I'm going to upload the app, I've been working on, on the Github and make it public. The app is a website, which is on Rails. The question is – how secure is that? Isn't making my app's code public increase the chance of breaking in?
Rails' source code is open source / public anyway, so if you're referring to someone finding a "backdoor" or something, surely it would have been done already?
--
Parts Of The Pie
The real question of uploading your code to github is whether your application is secure by doing it. This is more a question of data integrity than source code "secrets", and as #Andrew Marshall mentioned in the comments, will be more dependent on you protecting your API keys & other authentication details, than it will be about minimizing the threat of security compromise.
The other thing to remember is the modularity of Rails,
from a dependency perspective. The real value of an app is its
community - the people who care about uploading new content to it.
This means your database, partner applications, on-site experience & "marketing" are worth far more than your bare source code. Sure, the source is important, but it's just one part of the pie ;)
You'll be much better focusing on your stack (to make it extensible), your application's relevance to your community, and how you're able to extend the functionality with partner services
It all depends on how you secure your website to start. People can see all of your routes, so you need to protect restricted routes with before_action. If you have some kind of backdoor, they can see that too, so don't have one. If you follow good password encryption and login practices, you should be fine. The big file I would leave off Github is config/secrets.yml (as the name implies). But either way, most people aren't going to stumble across or care about reading your code, unless you advertise the link somewhere.
Related
So I looked around and found nothing that helps or clarify this question, suppose you have a ruby on rails (5.2) API and you want to save some URLs as part of a model definition, how to determine that the URL you are saving is safe? and by safe I mean, avoid URLs/links that may contain phishing and deceptive sites.
Thx in advance 👍.
Here is what I found so far, hope this help someone (that have the same requirement):
As pointed by #debugger there are multiple services that provide these functionalities, the best fit in my case are the ones below:
Safe browsing google API no commercial purposes
Web Risk for commercial purposes
The above are google APIs that can be used to check if a URL is safe or not.
In the last case you will be charged after a certain amount of request so maybe is a good idea to check if the URL/link is valid: valid URL gem
Background
I have a fairly typical Rails application, which uses Devise for authentication management. While building this app, I realized that realtime chat would be a great feature to have. Ideally, of course, this would make use of Websockets, in order to reduce the polling load on the server (as well as making it marginally easier to implement, as you don't have to manage polling).
I realized quickly that Ruby isn't really a great fit for having a large number of concurrent connections open at one time. Phoenix, however, is written in Elixir, so I can make use of the Erlang VM, which is quite good at long connections. It also seems like it could be greatly beneficial if all the chat data was stored separate from the main application database, which should also reduce load in the future.
The Problem
I want to be able to make this separation completely invisible to the user. They visit www.example.com/chat, and it loads all the relevant data in from chat.example.com and starts up the websockets, without requiring them to login to a separate service. I think using an <iframe> is probably the way to go about doing this.
My problem is sharing authentication and data between the two applications. The Rails app needs to be able to create conversations on the Phoenix app in response to certain events. The Phoenix app needs to know what user is currently authenticated into Rails, as well as general data about the user.
An OAuth flow with the Rails app as the ID provider seemed like a good fit at first, but I can't figure out a way for the Phoenix app to automatically be granted access. I also have some concerns about user records existing inside the Phoenix app—it should be aware of all users on the main application, so you can start a chat with a user even if they haven't ever opened chat.
What would be the best way to go about doing this? My intuition says that this is going to involve window.postMessage and some kind of token system, but I wanted to ask what the generally accepted way of doing this was before I accidentally created an insecure mess.
Sharing the session isn't too hard, assuming you are running at least Rails 4.1 and using JSON serialization (default for apps created with >=4.1). A quick google search finds PlugRailsCookieSessionStore, which accomplishes this.
For more information on what it takes to share a session between Rails and another language, Matt Aimonetti has an excellent blog post with detailed information.
Lastly, if you would prefer to stay entirely in Ruby, it's definitely doable. Ryan Stout discusses scalability around persistent connections in the FAQ for Volt, which uses a persistent connection for every user. The article he links is also a great read. Just mentioning it to help you weigh the trade off of building a separate app in another language.
I have installed jclouds and I am trying to learn how it works internally.
I read all the documentation on the site and on the github but still I have lot of questions about the architecture and implementation of the jClouds.
Do you know where I can find documentation about the deep technical implementation of the framework? I am also looking information on how to add a new provider( for blobstore service)
Currently I am looking into the code but it s not always straightforward what the code does.
The best thing to do is send an email to our dev list. You can subscribe by emailing jclouds-dev-subscribe#apache.org. You can also find us on IRC at #jclouds on freenode.
Adding a new provider is quite an important change for jclouds. The first thing you'll want to do is review How To Contribute. We need to make sure it will work properly and we'll be able to properly test it so don't be discouraged by the reviews.
Having said this, a number of general considerations to take into account when starting a new provider:
New providers are added in labs first, until they are stable.
To follow the jclouds style, use a 3 space indent and a 120 character line length.
We use Guava as our core library. Try to use its utilities before adding new dependencies. In general, do not add dependencies before consulting our dev# list.
We require both live and mock tests. "mock" tests verify that the api generates the expected request according to the method annotations, and that the response is properly parsed. We use MockWebServer to do that, and you can take a look at the MockTests classes in the openstack-swift api to see an example of how these tests work.
Often the best thing to do is to copy the entire directory structure of one of the existing apis or providers and delete everything that you don't need but keep some of the files around in each directory to server as an example of how to do things. You can rename those classes and start your work from there.
Which api or provider should you choose to use as an example for your work? It depends! Please email us on our dev# list to describe the work your doing and we will recommend one. The earlier you get engaged with the jclouds community, the easier the whole process will be.
Good luck!
I want to add a Ticket System to the web app I'm developing.
The idea is very simple:
Users can open tickets when they have problems and
the Admin can see the tickets the users have submitted.
I'm looking for a ticket system but I have found only systems that are external to the web. I want to add it IN my wep app.
¿Do you know any ticket system por rails?
Thanks
I think using some external gem like noted above would be either an overkill or a hassle due to mentioned bad documentation.
Judging by your problem description this is quite simple to implement.
Create model for tickets and associations with users (I assume you
already have users model fully set up).
Authorize access to tickets' actions depending on user status (admin
or not)
Create corresponding views
P.S.
You could have a look at Redmine code. It is an open source project management software written in rails. I am sure this could give you a good idea of how to build your own or even borrow bits of code from there (if the app license that you are building fits)
Maybe Simple-Ticket would fit you. Though beware the basic implementation and the fact that there is no documentation provided nor written specs.
Have a look at restrospectiva. It doesn't have any documentation though
This might be a nonsensical question, but I have this task to create a rails app that shares session information, specifically login/authorization info, with an installation of a phpBB that some other person has customized to be more than just a BB.
Basically I need to rely on the user's phpBB login to authorize access to the rails app. I really don't want to have the user maintain two logins to use this conceptual single app.
I read a lot of documentation on phpBB and didn't find anything like exposed services or an API, but I'm hoping I just missed something obvious.
I've been considering adding a method to expose some hash or something to link the two applications rather than try to squeeze possibly different implementations of session.
Quick context, this work needs to be done fast and cleanly and I've never developed in php and rails is super fast so I am investigating the idea of integrating the two sides.
I might be off in the weeds, so don't be afraid to say so :)
thanks!
Have you checked phpbb-auth?
https://github.com/mattfawcett/phpbb-auth