Nesta and basic authentication

From: Michael J. Rivard
Date: 2013-02-19 @ 05:49

Hello,

I need to password-protect a Nesta-based website that will be put on 
Heroku so that only its owner and I can see it (because it's not ready to 
go public yet). I copied `bundle show nesta`/lib/nesta/app.rb to my Nesta 
website's root directory and inserted three lines into my copy of app.rb 
to look like this:

    Overrides.load_theme_app

    use Rack::Auth::Basic, "My Realm" do |username, password|
      [username, password] == ['myusername', 'mypassword']
    end
    
    get '/robots.txt' do

("Overrides.load_theme_app" and "get '/robots.txt' do" already existed in 
app.rb; the lines between them are what I inserted.)

The problem is that when I point my browser to the website, it displays 
the web page without prompting me for a username and password. It's as if 
my copy of app.rb is being ignored.

I'm running the site in Apache/Passenger, and I tried restarting Apache. I
also tried using shotgun (so that I could see any possible error/warning 
messages), but got the same result (and there were no warning/error 
messages). I also tried putting app.rb in ${website_root}/lib/nesta/, but 
got the same result.

BTW, I'm using the version of Nesta that was in the GitHub master branch 
on 2/17/2013.

I'm a complete Ruby newbie, so I'm sure it's because I've omitted 
something that's very fundamental. In any case, any advice would be 
sincerely appreciated.

Regards,
Michael

Re: [nesta] Nesta and basic authentication

From: Micah Chalmer
Date: 2013-02-19 @ 07:59

You shouldn't copy nesta's default app.rb into your own site's root 
directory.  Nesta's app.rb is already loaded by the nesta gem--in fact, 
it's the call to Overrides.load_local_app from nesta's app.rb that loads 
your own app.rb in the first place.  If you just want the default behavior
plus the basic auth protection, then your entire app.rb file can look like
this:

    module Nesta
      class App
        use Rack::Auth::Basic, "My Realm" do |username, password|
          [username, password] == ['myusername', 'mypassword']
        end
      end
    end

and it will do what you want.  If you have your own routes you can also 
add them there, and they will come before Nesta's default ones in the list
so that yours will supersede the defaults.

Alternatively, you could put the call to "use Rack::Auth::Basic" in your 
config.ru instead, just after "Bundler.require(:default)".  If you do 
this, and don't have any other customizations, then you don't even need 
your own app.rb.

Here's the mechanics of exactly what happened with your copy, in case 
you're curious: Near the top of nesta's app.rb is this line:
  
    require File.expand_path('../nesta', File.dirname(__FILE__))

which is looking for lib/nesta.rb within the gem.  But "../nesta.rb" does 
not exist relative to your project root, so your copy of the file raises a
LoadError when it hits that line.  Nesta then silently swallows the 
LoadError exception, which looks like a bug in Nesta to me.  (It only 
swallows LoadError--other exceptions are not handled.)  You should have 
seen the LoadError just like you would have seen any other error that 
occurred while loading your app.  The message wouldn't have been 
super-obvious, but at least it would have clued you in that there was a 
problem that was causing your code not to be loaded.  I assume the reason 
it silently ignores LoadError exceptions is because it doesn't want to 
error out if a local app.rb isn't present.  But it's suppressing more than
was intended it seems.

-Micah
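
An added example (not part of the original messages, and not Nesta's code) of the same Rack::Auth::Basic check with the credentials read from the environment instead of being written into app.rb, and compared in constant time. The variable names SITE_USER and SITE_PASSWORD and both helper names are assumptions.

```ruby
require 'digest'

# Constant-time comparison of two strings via fixed-length digests
# (stdlib only; Rack::Utils.secure_compare does the same job when Rack is loaded).
def same_secret?(given, expected)
  a = Digest::SHA256.digest(given.to_s).bytes
  b = Digest::SHA256.digest(expected.to_s).bytes
  a.zip(b).reduce(0) { |diff, (x, y)| diff | (x ^ y) }.zero?
end

# Builds the block handed to Rack::Auth::Basic.
# SITE_USER and SITE_PASSWORD are assumed names (on Heroku, config vars).
def credential_check(env = ENV)
  user = env['SITE_USER'].to_s
  pass = env['SITE_PASSWORD'].to_s
  # Fail closed: refuse to start rather than accept empty credentials.
  if user.empty? || pass.empty?
    raise ArgumentError, 'SITE_USER and SITE_PASSWORD must be set'
  end
  lambda do |username, password|
    # Non-short-circuit &: both comparisons always run.
    same_secret?(username, user) & same_secret?(password, pass)
  end
end

# In app.rb (inside Nesta::App) or in config.ru:
#   use Rack::Auth::Basic, "My Realm", &credential_check
```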

Re: [nesta] Nesta and basic authentication

From: Graham Ashton
Date: 2013-02-19 @ 11:44

On 19 Feb 2013, at 07:59, Micah Chalmer <micah@micahchalmer.net> wrote:

> You shouldn't copy nesta's default app.rb into your own site's root directory.

This has bitten a few people recently, which leads me to suspect that 
somewhere, I've written documentation that suggests that this is the way 
to do it.

I consider it a bug in the docs.

Michael - can you shed any light on how I might fix it? It's difficult for
me to know where to write the relevant paragraph.

> Nesta then silently swallows the LoadError exception, which looks like a
> bug in Nesta to me.  (It only swallows LoadError--other exceptions are not
> handled.)

I agree, and I've just patched it. It now checks if app.rb exists before 
trying to require it.

https://github.com/gma/nesta/commit/49a7c189cf124bdc29b37bec14d3da40411478ab

> I assume the reason it silently ignores LoadError exceptions is because
> it doesn't want to error out if a local app.rb isn't present.  But it's
> suppressing more than was intended it seems.

Spot on. 

-- 
Graham Ashton
Founder, The Agile Planner
http://theagileplanner.com | @agileplanner | @grahamashton
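
The silent failure discussed in this thread, as an added example that is neither Nesta's code nor the linked commit: a loader that rescues LoadError also hides a failed require inside app.rb, so the authentication setup never runs and the site is served unprotected, while a loader that checks for the file first lets the error surface. The method names and the constructed app.rb are assumptions, and load is used in place of require so the demo can be re-run.

```ruby
require 'tmpdir'

# Hypothetical stand-ins for the two loader behaviours described in the
# thread; these are not Nesta's actual methods.

# Before: any LoadError is taken to mean "there is no local app.rb",
# including one raised by a require *inside* app.rb.
def load_swallowing(root)
  load File.join(root, 'app.rb')
  :loaded
rescue LoadError
  :skipped
end

# After: absence is tested explicitly, so a LoadError raised while
# evaluating app.rb propagates to the caller.
def load_checked(root)
  path = File.join(root, 'app.rb')
  return :skipped unless File.exist?(path)
  load path
  :loaded
end

def demo
  results = {}
  Dir.mktmpdir do |root|
    # Case 1: no local app.rb at all. Both loaders skip quietly.
    results[:missing_swallowing] = load_swallowing(root)
    results[:missing_checked] = load_checked(root)
    # Case 2: constructed app.rb whose first require cannot resolve; the
    # line after it stands in for the `use Rack::Auth::Basic` call.
    File.write(File.join(root, 'app.rb'), <<~RUBY)
      require File.expand_path('../nesta_missing_for_demo', File.dirname(__FILE__))
      $auth_installed = true
    RUBY
    results[:broken_swallowing] = load_swallowing(root)
    results[:broken_checked] = begin
      load_checked(root)
    rescue LoadError => e
      e.class
    end
  end
  results
end

p demo if __FILE__ == $PROGRAM_NAME
```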