Password protecting a rails staging environment

Asked 26/9, 2009 at 21:46 Answered 6/2, 2014 at 13:28

Solved ruby-on-rails authentication staging

I'm trying to work out what the best way to secure my staging environment would be. Currently I'm running both staging and production on the same server.

The two options I can think of would be to:

Use rails digest authentication

I could put something like this in the application_controller.rb

# Password protection for staging environment
if RAILS_ENV == 'staging'
  before_filter :authenticate_for_staging
end

def authenticate_for_staging
  success = authenticate_or_request_with_http_digest("Staging") do |username|
    if username == "staging"
      "staging_password"
    end
  end
  unless success
    request_http_digest_authentication("Admin", "Authentication failed")
  end
end

This was ripped from Ryan Daigle's blog. I'm running on the latest Rails 2.3 so I should be free from the security problem they had with this.

Use web server authentication

I could also achieve this using .htaccess or apache permissions, however it makes my server provisioning slightly more complex (I'm using Chef, and would require different apache configs for staging/production).

For now I have the first one implemented and working, do you see ay problems with it? Have I missed something obvious? Thanks in advance!

Bonneau answered 26/9, 2009 at 21:46 Comment(0)

bumping this to help others, like myself as I read this before settling on an similar, but cleaner solution.

# config/environments/staging.rb

MyApp::Application.configure do
  config.middleware.insert_after(::Rack::Lock, "::Rack::Auth::Basic", "Staging") do |u, p|
    [u, p] == ['username', 'password']
  end

 #... other config
end

I wrote a short blog post about it.

Dilemma answered 6/4, 2011 at 10:59 Comment(1)

There's also this option, which was added recently: github.com/rails/rails/commit/…, I like your solution though, I think it's the way to go. – Bonneau 6/4, 2011 at 15:2

If you are deploying with multi-staging environments and so you have production environment and staging environment, you only need to add these lines to config/environments/staging.rb

MyApp::Application.configure do
  # RESTRICTING ACCESS TO THE STAGE ENVIRONMENT
  config.middleware.insert_before(::Rack::Runtime, "::Rack::Auth::Basic", "Staging") do |u, p|
    u == 'tester' && p == 'secret'
  end

  ...

end

By doing so, you don't need to configure Apache.

I am using Ruby 2 with Rails 4 and it works like a charm!

Italianize answered 6/2, 2014 at 13:28 Comment(0)

I would go with the http basic authentication, I see no inherent problems with it.

Vellavelleity answered 26/9, 2009 at 22:4 Comment(1)

This is what I ended up doing. It has worked a treat for the last 3 months. – Bonneau 21/1, 2010 at 23:37

Recommended topics

Hot tags