Methods to Safe Your Rails API With out Being a Safety Professional


Ruby on Rails is such a candy software to make use of. As a full-stack developer, I discover it my framework of selection each time I have to construct a prototype/minimum-viable product. Its ease of use and fast setup enable me to maneuver ahead rapidly into constructing the front-end of my tasks.

This comfort may cause a developer to miss the safety facets of their code. I do know I am responsible of it numerous instances. Even when one is accustomed to Take a look at-Pushed-Growth, it does not assure that the code they write is safe.

Personally, I by no means actually paid a lot consideration to safety each time I constructed apps. The reason being that I concentrate on constructing fast prototypes and minimally viable merchandise (MVPs). However that is not an excuse to put in writing sloppy code that may simply open up customers to assaults.

That is why, on the very least, as engineers, now we have to bear in mind and be capable of repair the most typical vulnerabilities that we might unintentionally put in our tasks.

Open-source databases corresponding to WhiteSource’s Vulnerability Lab offer you up to date data on most vulnerabilities.

You’ll be able to find out about every vulnerability in higher element together with its severity and what fixes can be found. Must you additionally uncover new vulnerabilities, you’ll be able to attain out to its maintainers for them to verify and add it to their database.

On this article I will run down the three commonest vulnerabilities one might encounter in a Ruby on Rails API solely app. Nonetheless, among the ideas introduced apply no matter which platform you are utilizing and you must examine what related tooling is accessible to your platform should you’re not on Rails.

I restrict the subject to JSON-API tasks since I personally would use Rails to solely construct APIs (and use React or every other front-end framework to construct the client-side).

Session Hijacking

In a Rails API app, a typical strategy to do authentication is by the era of a JSON-Net Token (JWT). Each time a `POST` request is made to the authentication endpoint (often `/periods`), the Rails app can generate the JWT from the present consumer’s ID and an expiration timestamp (often 24 hours).

An instance of the way to generate this JWT is utilizing Ruby’s `jwt` gem`:

def self.encode(payload, exp = 24.hours.from_now)
payload[:exp] = exp.to_i
JWT.encode(payload, SECRET_KEY)

The JWT can be despatched as a part of the response to the front-end app.

For authenticated requests (corresponding to getting an inventory of all the present customers’ pals in a social networking utility), the Rails app ought to examine the request’s headers for the presence of this JWT.

If the request does not comprise any JWT or an expired JWT, then the API will merely reply with a 401 (Unauthorized) error.

Throughout authentication:

If the request doesn't contain any JWT or an expired JWT, then the API will simply respond with a 401 (Unauthorized) error.

Subsequent requests that require a requester to be authenticated:

Subsequent requests that require a requester to be authenticated:

The problem right here is that assuming the JWT hasn’t expired but, a hacker could possibly steal the JWT and entry the API as an authenticated consumer. API authentication tokens have been exploited like this in a number of real-world assaults.

On this case, the one measure in opposition to that is making the JWT expire sooner. So as an alternative of 24 hours, the JWT might be made to run out in 1 hour.

The excellent news is that the one method for a hacker to steal this token is both by the consumer unintentionally (or foolishly) sending this token by way of the online or if the hacker bodily goes to the machine that this token is in (on the client-side mostly an auth token is saved on the localstorage).

Nonetheless, we wish to cowl as a lot floor as doable regarding the safety of any utility we construct.

So, another however extra cumbersome strategy to retailer our auth token is for the Rails API to save lots of every JWT generated right into a database. This is how that logic goes:

A further database desk (and mannequin) known as `tokens` can be generated
$ rails g mannequin token worth:stringEvery time a profitable login has been made, the Rails API will generate a brand new JWT and reserve it as a document within the `tokens` desk
def self.encode(payload, exp = 24.hours.from_now)
payload[:exp] = exp.to_i
token = JWT.encode(payload, SECRET_KEY)
Token.create(worth: token)
endThis identical JWT can be despatched to the requester as a part of the response.For requests which might be solely allowed for authenticated customers, the Rails API will examine for the existence of a JWT within the headers. Mechanically the response can be a 401 (Unauthorized) if the headers do not comprise any.If the JWT is current within the headers, the very first thing that the Rails API will do is examine for its existence within the `tokens` database desk. If it can’t be discovered then a 401 can be despatched as response.If the JWT exists within the `tokens` desk, then the Rails API will attempt to decode this (utilizing a customized methodology). If it is invalid (i.e, expired) then once more a 401 response can be despatched.If the JWT is legitimate, then successful response can be despatched together with the info requested (or acceptable actions can be taken within the API).

We will write a technique within the `application_controller.rb` file to examine for the existence of the token within the headers, then within the database, and subsequently for its validity.

Utilizing Ruby’s `pundit` gem`:

def pundit_user
header = request.headers[‘Authorization’]
header = header.break up(‘ ‘).final if header
if Token.find_by(worth: header)
decoded = JsonWebToken.decode(header)
decoded = JsonWebToken.decode(nil)
rescue ActiveRecord::RecordNotFound
render json: message: ‘You aren’t licensed’ , standing: :unauthorized
rescue JWT::DecodeError
render json: message: ‘Unauthorized entry’ , standing: :unauthorized

Drawing this sequence in a flowchart:

Drawing Ruby's pundit gem sequence in a flowchart

The one disadvantage for this answer is that each single login of the consumer will add a brand new document into the `tokens` desk. For the lifetime of every consumer, this may increasingly imply hundreds to hundreds of thousands of data relying on the frequency of login.

A doable repair is to have an automatic database cleanup. However that is an article about safety vulnerabilities and fixes.

Nonetheless, the advantage of this method is that we are able to create a technique that enables us to log off all gadgets by destroying all data within the `tokens` desk:

def logout_all

As a closing be aware, there’s nonetheless in fact a really actual risk that hackers can get contained in the database and steal the tokens. The easiest way to make sure that the JWTs are secured in a method that makes them ineffective to hackers is through the use of digital signatures.

SQL Injection

This explicit safety vulnerability does not solely have an effect on Rails apps. Each net (or cellular) utility that does SQL queries over the web are vulnerable to this.

In easy phrases, an SQL injection assault occurs each time a malicious consumer manipulates request parameters with a purpose to entry database content material.

For instance, as an example now we have a database desk known as `customers` (and a corresponding `Consumer` mannequin). Let’s additionally say that the way in which we coded a question to get a selected consumer’s information is as follows:

Consumer.the place(“first_name = ‘%#params[:first_name]%'”)

So the next question string within the URL will return a set consumer with the identify “Michael”:


Nonetheless, a malicious consumer will merely “inject” any string worth on this question string with a purpose to lengthen the SQL question assertion within the first line. Doing so might enable this malicious consumer to entry all customers and be capable of do what they need with that information.

Because of its prevalence, one would suppose that the maintainers of Ruby on Rails would have an out-of-the-box safeguard for this. Sadly, it does not.

What’s nice although is that we are able to safe our Rails APIs in opposition to this vulnerability by way of easy tweaks in our ActiveRecord queries.

We will then revise our SQL question above to make it safer:

Consumer.the place(“first_name = ?”, params[:first_name])

Other than the plain syntactical distinction, how else is that this newly shaped SQL question any totally different from the aforementioned pure stringed one?

Within the pure string question, which is unsafe, each single bit is being handed into the database as-is.

So a hacker would possibly cross an prolonged SQL question string, as beforehand talked about, to get an inventory of all consumer information so they may both promote or delete (no matter they fancy).

Within the revised SQL question, the second argument is dynamic (since Rails will “escape” it) and will not go immediately into the database earlier than being sanitized by Rails. This incapacitates any malicious makes an attempt by a hacker to entry the database by way of question strings.

Authorization and Entry Vulnerabilities

Authenticating a consumer is solely checking whether or not the consumer that’s making a request is logged in. Authorization is offering one other layer of knowledge entry safety.

Authorizing a consumer means offering solely a sure degree of entry to options relying on what class of consumer is making such requests.

As an example, message exchanges between two customers ought to be made personal between them. Subsequently, an authorization system ought to be in place that may examine whether or not an app consumer attempting to entry dialog information is a participant in that dialog.

I listed this vulnerability final as a result of it may be triggered extra by architectural selections than code. There are specific greatest practices that we are able to make use of to make sure our API has a high-quality authorization system. However in all probability the best architectural measure is offering the least entry by default.

For instance, the one default entry all customers ought to have is their very own information.

Because the consumer is given extra privileges (i.e after they change into directors) that is the time they’re additionally supplied entry to extra data or options.

Utilizing `pundit` gem

Luckily, as Rails builders we are able to use `pundit`. Pundit permits us to simply create “insurance policies” that prohibit the sorts of requests customers could make relying on sure mannequin attributes.

For extra superior insurance policies the developer can merely create new courses. The ensuing insurance policies are additionally very simply examined.


There are a thousand kinds of vulnerabilities any undertaking can have. The entire three I listed below are simply detected. However there are a whole lot extra which might be as a result of kinds of dependencies we set up into our tasks.

Fortunately for us if we’re pushing our code to Github we are going to get notices ought to any vulnerability be detected in any of our code’s dependencies.

e're pushing our code to Github we will get notices should any vulnerability be detected in any of our code's dependencies.

What’s much more fascinating is that Github already offers us with the answer:

What's even more fascinating is that Github already provides us with the followng solution:

The primary message I want to impart on this article is for us builders to begin turning into extra security-oriented, from staying on high of Github safety updates to programming language vulnerabilities.

The sphere of safety could also be a wholly new self-discipline altogether for many of us however we do not have to be consultants to have the ability to construct safe apps.