Limit client requests based on origin via Rack-CORS
I have a Rails 4 API that validates an access token during a client request. I have a gors rack and the following setup:
config / application.rb:
config.middleware.insert_before 0, "Rack::Cors" do
allow do
origins '*'
resource '*', :headers => :any, :methods => [:get, :post, :options]
end
end
I have a model called ApiApp that stores an access token. There is a concern that opening an app to any origin poses a security risk. Is there a way to store the desired Origin, for example "test.com", in the ApiApp and be able to check using the rack-Kors installation that this is a match for every request?
app / controllers / api / v1 / api_controller.rb:
module Api
module V1
class ApiController < ApplicationController
respond_to :json
before_filter :restrict_access
private
def restrict_access
api_app = ApiApp.find_by_access_token(params[:access_token])
# need to check that the origin is whitelisted via rack-cors
head :unauthorized unless api_app
end
end
end
end
I am concerned that the rack-cors configurator is loaded once and cannot access the ApiApp data.
Request example:
https://hello.com/api/v1/products?access_token=7b9f3cddd3914a6f45fa692997fe6dc9
Thanks for any thoughts. I would like to draw your attention to examples showing proofing of origin using a pillar, alternative ways of checking (maybe a title), or any arguments that all are optional.
source to share
No one has answered this question yet
Check out similar questions: