Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rewrite rules #95

Open
elliot-nelson opened this issue Feb 3, 2016 · 4 comments
Open

Rewrite rules #95

elliot-nelson opened this issue Feb 3, 2016 · 4 comments

Comments

@elliot-nelson
Copy link

It might be nice to have some facility to provide rewrite rules in a configuration block. For example, if you have some Rack rewrite (or nginx/unicorn-level rewrites), it's difficult to get a signature match.

As an example, if the incoming request_uri is /api/v1/posts, it'd be nice to be able to say:

ApiAuth.allow_uri('api/v1/posts', ['api/posts', 'posts'])

(The desired outcome is that if I POST to /posts, and nginx rewrites my request to /api/v1/posts, ApiAuth will check each possible signature and return true if any of them match.)

(Another approach might be an option allowing you to specify a certain header -- Http-X-Original-URI, for example, or whatever header your web server might generate -- instead of using request_uri when building and verifying the signature.)
@kjg
Copy link
Collaborator

kjg commented Feb 4, 2016

I think it would make sense to have a header that specifies the path
originally used to sign the request. On the server side I wonder if we
should provide for some sort or warning or ability to pass allowed paths
into the authentic? method or some other way to make this an opt in only
feature

On February 3, 2016 at 8:19:59 AM, elliot nelson ([email protected])
wrote:

It might be nice to have some facility to provide rewrite rules in a
configuration block. For example, if you have some Rack rewrite (or
nginx/unicorn-level rewrites), it's difficult to get a signature match.

As an example, if the incoming request_uri is /api/v1/posts, it'd be nice
to be able to say:

ApiAuth.allow_uri('api/v1/posts', ['api/posts', 'posts'])

(The desired outcome is that if I POST to /posts, and nginx rewrites my
request to /api/v1/posts, ApiAuth will check each possible signature and
return true if any of them match.)

(Another approach might be an option allowing you to specify a certain
header -- Http-X-Original-URI, for example, or whatever header your web
server might generate -- instead of using request_uri when building and
verifying the signature.)


Reply to this email directly or view it on GitHub
#95.

@iMacTia
Copy link
Contributor

iMacTia commented Nov 22, 2016

Just bumped into the exact same issue, happy to provide a PR if given the direction to fix this.
We have Nginx on top of a Rails application and this is rewriting incoming calls, making the signature check failing.

@PaulaCara
Copy link

+1

@iMacTia iMacTia mentioned this issue Nov 28, 2016
Merged
@iMacTia
Copy link
Contributor

iMacTia commented Nov 28, 2016

Worked on a fix for this, you can see it on #137

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@kjg @elliot-nelson @iMacTia @PaulaCara