Rake middleware (for Rails) to simply obfuscate application access

access_obfuscator.rb

# The MIT License (MIT)
#
# Copyright (c) 2017 https://gist.github.com/rbf
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.

# AccessObfuscator
#
# SOURCE: https://gist.github.com/rbf/b5f962978b3cff165cbdcdb37f19ad3f
#
# When an application is deployed on a PaaS like Heroku it is visible to all
# those knowing the url. In order to prevent the discovery of the app before the
# intended release, we obfuscate the access with a secret token. In order to
# access the app, this secret token (which is configured in an ENV variable with
# the name OBFUSCATED_ACCESS_TOKEN) must be provided at least on the first app
# request as a query parameter with the name 'oat'. The token must be provided
# only once each time the app is restarted, since the ip of the requestor gets
# whitelisted in memory (not into the DB). If the ENV variable
# OBFUSCATED_ACCESS_TOKEN is not present or it's a blank string, the access to
# the app will not be blocked.
#
# To install the middleware, add the following lines at the end of the
# configuration file in /config/environments/production.rb:
#
#   if (oat = ENV['OBFUSCATED_ACCESS_TOKEN'])
#     config.middleware.use AccessObfuscator, oat
#   end
#
# SOURCE: http://ieftimov.com/writing-rails-middleware

class AccessObfuscator
  OBFUSCATED_ACCESS_QUERY_PARAM = 'oat'.freeze
  UNAUTHORIZED_RESPONSE = [
    401,
    { 'Content-Type' => 'text/html' },
    ['Unauthorized']
  ].freeze

  def initialize(app, obfuscated_access_token)
    @app                      = app
    @auto_whitelisted_ips     = Set.new
    @obfuscated_access_token  = obfuscated_access_token
  end

  def call(env)
    if @obfuscated_access_token.present?
      check_obfuscated_access(env)
    else
      allow_access(env)
    end
  end

private

  def check_obfuscated_access(env)
    request = Rack::Request.new(env)
    if allow_access?(request)
      whitelist_ip(request)
      request.delete_param(OBFUSCATED_ACCESS_QUERY_PARAM)
      allow_access(env)
    else
      block_access(env)
    end
  end

  def allow_access?(request)
    whitelisted_ip?(request) || valid_token?(request)
  end

  def whitelisted_ip?(request)
    @auto_whitelisted_ips.include?(request.ip)
  end

  def whitelist_ip(request)
    @auto_whitelisted_ips << request.ip
  end

  def valid_token?(request)
    request[OBFUSCATED_ACCESS_QUERY_PARAM] == @obfuscated_access_token
  end

  def allow_access(env)
    @app.call(env)
  end

  def block_access(_env)
    # Stop the middleware chain and return 'Unauthorized'
    UNAUTHORIZED_RESPONSE
  end
end