
Be secure by default by avoiding credentials fallback for admin

If credentials aren't provided through env variables at app boot,
then an exception will be raised specifying the missing key.
Bounga committed Feb 7, 2018
1 parent 635b403 commit b2cc14e44224b4cff18837c472aff975cdbe47d6
Showing with 8 additions and 2 deletions.
  1. +2 −0 .env.development.sample
  2. +2 −0 .env.test.sample
  3. +4 −2 apps/admin/application.rb
@@ -2,3 +2,5 @@
DATABASE_URL="postgresql://localhost/contributors_development"
SERVE_STATIC_ASSETS="true"
WEB_SESSIONS_SECRET="51c28b4ad5470b0ad6154e5a3a31047265901bc33e2fbf7775afa311cec79252"
ADMIN_USERNAME="hanami"
ADMIN_PASSWORD="hanami"
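Review bot: the two added lines put a concrete, guessable pair (`ADMIN_USERNAME="hanami"` / `ADMIN_PASSWORD="hanami"`) into the development sample, which developers will typically copy into `.env.development` unchanged, so the predictable default the commit message aims to remove from code survives in configuration. Suggest an obviously placeholder value such as `ADMIN_PASSWORD="change-me"`, or a comment line above them in the sample stating they must be replaced before use.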
@@ -3,3 +3,5 @@ DATABASE_URL="postgresql://localhost/contributors_test"
SERVE_STATIC_ASSETS="true"
WEB_SESSIONS_SECRET="79bf4569447bc93d5cf6923dfe68561261ff289ffe2afdd2e24f062be5bda573"
API_SESSIONS_SECRET="362a916eb6c3945b761bfd4dc02e24c6f7ba64891afbfdb538ae8a721b7aac41"
ADMIN_USERNAME="hanami"
ADMIN_PASSWORD="hanami"
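Review bot: the same fixed pair in the test sample is acceptable for a test fixture, but since `.env.test.sample` is a committed file a one-line comment marking these values as test-only would keep them from being read as a recommended default alongside the development sample.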
@@ -258,13 +258,15 @@ class Application < Hanami::Application
# This is useful for sharing common functionality
#
# See: http://www.rubydoc.info/gems/hanami-controller#Configuration
ADMIN_USERNAME = ENV.fetch('ADMIN_USERNAME')
ADMIN_PASSWORD = ENV.fetch('ADMIN_PASSWORD')

controller.prepare do
# include MyAuthentication # included in all the actions
# before :authenticate! # run an authentication before callback

use Rack::Auth::Basic, 'Admin' do |username, password|
username == ENV.fetch('ADMIN_USERNAME', 'hanami') &&
password == ENV.fetch('ADMIN_PASSWORD', 'hanami')
username == ADMIN_USERNAME && password == ADMIN_PASSWORD
end
end
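Review bot: the `ENV.fetch('ADMIN_USERNAME')` / `ENV.fetch('ADMIN_PASSWORD')` calls at class-load time give the intended fail-fast behaviour (a `KeyError` naming the missing variable at boot), but the replacement line `username == ADMIN_USERNAME && password == ADMIN_PASSWORD` still compares with plain `==`, which stops at the first differing byte and so leaks comparison length through timing; `Rack::Utils.secure_compare(username, ADMIN_USERNAME) & Rack::Utils.secure_compare(password, ADMIN_PASSWORD)` (non-short-circuiting `&`) would make the check constant-time. Note for readers of this rendering that the `+`/`-` markers were lost: the `+4 −2` count in the file list indicates the two `ENV.fetch(..., 'hanami')` lines with fallbacks are the deleted ones and the single `ADMIN_USERNAME && ... ADMIN_PASSWORD` line is their replacement.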

0 comments on commit b2cc14e
