setting OmniAuth.config.full_host manually
Callback route:
    get '/auth/google_oauth2/callback', to: 'auth#oauth_callback'
I'm not using devise, by the way. Currently I simply want the controller to store some data in the session:
    class AuthController < ApplicationController
      def oauth_callback
        # OmniAuth places the provider response in the request env
        authentication_google_data = request.env['omniauth.auth'].except(:extra)
        user_email = authentication_google_data['info']['email']
        # rest omitted
      end
    end
OmniAuth configuration:
Rails.application.config.middleware.use OmniAuth::Builder do
provider :google_oauth2, ENV['GOOGLE_CLIENT_ID'], ENV['GOOGLE_CLIENT_SECRET']
end
Relevant gems versions:
rails (6.0.2.1)
omniauth (1.9.0)
omniauth-google-oauth2 (0.8.0)
omniauth-oauth2 (1.6.0)
I also tried to downgrade omniauth-oauth to 1.3.1, because I read that there was a version causing a similar issue, with no success.
Any other ideas on what I could try would be very helpful :)
I figured out what the problem was. On the google developer console for my app, on
OAuth 2.0 Client IDs, I had created an ID with type "Other" instead of "Web application".
Creating a new one on https://console.cloud.google.com/apis/credentials?project=myproject with the type "Web application" and adding the callback url (both http and https) to Authorized redirect URIs solved the problem.

CORS issue with upgrade Rails 4 to Rails 5

I am upgrading a Rails application from Rails 4.1.1 to Rails 5.1.4.
I have 2 applications: one is the Web app (using Angular), and the other is the API app.
What I am doing: I am sending a request from the Web app (Rails with Angular) and fetching data from the API app. But when I send the request from the Web app I get the error mentioned below:
Failed to load http://api.myapp:3001/user: Response to preflight
request doesn't pass access control check: The value of the
'Access-Control-Allow-Origin' header in the response must not be the
wildcard '*' when the request's credentials mode is 'include'. Origin
'http://myapp:3000' is therefore not allowed access. The credentials
mode of requests initiated by the XMLHttpRequest is controlled by the
withCredentials attribute.
http://myapp:3000 -> Web application sending the request to the API
http://api.myapp:3001/user -> API application sending the response
After googling the issue, I found a gem called rack-cors.
In both the Web and API applications, I have added
    config.middleware.insert_before 0, Rack::Cors do
      allow do
        origins '*'
        resource '*', :headers => :any, :methods => [:get, :post, :options]
      end
    end
But I am still getting the issue. Please let me know.
Well, the message:
The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'
seems to say that you are sending credential information from your Angular application and the domain is not whitelisted. You could try, for testing, setting withCredentials to false, or permitting the domain.
This could help you: http://50linesofco.de/post/2017-03-06-cors-a-guided-tour
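As an added example (not code from either thread's author), covering both the rack-cors answer to the first question and this credentials-mode error: a stdlib-only Rack-style middleware with an explicit origin allowlist, plus the browser-side check the error message describes. The origin http://myapp:3000 comes from the question; the sample app and request are constructed.

```ruby
# Added example: Rack-style CORS middleware with an explicit origin allowlist.
# When the browser sends credentials (withCredentials / cookies),
# Access-Control-Allow-Origin must echo the exact requesting origin; the
# wildcard '*' from the configurations above is rejected by the browser.
require 'set'

class AllowlistCors
  def initialize(app, origins:, credentials: false)
    @app = app
    @origins = Set.new(origins)   # exact scheme://host:port strings
    @credentials = credentials
  end

  def call(env)
    origin = env['HTTP_ORIGIN']
    # No Origin header (same-origin or non-browser client) or an origin that is
    # not allowlisted: pass through without CORS headers, so the browser
    # blocks the cross-origin read.
    return @app.call(env) if origin.nil? || !@origins.include?(origin)

    cors = { 'Access-Control-Allow-Origin' => origin, 'Vary' => 'Origin' }
    cors['Access-Control-Allow-Credentials'] = 'true' if @credentials

    if env['REQUEST_METHOD'] == 'OPTIONS' && env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']
      preflight = cors.merge('Access-Control-Allow-Methods' => 'GET, POST, OPTIONS',
                             'Access-Control-Allow-Headers' => 'Content-Type, Authorization',
                             'Access-Control-Max-Age' => '600')
      return [204, preflight, []]
    end

    status, headers, body = @app.call(env)
    [status, headers.merge(cors), body]
  end
end

# Models the browser-side check quoted in the error message above.
def browser_accepts?(headers, origin, credentials:)
  acao = headers['Access-Control-Allow-Origin']
  return false if acao.nil?
  return acao == origin && headers['Access-Control-Allow-Credentials'] == 'true' if credentials
  acao == '*' || acao == origin
end

# Constructed sample API app (hypothetical, stands in for the API application).
API_APP = ->(_env) { [200, { 'Content-Type' => 'application/json' }, ['{"user":"demo"}']] }

def credentialed_request_allowed?(origin, allowlist)
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/user', 'HTTP_ORIGIN' => origin }
  _status, headers, _body = AllowlistCors.new(API_APP, origins: allowlist, credentials: true).call(env)
  browser_accepts?(headers, origin, credentials: true)
end
```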

Force SSL and url encryption in rails

In a rails app I am setting
    config.force_ssl = true
This is working great, but I am concerned about a situation where a gem I am using redirects to a url in the following format:
http://example.com/secure_url?secret_token=abc
Rails then redirects to
https://example.com/secure_url?secret_token=abc
However, I'm worried that the secret_token will be exposed during the original http request before it is redirected to a secure connection. Is this a legitimate security concern?

Rails app on Heroku: HTTP and HTTPS not working simultaneously with Firefox client

I have a Rails 4.0 e-commerce app that enforces HTTPS on the checkout page, while enforcing HTTP on other pages (due to unavailability of 3rd party HTTPS libraries). I'm deploying on the Heroku cedar stack at a custom domain, and after I've accessed the HTTPS page once using Firefox, all future HTTP requests get converted to HTTPS.
As a result, my application gets stuck in an infinite loop of redirects (my app detects the HTTPS request and redirects to HTTP, and Firefox keeps sending back an HTTPS request). I don't get this problem with other browsers, Chrome and Safari.
On searching online I found:
- It's a Firefox 'bug'. If the browser history contains HTTPS communication with the domain, then it enforces HTTPS on all future requests.
- A possible solution was to configure a .htaccess file, but I'm not sure how to do that on Heroku, and whether that would work with Nginx or if that's only for Apache. Solution details are here: https://support.mozilla.org/en-US/questions/933563
Is there a solution to this problem? Any help will be much appreciated.
To redirect from HTTPS to HTTP, I have a before_filter in a Controller:
    before_filter do
      if request.protocol == "https://"
        redirect_to :protocol => 'http://', :status => :moved_permanently
      end
    end
To force HTTPS on the checkout page, I use:
    force_ssl

Rails Devise SSL Session Mix Up on Production

I've deployed my app on to an Ubuntu VPS using Capistrano, nginx/Passenger and a wildcard SSL certificate.
The app works fine on development and my staging environment on Heroku.
However, there are two problems on production when users sign into the site using a secure page.
On the latest Chrome and Firefox the browsers start to enforce HTTPS on every single request every time, regardless of whether the user is signed in or not. Even if I disable SSL on nginx the browser still attempts HTTPS and complains it cannot connect. The main page serves some insecure dynamic embedded items and uses an insecure CDN, so I would like to serve that page as non-SSL. Whenever I tried to redirect a page to non-SSL, either through an nginx rewrite or a before filter in Rails, it caused an infinite redirect loop.
Safari does not have the first problem above; it respects both HTTPS and HTTP requests. However, when the user has logged in and browses to a non-SSL page they are signed out or lose the session instantly.
Has anyone encountered such a problem before or have an idea on how I could diagnose/fix the problem?
Thanks
Were you using Rails 3.1 force_ssl to enable SSL, or a gem?
When you enabled HTTPS, you also enabled the HTTP Strict Transport Security flag, which the browser uses to immediately go to any HTTPS page on that domain before it sends the request to the server.
On Chrome, enter chrome://net-internals/#hsts into your browser and then you can delete your domain from the HSTS list which should fix it for Chrome. Can't speak for Firefox as I don't use it that often.
The issue with it losing session is likely because Rails is setting the authentication cookie as secure which means they are only sent for HTTPS requests and not HTTP. Make sure your cookie_options in Rails are not setting :secure => true. Also check the Devise cookie_options setting to ensure that :secure => true isn't being set.
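As an added example (not from the question or the answer), relating to both this question and the Firefox one above: a stdlib-only checker that reads a response header block and reports the Strict-Transport-Security policy the answer refers to, and which Set-Cookie entries carry the Secure attribute. The header lines are constructed sample data, not a capture from either app.

```ruby
# Constructed sample response headers (not a real capture).
SAMPLE_HEADERS = <<~HDRS
  HTTP/1.1 200 OK
  Content-Type: text/html; charset=utf-8
  Strict-Transport-Security: max-age=31536000; includeSubDomains
  Set-Cookie: _app_session=abc123; path=/; HttpOnly; Secure
  Set-Cookie: remember_user_token=xyz; path=/; expires=Fri, 01 Jan 2027 00:00:00 GMT
HDRS

# Splits a raw header block into [name, value] pairs; the status line is
# dropped, names are downcased and repeated headers (Set-Cookie) are kept.
def parse_headers(raw)
  raw.lines.map(&:strip).reject(&:empty?).drop(1).map do |line|
    name, value = line.split(':', 2)
    [name.strip.downcase, value.to_s.strip]
  end
end

# HSTS policy as { max_age:, include_subdomains: }, or nil when absent.
# While max-age is positive the browser rewrites every http:// request to
# the host into https:// before sending it, which produces the loop above.
def hsts_policy(pairs)
  _, value = pairs.find { |n, _| n == 'strict-transport-security' }
  return nil unless value
  directives = value.split(';').map { |d| d.strip.downcase }
  max_age = directives.grep(/\Amax-age=\d+\z/).first
  { max_age: max_age ? max_age.split('=').last.to_i : 0,
    include_subdomains: directives.include?('includesubdomains') }
end

def forces_https?(pairs)
  policy = hsts_policy(pairs)
  !policy.nil? && policy[:max_age] > 0
end

# cookie name => true when the Secure attribute is set; such cookies are
# never sent on plain-HTTP requests, so the session is absent there.
def secure_cookies(pairs)
  pairs.select { |n, _| n == 'set-cookie' }.to_h do |_, value|
    parts = value.split(';').map(&:strip)
    [parts.first.split('=', 2).first, parts.drop(1).any? { |a| a.casecmp?('secure') }]
  end
end

if __FILE__ == $PROGRAM_NAME
  pairs = parse_headers(SAMPLE_HEADERS)
  puts "HSTS: #{hsts_policy(pairs).inspect} (forces HTTPS: #{forces_https?(pairs)})"
  puts "Secure cookies: #{secure_cookies(pairs).inspect}"
end
```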
