Rails form in external site with ajax - ruby-on-rails

Basically I'm wondering if it's possible to have a form on a site outside of my main Rails app POST to a form in my Rails app. For example (not what I'm going to be doing), a contact form on a WordPress site, when submitted, would POST the values to my Rails app. What would my steps be to make that possible? Or are there any references already out there?
OR, if it's possible, to load a form from my Rails app into an outside site using Ajax or something. Eh, that's probably a long shot, but I don't know which would be more secure and slim on code.
Thanks so much!

If you do it with AJAX you may have to handle XSS issues. Maybe you need to write an easy API for your application that could be consumed from that other application. That's not difficult from Rails and you can get help from some good controller abstractions like inherited_resources.
At some point that external application will send a form to itself using AJAX and will handle it and send it to your rails application using JSON or XML... or whatever format you want.

Yes, you can do it. Be aware that you'll have issues with the form authenticity token, so it might be easier to turn the token off.

Related

What would be the best way to use AngularJS with Ruby on Rails?

I'm about to start a new project and I am unsure whether using AngularJS for my front end would be a good idea or not. I've read people saying this isn't the smartest way of doing a project. And even if I did, is there a way to get AngularJS to interact with the controllers? This question may be redundant, but I am actually curious how to do this effectively without it being a waste of time.
I've never completely done it, but I believe the way to go is to build a Rails api and then have a separate Angular project use said api. The api could also be used to build a mobile app. I think the Angular project would still need to be served from a Node.js server in production, but I don't think that would be a big deal.
This is what I used to learn how to build a Rails api: http://apionrails.icalialabs.com/book/chapter_one
You can do it within an existing project and share the models from it.
There are several different approaches to accomplish that. I tried about 5 different guides out there; the best I found (and the one I finally stuck with) was https://thinkster.io/angular-rails - This guide should help you build a basic CRUD app with angular connected to rails.
You use Rails as a JSON RESTful API which responds to Ajax requests (GET, POST, PUT, DELETE). Angular will handle the frontend stuff - sending those Ajax requests to the routes/methods defined in your rails controllers. So yes, of course your AngularJS app can interact with your rails controllers.
This also helped me to understand the setup in the beginning: instead of the Rails view, you will be using AngularJS as your view.
I really love using angular with rails, because setting up the JSON responses (especially with the Active Model Serializer gem) is very easy and quickly done. I definitely can recommend it, and I have not encountered any unsolvable problems - so far.
Just go through the guide I linked and you will see if this setup fits your needs.
The short answer is that your Rails application will have to present some kind of public API for your AngularJS application to consume. Angular (and its brethren, like React and Ember) runs client-side, in the browser, and it needs "something" to make AJAX calls against. That "something", i.e. your backend, can be Firebase, Parse, AWS Lambdas, a Rails API, etc. Since you already have a Rails application, it probably makes the most sense to add some RESTful API endpoints that use the existing models (and possibly controllers) to consume/produce JSON payloads from/for the client.

Am I handling the architecture of my Rails site correct?

This is a rather subjective question. I am looking for expert opinion because this is the first time I'm architecting an enterprise Rails application.
I decided to make my site completely AJAX based and I'm not using Rails AJAX helpers at all. Reason being: I'm new to web development and I like to know what's happening behind the code I'm writing.
Also, this is a fairly large dashboard based analytics application and I'm absolutely not using any erb tags. All data comes and goes using AJAX.
So, whenever I need any data, I write a rails route like this
    match "people/all" => "people#all", via: :get   # config/routes.rb
    def all                                          # app/controllers/people_controller.rb
      respond_to do |format|
        format.json { render json: Person.all }      # all JSON is rendered here
      end
    end
Same goes for POST calls.
Am I doing it right?
The next thing I'm going to do is add CSRF token security (if it doesn't match, the controller will send no AJAX back).
I'm also driving an API for mobile apps off this project but the API is protected with keys.
I know maybe something like Ember or a micro framework could have been a better choice, but my application is going to have loads of features, so I stuck with Rails instead of diving into another framework.
So,
Is it in some way bad to make rails views without erb tags and do everything with AJAX?
Is my app going to be vulnerable in any way?
thanks.
You shouldn't be doing any of this yourself, Rails does this for you, including handling CSRF tokens. Your application controller should already be doing this.
Use resources :people in your routes. The route to "get all people" should simply be /people, not /people/all.
Examine a scaffold-generated controller to figure out how your routes should map to the seven default RESTful actions.
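The answer above points at the seven actions that `resources :people` generates. The following is an added example, not code from any of the posts and not Rails' own router: a small Ruby matcher that maps an HTTP verb and path to the conventional controller action, with a JSON dispatcher over an in-memory stand-in for `Person.all` so you can see why `/people/all` has no place in that scheme. All names and the sample data are constructed.

```ruby
require "json"

# Constructed in-memory data standing in for Person.all (not a real model).
PEOPLE = {
  1 => { "id" => 1, "name" => "Ada" },
  2 => { "id" => 2, "name" => "Grace" },
}

# What `resources :people` expands to: verb + path pattern -> action.
# Order matters: the literal "new" / "edit" segments are tried before ids.
RESOURCE_ROUTES = [
  ["GET",    %r{\A/(?<res>\w+)\z},                 "index"],
  ["GET",    %r{\A/(?<res>\w+)/new\z},             "new"],
  ["POST",   %r{\A/(?<res>\w+)\z},                 "create"],
  ["GET",    %r{\A/(?<res>\w+)/(?<id>\d+)\z},      "show"],
  ["GET",    %r{\A/(?<res>\w+)/(?<id>\d+)/edit\z}, "edit"],
  ["PATCH",  %r{\A/(?<res>\w+)/(?<id>\d+)\z},      "update"],
  ["PUT",    %r{\A/(?<res>\w+)/(?<id>\d+)\z},      "update"],
  ["DELETE", %r{\A/(?<res>\w+)/(?<id>\d+)\z},      "destroy"],
].freeze

# Returns { controller:, action:, id: } or nil when nothing conventional matches.
def route_for(method, path)
  RESOURCE_ROUTES.each do |verb, pattern, action|
    next unless verb == method
    m = pattern.match(path)
    next unless m
    return { controller: m[:res], action: action, id: (m.names.include?("id") ? m[:id] : nil) }
  end
  nil
end

# A JSON-only controller in miniature: returns [status, body] like a
# respond_to block rendering format.json would.
def dispatch(method, path, params = {})
  route = route_for(method, path)
  return [404, { "error" => "no route for #{method} #{path}" }.to_json] unless route

  id = route[:id]&.to_i
  not_found = [404, { "error" => "not found" }.to_json]
  case route[:action]
  when "index"
    [200, PEOPLE.values.to_json]
  when "show"
    PEOPLE[id] ? [200, PEOPLE[id].to_json] : not_found
  when "create"
    new_id = (PEOPLE.keys.max || 0) + 1
    PEOPLE[new_id] = { "id" => new_id, "name" => params["name"].to_s }
    [201, PEOPLE[new_id].to_json]
  when "update"
    return not_found unless PEOPLE[id]
    PEOPLE[id]["name"] = params["name"].to_s if params.key?("name")
    [200, PEOPLE[id].to_json]
  when "destroy"
    PEOPLE.delete(id) ? [204, ""] : not_found
  else
    # "new" and "edit" exist to render HTML forms; a JSON-only app has no body for them.
    [200, { "action" => route[:action] }.to_json]
  end
end
```

Note that `GET /people/all` falls through to 404: the list lives at `GET /people` (the index action), and each record at `GET /people/:id`, which is what a scaffold-generated controller already implements.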

Sending forms to the rails application from outside HTML websites

I need to submit forms from a couple of remote sites to a central Rails application that processes and stores the data. You can think of it as a widget form (something similar to what the Wufoo service provides).
These outside sites are going to be pure HTML (which means no server-side scripting - only JS/jQuery on the browser side). I am aware that the straightforward way to do it would be to put the form inside an iframe element, but I'd be glad to avoid this.
What would be a good and safe pattern to build such interaction?
I wrote a simple HTML form that sends data to the create action in the proper controller and submits the form with AJAX/jQuery. It almost works; however, I got the
WARNING: Can't verify CSRF token authenticity
warning, so I'm sure this approach would not be usable in production.
Could someone who is experienced give me some advice? Thank you.
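The earlier answer suggests turning the authenticity token off, and this question shows the warning Rails emits when a cross-site POST arrives without one. The following is an added example, not code from any post and not Rails' own implementation: a plain-Ruby model of the check behind `protect_from_forgery`, kept deliberately simpler than Rails (which also masks the token per form), next to a per-client API key check for the endpoint that outside sites are meant to call. The session hash, request hash, `/api/` prefix and the key table are all constructed for the example.

```ruby
require "securerandom"

# Issue the per-session secret that Rails embeds in forms (the hidden
# authenticity_token field) and in the <meta name="csrf-token"> tag that
# jQuery/Angular read for AJAX requests. The hash stands in for the session store.
def issue_csrf_token(session)
  session[:csrf_token] ||= SecureRandom.base64(32)
end

# Compare two tokens in constant time so a mismatch cannot be timed byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# The check performed on state-changing requests. A form on an outside site
# cannot read the token out of this session, so its POST arrives without one
# and is rejected; that is what "Can't verify CSRF token authenticity" reports.
def csrf_valid?(session, request)
  return true if %w[GET HEAD OPTIONS].include?(request[:method])
  submitted = request[:params]["authenticity_token"] || request[:headers]["X-CSRF-Token"]
  expected = session[:csrf_token]
  return false if expected.nil? || submitted.nil?
  secure_compare(expected, submitted)
end

# For endpoints that other sites are meant to call, authenticate the caller
# with its own credential instead of disabling the check for the whole app.
# Constructed key table, not a real key store.
API_KEYS = { "demo-key-123" => "wordpress-contact-form" }.freeze

# Returns the registered client name, or nil when the key is missing or unknown.
def api_client_for(request)
  API_KEYS[request[:headers]["X-Api-Key"]]
end

# Route-level decision: session-bound token for the app's own pages,
# API key for the cross-site endpoint under the hypothetical /api/ prefix.
def accept?(session, request)
  if request[:path].start_with?("/api/")
    !api_client_for(request).nil?
  else
    csrf_valid?(session, request)
  end
end
```

In a real Rails app the first half is `protect_from_forgery with: :exception` in ApplicationController; for an API namespace, `protect_from_forgery with: :null_session` (Rails 4 and later) keeps the check from raising while you authenticate the caller yourself, and a browser posting from another origin additionally needs CORS response headers, which the rack-cors gem adds.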

sample Rails Application that includes email support page with captcha

What's the quickest / easiest starting point for a simple Rails application that has a main page, and an email "contact us" page, with captcha support? Is there a popular base Rails app that I could download that would already have this functionality as a starting point?
(e.g. for just a basic informational type web site, but with the ability for the user to send support requests back to support, via a web page with captcha)
thanks
IMHO you shouldn't use Rails, nor any other framework, for a task like that. For a simple contact form you could put a standalone PHP page plus some static HTML pages on your server and you're done.
If you don't know Rails yet (or any other web framework written in any language), it would be a pain to set up such a structure only to display a contact form. It's like taking a gun to kill a fly.
BTW, to come to your question: I don't know any project that does what you're asking for. Maybe you want to try to do it yourself; it's pretty simple, what you need is ActionMailer and a captcha plugin.
Just my two cents.

Is there any way for a malicious user to view the controller/model code in my Rails app while it is running?

This is probably a stupid question but I'll go ahead and humble myself.
The Ruby code in my controllers and models is interpreted so that an HTML result is sent to the browser. Ok, I get that part.
But is there any way for a malicious user to somehow take a peek at the Ruby code in the controllers and models by bypassing the process that converts or interprets that code before it is sent to the browser?
The reason I'm concerned is I am planning on doing some order processing in my app and if a malicious user was able to do that, they might be able to figure out how to do all kinds of unpleasant things.
Side tip: make sure you use html_escape or h to escape user data and prevent someone from injecting code into your site. For example, use
<%= h(person.name) %> so that someone can't put javascript in the name field and have it run when people view that page.
Nope. Try to navigate to the file yourself in the browser; you won't be able to see it. Your biggest worry should be someone trying to fake out GETs and POSTs because they know how REST works.
Assuming you have things set up correctly, the web server in front of Rails is pointed at the /public directory. So anything in that directory may be open to direct access. However, the web server intercepts the HTTP call based on certain criteria and redirects it to Rails for processing.
The architecture of Rails makes it impossible for model and controller code to be exposed to the public. There is a possibility that view code is viewable, but ONLY if you seriously mess up the code (I think). I have never managed to expose code to the client by accident, and I have never deliberately attempted to do so.
