Is there a way to set up simple http authentication for a Ruby on Rails app on heroku?

夕颜 2020-12-07 16:07

I want to set up a private staging server on heroku using simple http authentication. Is that possible?

6 answers
  • 2020-12-07 16:24

    A cleaner way is to just drop in a couple lines of Rack middleware into your staging environment config, leaving controller logic alone:

    # config/environments/staging.rb
    MyApp::Application.configure do
      config.middleware.insert_after(::Rack::Lock, "::Rack::Auth::Basic", "Staging") do |u, p|
        [u, p] == ['username', 'password']
      end
    
      #... other config
    end
    

    This tip courtesy of Ole Morten Amundsen. More info plus Heroku password specification:

    http://olemortenamundsen.wordpress.com/2011/04/05/ruby-secure-staging-environment-of-your-public-app-from-users-and-bots/

  • 2020-12-07 16:24

    Another way to do it using the application_controller.rb:

      # app/controllers/application_controller.rb
      before_filter :http_basic_auth
    
      def http_basic_auth
        if ENV['HTTP_AUTH'] =~ %r{(.+)\:(.+)}
          unless authenticate_with_http_basic { |user, password|  user == $1 && password == $2 }
            request_http_basic_authentication
          end
        end
      end
    

    Then you need to export your values. For development:

     export HTTP_AUTH=test:test
    

    For heroku:

     heroku config:set HTTP_AUTH=test:test
    

    Now when the window prompts you, enter test/test for user/password.

    That's it, hope you find it useful.

  • 2020-12-07 16:25

    On Rails 4, I got a "No such middleware to insert after: Rack::Lock" error. Replace Adam's code with the below:

    # config/environments/staging.rb
    MyApp::Application.configure do
      config.middleware.use '::Rack::Auth::Basic' do |u, p|
        [u, p] == ['username', 'password']
      end
      # ...
    end
    

    See: http://www.intridea.com/blog/2013/6/4/tips-and-tricks-for-deploying-rails-4-apps-on-heroku

  • 2020-12-07 16:30

    Absolutely. The simplest solution is to just put something in your application controller that uses Rails's built in basic auth support (see here: http://railscasts.com/episodes/82-http-basic-authentication) and just wrap it in a conditional for your Rails.env. Note that on Heroku, by default the RAILS_ENV is set to production, but you can change this for your non-production apps using heroku config (http://docs.heroku.com/config-vars).

    You could also consider installing some roadblock-style Rack middleware, but I'd just go with the above.

  • 2020-12-07 16:46

    There is a nice heroku add-on that uses Mozilla Persona for authentication. It's free for low-volume sites (under 10,000 authentications per month):

    https://addons.heroku.com/wwwhisper

    Very easy to install and configure.

  • 2020-12-07 16:47

    Updated answer for Rails 5+. In your config/application.rb or selected environment config:

    config.middleware.use(Rack::Auth::Basic) do |u, p|
      [u, p] == [ENV['USER'], ENV['PASSWORD'] || SecureRandom.hex]
    end
    

    It's been pointed out in Ole's blog post to use ENV vars. I'd add that defaulting to a random password is a good idea in case the env var is not set.

    To use it only on certain paths you can create your own middleware (refer to this answer):

    class AdminAuth < Rack::Auth::Basic
      def call(env)
        req = Rack::Request.new(env)
    
        return @app.call(env) unless admin_path?(req)
    
        super
      end
    
      def admin_path?(req)
        req.path =~ /^\/admin\/*/
      end
    end
    
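Added example, not part of any answer above and not code from Rack or Rails: a Rack-style middleware in core Ruby that combines the ideas in the answers, taking credentials from configuration, failing closed when they are unset, comparing them without an early exit instead of with `==`, and optionally protecting only some paths. The class name `StagingBasicAuth` and its `user:`, `password:`, `realm:` and `only:` parameters are assumptions made for this sketch.

```ruby
# Added example, not from the answers: Rack-style Basic auth using only core Ruby.
# StagingBasicAuth and its keyword arguments are hypothetical names.
require 'digest'

class StagingBasicAuth
  def initialize(app, user:, password:, realm: 'Staging', only: nil)
    @app, @user, @password, @realm, @only = app, user, password, realm, only
  end

  def call(env)
    # Optional path scoping: requests outside `only` pass through untouched.
    return @app.call(env) if @only && !env['PATH_INFO'].to_s.match?(@only)
    return deny unless configured? && authorized?(env['HTTP_AUTHORIZATION'])

    @app.call(env)
  end

  private

  # Fail closed: unset or empty credentials mean nobody gets in.
  def configured?
    [@user, @password].none? { |v| v.to_s.empty? }
  end

  def authorized?(header)
    scheme, encoded = header.to_s.split(' ', 2)
    return false unless scheme&.casecmp?('basic') && encoded

    # Decode base64, then split on the first colon only (passwords may contain ':').
    user, password = encoded.unpack1('m').split(':', 2)
    # Non-short-circuit & so both comparisons always run.
    secure_equal?(user, @user) & secure_equal?(password, @password)
  end

  # Compare SHA-256 digests byte by byte without exiting early on a mismatch.
  def secure_equal?(given, expected)
    a = Digest::SHA256.digest(given.to_s).bytes
    b = Digest::SHA256.digest(expected.to_s).bytes
    a.zip(b).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def deny
    headers = { 'content-type' => 'text/plain',
                'www-authenticate' => %(Basic realm="#{@realm}") }
    [401, headers, ["Unauthorized\n"]]
  end
end
```

In a Rails environment file this would be mounted with `config.middleware.use StagingBasicAuth, user: ENV['STAGING_USER'], password: ENV['STAGING_PASSWORD']`; the two variable names are placeholders.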