Class: Rails::Auth::ErrorPage::DebugMiddleware

Inherits: Object
Defined in:
lib/rails/auth/error_page/debug_middleware.rb

Overview

Renders a descriptive access-denied page with debugging information about why the given request was not authorized: the credentials presented and the ACL resources matching the request path. Useful for debugging, but it discloses your ACL to whoever triggered the denial, which may be an attacker. Only enable it where you are comfortable with that information being public.

Constant Summary

RESPONSE_HEADERS =

Configures a CSP that disables JavaScript but allows inline CSS. This is defence in depth in case someone pulls off a reflected XSS; all values rendered on the page are escaped (see #h), so that should not happen.

{
  "Content-Type" => "text/html",
  "Content-Security-Policy" =>
  "default-src 'self'; " \
  "script-src 'none'; " \
  "style-src 'unsafe-inline'"
}.freeze

Instance Method Summary

Constructor Details

#initialize(app, acl: nil) ⇒ DebugMiddleware

Returns a new instance of DebugMiddleware.

Raises:

  • (ArgumentError) if acl is not a Rails::Auth::ACL


# File 'lib/rails/auth/error_page/debug_middleware.rb', line 24

def initialize(app, acl: nil)
  raise ArgumentError, "ACL must be a Rails::Auth::ACL" unless acl.is_a?(Rails::Auth::ACL)

  @app = app
  @acl = acl
  @erb = ERB.new(File.read(File.expand_path("debug_page.html.erb", __dir__))).freeze
end

Instance Method Details

#call(env) ⇒ Object

# File 'lib/rails/auth/error_page/debug_middleware.rb', line 32

def call(env)
  @app.call(env)
rescue Rails::Auth::NotAuthorizedError
  [403, RESPONSE_HEADERS.dup, [error_page(env)]]
end

#error_page(env) ⇒ Object

# File 'lib/rails/auth/error_page/debug_middleware.rb', line 38

def error_page(env)
  credentials = Rails::Auth.credentials(env)
  resources   = @acl.matching_resources(env)

  @erb.result(binding)
end

#format_attributes(value) ⇒ Object

# File 'lib/rails/auth/error_page/debug_middleware.rb', line 49

def format_attributes(value)
  value.respond_to?(:attributes) ? value.attributes.inspect : value.inspect
end

#format_path(path) ⇒ Object

# File 'lib/rails/auth/error_page/debug_middleware.rb', line 53

def format_path(path)
  path.source.sub(/\A\\A/, "").sub(/\\z\z/, "")
end

#h(text) ⇒ Object

# File 'lib/rails/auth/error_page/debug_middleware.rb', line 45

def h(text)
  CGI.escapeHTML(text || "")
end
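The following is an added, self-contained example (not code from the rails-auth gem) showing the pattern the methods above implement end to end: a Rack middleware that rescues the authorization error, renders the matching ACL resources and presented credentials through an escaping helper, and sends the response with the script-blocking CSP. The ACL, resource and credential classes, the NotAuthorizedError class, the "example.credentials" env key and the "/admin" sample ACL are all stand-ins constructed for this example; the real gem's ACL and credential lookup differ.

```ruby
require "cgi"
require "erb"

# Stand-in for the gem's NotAuthorizedError (assumption for this example).
class NotAuthorizedError < StandardError; end

# Assumed stand-in for an ACL resource: an anchored path regexp plus the
# attributes an operator wants to see on the debug page.
StubResource = Struct.new(:path, :attributes)

# Assumed stand-in for an ACL: only what the debug page needs.
class StubACL
  def initialize(resources)
    @resources = resources
  end

  # Resources whose path regexp matches the request path.
  def matching_resources(env)
    @resources.select { |r| r.path.match?(env["PATH_INFO"].to_s) }
  end
end

# Assumed stand-in for a credential object that responds to #attributes.
StubCredential = Struct.new(:attributes)

class DebugDeniedPage
  CREDENTIALS_KEY = "example.credentials" # assumed env key, not the gem's

  # Same header set as the documented middleware: no script execution,
  # inline CSS only, so a missed escape cannot become script injection.
  RESPONSE_HEADERS = {
    "Content-Type" => "text/html",
    "Content-Security-Policy" =>
      "default-src 'self'; " \
      "script-src 'none'; " \
      "style-src 'unsafe-inline'"
  }.freeze

  # Every interpolated value goes through h(), so attacker-controlled input
  # (the request path) is rendered as text, never as markup.
  TEMPLATE = <<~'ERB'
    <h1>Access denied</h1>
    <p>Request: <%= h(env["REQUEST_METHOD"]) %> <%= h(env["PATH_INFO"]) %></p>
    <h2>Credentials</h2>
    <ul>
    <% credentials.each do |type, cred| %>
      <li><%= h(type.to_s) %>: <%= h(format_attributes(cred)) %></li>
    <% end %>
    </ul>
    <h2>Matching resources</h2>
    <ul>
    <% resources.each do |r| %>
      <li><%= h(format_path(r.path)) %> <%= h(r.attributes.inspect) %></li>
    <% end %>
    </ul>
  ERB

  def initialize(app, acl:)
    raise ArgumentError, "ACL must respond to #matching_resources" unless acl.respond_to?(:matching_resources)

    @app = app
    @acl = acl
    @erb = ERB.new(TEMPLATE).freeze
  end

  # Pass the request through; on denial, answer 403 with the debug page.
  def call(env)
    @app.call(env)
  rescue NotAuthorizedError
    [403, RESPONSE_HEADERS.dup, [error_page(env)]]
  end

  # Locals credentials/resources are picked up by the template via binding.
  def error_page(env)
    credentials = env.fetch(CREDENTIALS_KEY, {})
    resources   = @acl.matching_resources(env)
    @erb.result(binding)
  end

  def format_attributes(value)
    value.respond_to?(:attributes) ? value.attributes.inspect : value.inspect
  end

  # Strip the \A and \z anchors so operators see the bare path pattern.
  def format_path(path)
    path.source.sub(/\A\\A/, "").sub(/\\z\z/, "")
  end

  def h(text)
    CGI.escapeHTML(text || "")
  end
end

# Constructed sample: an app that denies everything under /admin, fronted by
# the debug middleware, called with a constructed Rack env for +path+.
def demo_response(path)
  acl = StubACL.new([StubResource.new(%r{\A/admin/.*\z}, { "allow_x509_subject" => "ou=admin" })])
  app = ->(env) { env["PATH_INFO"].start_with?("/admin") ? raise(NotAuthorizedError) : [200, {}, ["ok"]] }
  env = {
    "REQUEST_METHOD" => "GET",
    "PATH_INFO" => path,
    DebugDeniedPage::CREDENTIALS_KEY => { x509: StubCredential.new({ "ou" => "guest" }) }
  }
  DebugDeniedPage.new(app, acl: acl).call(env)
end
```

Calling demo_response("/admin/<script>alert(1)</script>") returns a 403 whose body shows the ACL entry (the "ou=admin" requirement) and the guest credential, while the injected path appears only as escaped text; a request to "/public" passes through untouched. The body is exactly the disclosure the overview warns about: the page tells the requester which resource matched and what the ACL expects.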