Preventing calls to my JSON api outside the html app - ruby-on-rails

I've separated my front-end from my back-end, so that they communicate via JSON calls (generated by rails back-end).
i.e, my app calls get_info.json which runs a controller that returns ajax information to the front end.
How do I prevent a random user from directly running the get_info.json script, and thus directly accessing the JSON information?

You need to implement authentication for the json api.
It can be as simple as passing an api_key param to every request.
Or you can restrict the access to the route to a specific IP.
get "/posts" => "posts#show", :constraints => {:ip => '127.0.0.1'}

If front-end and back-end are in the same RoR application, then you can use CSRF token.
just pass a param to json call like get_info.json?token=<%= form_authenticity_token.html_safe %>, then in your back-end controller check if if params[:token] == form_authenticity_token.
hope this helps you.

Related

Rails - Sending a GET Request

I'm trying to retrieve a user's Google account information when a form is submitted. In order to do so, I have to make a GET request to an url. Here's what it says in the YouTube API documentation
To request the currently logged-in user's profile, send a GET request
to the following URL. Note: For this request, you must provide an
authentication token, which enables YouTube to identify the user.
https://gdata.youtube.com/feeds/api/users/default
https://developers.google.com/youtube/2.0/developers_guide_protocol_profiles?hl=en
How do I make it so a custom (or specificall this) GET request happens when the form is submitted, and how do I provide the authentication token? Information that might help: When the form is submitted, it will go to the VideoController's new method.
Also after making the request, how do I access the information? I need to see whether <yt:relationship> is present or not in the given information.
Thanks!
I find HTTParty gem as very useful for working with external APIs in rails.
You can make requests as
response = HTTParty.post("http://www.example.com", :timeout => 5, :body => "my body content", :query => { hash_of_params_here } ,:headers => {'Content-Type' => 'application/json', 'AuthKey' => "your_key_here"})
response object will have 'statuscode', 'headers', 'body' etc (whatever youtube send back in your case). You can access its content using
response.parsed_response
same for get requests too
Please do read more about it for better understanding before getting started.
Sources : Documentation & Tutorial
Yuo can use excon gem to make specific CRUD or only get requests to external resources, for example, it should be something like this:
Excon.post('http://youtube.com', :body => 'token=sjdlsdjasdljsdlasjda')
PS: But seem you not requied the direct gems, tru useing google-api gem, as it described here in the documentation.

Get raw parameter data in Ruby on Rails

I have a ruby on rails api where I want to sign my request data by appending a hashed version of all passed in parameters to the request and rebuild this one at the server side as well to validate the integrity of the requests.
When I simply use the params method in the controller I have different parameters (e.g. for an update-method which is specified by this:
put 'login' => 'login#update'
I get as parameters on the server:
{"timestamp"=>"1399562324118", "secured"=>"xxx",
"login"=>{"timestamp"=>"1399562324118", "secured"=>"xxx"}}
although I only send the request from the client with
{"timestamp"=>"1399562324118", "secured"=>"xxx"}
Does any one have an idea how to get rid of this "login" parameter in the params list in a generic way? I do not want to exclude this for every single request of my api.
Thanks a lot!
Per the Rails Edge guide on ActionController:
"If you've turned on config.wrap_parameters in your initializer or calling wrap_parameters in your controller, you can safely omit the root element in the JSON parameter"
See http://guides.rubyonrails.org/action_controller_overview.html#json-parameters

Rails 3 - is link_to with parameters secure?

As a general rule of thumb you aren't supposed to trust any input of data from users. If you had a simple link_to with a parameter:
link_to "Click me", test_path(:my_param => "test")
The route might look like: example.com/test?my_param=test
How do I know if the param, or any injected data for that matter, is being filtered properly? The Rails 3 API doesn't specify that it filters data that is passed to the controller, but I want to make sure that the params[:my_param] is filtered securely in the controller before I utilize the params data.
Any thoughts?
Rails framework doesn't secure things by default for GET request. link_to tag is sending a http get request.
If it is a POST/PUT/DELETE request then the Rails uses protect_from_forgery for verify the data sending url
However in your case, its not hard to write a simple method to verify your data for get requests ,
you could write a before_filter to check the sending parameters for a GET request
HTH

How to route one URL to different controller/action with json data in Rails 3

I am writing server end of a JavaScript app. But engineer who write js and design APIs of this app decided all of ajax send json data to "one" URL, like this:
{
"id":"...",
"method":"method_name",
"params":{...}
}
So, I must provide different service for different "method_name". And the Rails router can not address this problem.
I can use the Object.send method routes the different service to different method, but, I want to distribute my code to different Controller class.
Can I parse the json data in route.rb file? Then route the /url/method_name to controller/action ?

Utilizing A Devise Session Through Flex With Rails3-AMF

I have a Flex front end and a Rails 3 back-end that I would like to establish a session to. Before you can access the page embedded with the flex front-end, you are prompted with a html login page through Devise.
I am able to login fine through the html page but cannot get access to the session with Flex using amf requests.
I have the rails session token in flex but cannot pass them into rails correctly. I am attempting to pass the sessiontokin in through a "send" service call like
somethingService.new.send(session_id: '###', _csrf_token: '###' )
and rails is receiving the session param in a hash as like
{0=>{"session_id"=>'###')}}
instead of like
{"session_id"=>'###')}.
Any suggestions on how to fix this issue or to utilize a session with Flex/RubyAmf/Rails are welcomed.
Thx.
It's been a while since I've done anything with integrating flex & rails, but I have a vague memory that the params come through as {0 => params} if not explicitly mapped in the configuration. The rails3-amf readme on github uses this example:
config.rails3amf.map_params :controller => 'UserController', :action => 'getUser', :params => [:session_id]
If your not already, perhaps explicitly defining the session_id in the :params would make the difference?

Resources