Disable Rails host authorization in development

In development Rails (6+) includes a middleware that rejects a request with a 403 response if its host isn't present in the allowlist (a security feature). This prevents Parklife from working in a Rails app out of the box unless you manually add the expected Parklife base to the hosts allowlist or set it to nil to disable it - both of which aren't great because they disable the security feature whenever the development server is booted. https://guides.rubyonrails.org/configuring.html#actiondispatch-hostauthorization However it's safe to remove the middleware via Parklife because it won't be executed in the normal Rails development flow, only via a Parkfile when parklife/rails is required.
benpickles · Mar 26, 2023 · 6d1cc64 · 6d1cc64
1 parent e28a997
commit 6d1cc64
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 0 deletions.
diff --git a/lib/parklife/rails.rb b/lib/parklife/rails.rb
@@ -20,6 +20,25 @@ def base=(value)
   end
 
   class Railtie < Rails::Railtie
+    initializer 'parklife.disable_host_authorization' do |app|
+      # The offending middleware is included in Rails (6+) development mode and
+      # rejects a request with a 403 response if its host isn't present in the
+      # allowlist (a security feature). This prevents Parklife from working in
+      # a Rails app out of the box unless you manually add the expected
+      # Parklife base to the hosts allowlist or set it to nil to disable it -
+      # both of which aren't great because they disable the security feature
+      # whenever the development server is booted.
+      #
+      # https://guides.rubyonrails.org/configuring.html#actiondispatch-hostauthorization
+      #
+      # However it's safe to remove the middleware at this point because it
+      # won't be executed in the normal Rails development flow, only via a
+      # Parkfile when parklife/rails is required.
+      if defined?(ActionDispatch::HostAuthorization)
+        app.middleware.delete(ActionDispatch::HostAuthorization)
+      end
+    end
+
     config.after_initialize do
       Parklife.application.config.app = Rails.application
 

diff --git a/spec/parklife/rails_spec.rb b/spec/parklife/rails_spec.rb
@@ -67,4 +67,8 @@
       [rails_app.default_url_options, ActionController::Base.relative_url_root]
     }
   end
+
+  it 'removes host authorization middleware' do
+    expect(Rails.application.middleware).not_to include(ActionDispatch::HostAuthorization)
+  end
 end