Rails4, AngularJS, CSRF and Devise

I’ve been working further on my application, and run into a few challenges and issues with CSRF, so I’m elaborating a bit on my earlier post. At some point my tutorials will be updated to deal with this, but for now this is a placeholder that describes what CSRF protection does, where the issues lie, and what resolutions I’ve found to the overall problem.

Firstly, it seems that there are two general developer classes with Rails – those who are developing a Rails web application and therefore use Rails to create the pages, and those who are building an API using Rails and seem to turn off CSRF protection and use an API key to authenticate (in a sense I see an API key as a long-lived username and password, so I’m not a big fan of them for applications that require strong security).

I’m living in a middle space – the application front-end is all AngularJS, and it’s calling Rails asynchronously using JSON. But I’m still aiming to use Devise as my authentication engine, and I want to use CSRF protection to guard against malicious scripts that manipulate the API without the user knowing it. The default configurations don’t really appear to deal with this situation well.

In discussing the solution, I’ll start with a simplified discussion of what CSRF protection should and shouldn’t do, and then what pieces are needed to integrate (reasonably) cleanly.


Configuring puma init.d scripts and pumactl on debian with rvm

I’ve been building a trial version of our production environment, hosted on AWS. I’m using Debian as it’s what I’m most familiar with, and I’ve chosen to use puma to serve the Rails end of the site.

Puma comes with an init.d script and a control process called pumactl. These were non-trivial to get working, particularly when also using rvm, so I thought I’d document what I did in case someone else wants to do the same. The script uses great terminology based around the puma theme, so we have a jungle of pumas which may or may not come out to play. In essence you can have multiple puma instances on your server, each serving a different application.
