Setup active storage defaults #1
Conversation
There was a problem hiding this comment.
Im not to familiar with the active storage config so i might lean on @sfnelson for that side, but i do have a comment on adding the gem from the template
hasarindaKI
force-pushed
the
setup/active-storage
branch
2 times, most recently
from
eba61f3 to
f4a3921
Compare
hasarindaKI
force-pushed
the
setup/active-storage
branch
from
f4a3921 to
d6fcf05
Compare
| test: "https://example.com", | ||
| }.freeze | ||
|
|
||
| Rails.application.routes.default_url_options = { host: hosts[Rails.env.to_sym] } |
There was a problem hiding this comment.
This isn't a good long-term strategy. It will require manual changes for non-Katalyst projects.
I think that the staging and production environments should be getting this from their environment (ecs env). Please add a related PR to make that happen if it's not there already.
I think that the default_url_options setting should be in the environment files rather than here.
| run("rails active_storage:install") | ||
|
|
||
| # setup active_storage services | ||
| copy_file("config/storage.yml") |
|
|
||
| # setup active_storage services | ||
| copy_file("config/storage.yml") | ||
| gsub_file("config/storage.yml", "[DEFAULT_BUCKET_ID]", "katalyst-#{@app_name}-staging-assets") |
There was a problem hiding this comment.
Needs a strategy for connecting this app to the terraform configured bucket name. Could be manual.
| @@ -4,4 +4,9 @@ | |||
| resource :homepage, only: %i[show] | |||
|
|
|||
| root "homepages#show" | |||
|
|
|||
| unless Rails.env.development? || Rails.env.test? | |||
| unless Rails.env.development? || Rails.env.test? | ||
| put "/rails/active_storage/disk/:encoded_token", to: redirect("/404") | ||
| end | ||
| post "/rails/active_storage/direct_uploads", to: redirect("/404") |
There was a problem hiding this comment.
This should result in a routing error, not a redirect. That way the default rules apply.
Ideally we want to undefined the routes that ActiveStorage engine adds, but I don't know if that's possible. This is a hack approach that needs more thought imo.
Also needs documentation, as this is appropriate for Fringe and Koi but not generalisable to all situations (e.g. what if you have authenticated users and you want to allow them to upload files?
Finally, is this a realistic concern? Have the Rails team discussed why it's acceptable to allow arbitrary users to write to this endpoint? Is there any sort of nonce or CSFR protection that we're unaware of protecting these endpoints for DOS?
There was a problem hiding this comment.
There is an open rails issue about this:
rails/rails#34961
A blog post with suggested workaround:
https://givenis.me/securing-rails-active-storage-direct-uploads
This blog post uses authenticate_user, but we could instead cause a 404 by raising a routing error in a before action?
There was a problem hiding this comment.
Another related open rails issue:
rails/rails#52505
There was a problem hiding this comment.
- There is no way to remove a specific route; but you can remove all active storage routes by setting the
draw_routesconfig option tofalseor you could overwrite the default active storage route in your routes file - There is CSRF protection in DirectUploads but it is available on all the pages as a meta content
active_storagemigrationsactive_storagein environmentsaws-sdk-s3gem for AWS S3image_processingfor variant supporthosttodefault_url_options