Allow config.hosts proc to receive request object #40328
Closed
+25
−4
Didn't get much feedback from the core mailing list, but what I did get was encouraging.
Summary
I wanted a way to skip the host authorization check - which I want to use in production as protection against host header poisoning - for a specific endpoint. With my application set up behind a load balancer on AWS, the host that the application sees on the health check is the IP address of the load balancer, which can change and therefore can't be hard-coded into my application. There is nothing sensitive at the health check endpoint, and I'd like to just skip the check there.
In a Rails 5 app, I just implemented the host filtering stuff in my own custom middleware. I guess I could keep doing that on Rails 6, but since Rails now has its own middleware for this, it seems like all of that functionality should be kept in one place if possible.
ActionDispatch::HostAuthorization accepts a list of allowed values via config.hosts. An item in this list can be anything that responds to ===, which includes a Proc. Passing the entire request object - in addition to the host value - to such a Proc allows for customization like skipping the host authorization check on a particular endpoint, e.g. a health check.
Usage
Or just
Questions and concerns
allowed.call instead of trying to keep using === for everything?
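A stand-alone model of the matching described in the summary, added here as an illustration and not taken from the PR or from Rails. `HostAllowlist`, the `Request` struct, the hostnames and the `/healthz` path are assumptions, as is the two-argument proc form, since the PR's own usage snippet is not shown on this page.

```ruby
# Added example: stand-alone model of allowlist matching, not Rails source code.
# Request is a constructed stand-in for ActionDispatch::Request.
Request = Struct.new(:host, :path)

# Hypothetical checker: each allowlist entry is matched with ===, except that
# a two-argument Proc (assumed shape of this proposal) also gets the request.
class HostAllowlist
  def initialize(entries)
    @entries = entries
  end

  def allows?(request)
    @entries.any? do |entry|
      if entry.is_a?(Proc) && entry.arity == 2
        entry.call(request.host, request)
      else
        entry === request.host # String#===, Regexp#===, or Proc#=== (call)
      end
    end
  end
end

ALLOWLIST = HostAllowlist.new([
  "app.example.test",                  # exact host (constructed)
  /\A[a-z0-9-]+\.example\.test\z/,     # anchored single-label subdomain
  # Exempt only the exact health check path, whatever the Host header is.
  ->(_host, request) { request.path == "/healthz" }
])

def check(host, path)
  ALLOWLIST.allows?(Request.new(host, path)) ? :allowed : :blocked
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests: (Host header, path)
  [["app.example.test", "/"],
   ["10.0.3.17", "/healthz"],
   ["10.0.3.17", "/password/reset"],
   ["app.example.test.evil.test", "/"]].each do |host, path|
    puts format("%-28s %-16s %s", host, path, check(host, path))
  end
end
```

Matching the exact path rather than a prefix or pattern keeps the exemption from widening: every other route still requires an allowed host.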