This is a bare-bones Rails 5.1 PostgreSQL application with authentication handled by Auth0 and authorization by Pundit. I generally clone this repo when starting a new web application. The staging app can be found hosted here on Heroku.
This application uses Redis for the session store. My preferred redis hosting is Redis Cloud, which is available as a Heroku addon.
Where possible I try to follow best security practices and ruby style guides throughout my code.
This app includes a GitLab CI config script that runs Rubocop, Bundler Audit, Brakeman and RSpec before automatically deploying to Heroku staging and production. Pushes to the GitLab master branch will automatically deploy to Heroku staging, while merge requests into a production branch will deploy to Heroku production.
Install Ruby and the Bundler gem if necessary.
If using the RVM Ruby Version Manager...
rvm install ruby-2.4.1
gem install bundler
or, if you prefer rbenv...
brew install rbenv
rbenv install 2.4.1
gem install bundler
Be sure to set the relevant environment variables before running the following setup. Also set the environment variables on deployment environments such as Heroku before uploading the code to the server. For Heroku this means installing a suitable Redis add-on and setting the REDIS_URL environment variable before first deploying the code.
./bin/bundle install --path=vendor/bundle
# Configure DB name environmental variables first.
./bin/rake db:setup
This app will render a favicon, but only if it exists at app/assets/images/favicons/favicon.ico. There is a convenient tool at https://realfavicongenerator.net/ that generates favicons suitable for all browsers and other platforms such as iOS, Android and Windows. Simply upload your sample image and then extract the generated favicons.zip into app/assets/images/.
Example values of the environmental variables used in this app can be found in .env.example
For local testing and development copy and customize .env.example into the following files:
.env.development
.env.test
.env.staging
.env.production
An identifier name for this app. This is to be used internally by the app in situations such as session key identifier and S3 paths. This should only contain URL safe characters and no spaces.
Your secret key is used for verifying the integrity of signed cookies. If you change this key, all old signed cookies will become invalid!
Use the following command to generate a new secret key:
./bin/rails secret
The encryption key for config/secrets.yml.enc.
A boolean switch to determine if SSL connections should be forced. When active this will redirect http:// requests to https://. Acceptable values are true and false. If this environment variable is not defined, false is assumed.
The database connection URL if deployed on platforms such as Heroku.
You can optionally choose to specify the following database config values as environmental variables if you prefer not to put them in config/database.yml.
- DATABASE_NAME
- DATABASE_USERNAME
- DATABASE_PASSWORD
- DATABASE_HOST
Note: DATABASE_HOST is generally left at its default value of localhost, but must be set to postgres for GitLab CI.
The callback URL to be called after a user has logged in or signed up. For development use 'http://localhost:3000/auth/auth0/callback'.
Auth0 client application domain. You can find this in the clients section of your Auth0 account. This will be a string similar to my-app-name.auth0.com.
The ID of your Auth0 client.
The Auth0 client application secret. This is essentially the password to this Auth0 client and must be securely stored.
The ID for your Auth0 Management API client. It is recommended that you create an Auth0 client specifically for the management API, rather than reusing an existing client.
The client secret for your Auth0 management API.
Note: It is good practice to rotate your client secret frequently.
The Auth0 Lock widget uses a state variable in the session to prevent CSRF attacks. Setting this value to true in config/initializers/auth0.rb will ignore the state and bypass this security feature. Setting this to true in the test environment can simplify automated integration testing.
Alternatively, you can assign the state session variable with the following POST command before integration tests.
post auth_set_state_path, params: { state: SecureRandom.hex(24) }
See Auth0Controller for implementation.
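To make the state round-trip concrete, here is an added stand-alone Ruby sketch (not the project's Auth0Controller, which you should read for the real implementation) of what the state variable protects: a random value is stored in the session before the login redirect, and the callback is only accepted when the returned value matches, consumed once, and compared in constant time. The `skip_check:` keyword stands in for the test-only bypass switch described above; module and method names are assumptions.

```ruby
require 'securerandom'

# Added example (not the project's code): models the OAuth "state"
# round-trip that the Lock widget relies on to stop login CSRF.
module StateCheck
  STATE_BYTES = 24 # matches SecureRandom.hex(24) used in the README

  # Issue a fresh state and remember it in the session hash before
  # redirecting the browser to Auth0. Returns the state to send along.
  def self.issue(session)
    session[:auth0_state] = SecureRandom.hex(STATE_BYTES)
  end

  # Validate the state that came back on the callback.
  # Returns true only when it matches the value stored in the session.
  # The stored value is deleted on every attempt, so a replayed or
  # forged callback cannot reuse it.
  def self.valid_callback?(session, returned_state, skip_check: false)
    return true if skip_check # mirrors the test-environment bypass switch

    expected = session.delete(:auth0_state)
    return false if expected.nil? || returned_state.nil?

    secure_compare(expected, returned_state)
  end

  # Constant-time string comparison so the check does not leak how many
  # leading characters of the expected state were guessed correctly.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end
```

In a Rails controller the `session` argument would be the real session object and `returned_state` would be `params[:state]`; the logic is the same.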
./bin/rspec
Source code consistency is checked by Rubocop. RuboCop is a Ruby code style checker based on the community-driven Ruby Style Guide. The default Rubocop styles are mostly adhered to, with some minor customizations defined in .rubocop.yml.
A Rubocop check is executed by GitLab CI before each build.
You can check your code locally:
./bin/rubocop
Rubocop can try to automatically fix your code with the following command.
./bin/rubocop -a
This will try to fix issues in new files.
Run Brakeman before each deploy with the following command:
./bin/brakeman
Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.
The integrity of all gem dependencies can be validated using bundler-audit using the following command.
./bin/bundle-audit check --update
This will flag any known vulnerabilities. Use --ignore <code> to ignore specific advisories.
To re-brand this application for your own purposes, it is recommended to change the module name from RailsAuth0 to something more relevant in config/application.rb.
You will also need to change the database connection parameters in config/database.yml or set them using environmental variables.
Set the ActionCable channel prefixes in config/cable.yml to match your application name.