Back and Forth #7: Secure React Page

Birm shows Chris how to secure a React page so only authorized users can view it. Have a question or a topic you would like us to talk about then give a us a shout.

Posted in Back and Forth | Tagged , , , | Comments Off on Back and Forth #7: Secure React Page

Back and Forth #6: Add Google Authentication to React App Using Firebase

Birm shows Chris add how to add Google Authentication to a React App using Firebase. Have a question or a topic you would like us to talk about then give a us a shout.

Posted in Back and Forth | Tagged , , , | Comments Off on Back and Forth #6: Add Google Authentication to React App Using Firebase

Back and Forth #5: Add a Button to a React App

Birm and Chris add a button to a React application. Have a question or a topic you would like us to talk about then give a us a shout.

Posted in Back and Forth | Tagged , , | Comments Off on Back and Forth #5: Add a Button to a React App

Back and Forth #4: Hosting a React App on Firebase

Birm shows Chris how to host a React App as a static website on Firebase. Have a question or a topic you would like us to talk about then give a us a shout.

Posted in Back and Forth | Tagged , , , | Comments Off on Back and Forth #4: Hosting a React App on Firebase

Back and Forth #3: Docker Image for Node React Application

Chris and Birm create a Docker image for a Node React application. Have a question or a topic you would like us to talk about then give a us a shout.

Posted in Back and Forth | Tagged , , , , | Comments Off on Back and Forth #3: Docker Image for Node React Application

Back and Forth #2: Vimium

Brim shows Chris how he uses Vim key bindings to navigate the web. Have a question or a topic you would like us to talk about then give a us a shout.

Posted in Back and Forth | Tagged , , | Comments Off on Back and Forth #2: Vimium

Back and Forth #1: Fix a React Bug

Chris and Birm fix a bug in a React website. Have a question or a topic you would like us to talk about then give a us a shout.

Posted in Back and Forth | Tagged , , | Comments Off on Back and Forth #1: Fix a React Bug

SMALL BUSINESS AND THE THREE CONTRACTORS

Check out this post I wrote for Corgibytes about balancing maintenance work with new features when modernizing software. Special thanks go out to my fellow Corgis for their constructive feedback. They convinced me keep the overall idea but re-write my first draft. Plus they fixed my spelling and grammar errors that regular readers of this site are used too.

Goldilocks and the three bears

Posted in Business Side, Corgibytes | Tagged , | Comments Off on SMALL BUSINESS AND THE THREE CONTRACTORS

A Ruby-Type Talk featuring Sorbet

Last Saturday at the Edmonton Ruby Meetup (YEGRB) I discussed type checking, Sorbet, and integrating Sorbet into an existing Rails application.

Feedback and questions are most welcome. Thanks you to YEGRB for hosting and for everyone that participated in the live stream.

Posted in Code Examples, Presentations | Tagged , , , | Comments Off on A Ruby-Type Talk featuring Sorbet

Today I Learned how to Secure the Delayed Job Page with Spree Users

A client has an online store that is powered by an older version of Spree. I’m in the process of upgrading it and adding features to it at the same time. It’s a slow process as upgrading to newer versions of Spree, which also requires upgrading Ruby and Rails, is no easy task.

One customization the customer has is a delayed job that fires when a order is complete. The delayed job preforms some tasks that can take a while hence why they are done in a separate process after the order is completed.

Recently there was some issues with the delayed job task that forced me look how the delayed jobs where setup and managed. I found a couple things should be fixed, such as not deleting failed jobs. Not being able to find the error message for failed job was pain.

The most serious issue I discovered was in the page to view the delayed jobs, which used the Delayed Job Web gem. Access to the page was restricted by a password (good) but was only done use HTTP basic auth (bad) and had a hard coded password from a previous developer (bad).

Reviewing the Delayed Job Web documentation I found that it does support authenticating with Devise. That was good as Spree also uses Devise for authentication. After some research, trail and error I found that the following will work only allow Spree Admin’s to access the delayed job page:

# config/routes.rb

Spree::Core::Engine.routes.prepend do
  authenticated :spree_user, -> spree_user { spree_user.admin? } do
    mount DelayedJobWeb, at: "/delayed_job"
  end
end

Notice instead of using just :user we need to use :spree_user. Not if someone tries to view the delayed job page when not logged in or as an non-admin Spree user then a 404 error is returned.

Page not found error message if not logged in as Admin.

If logged in as a Spree admin then you can view the page as normal.

Delayed job page displayed if logged in as Spree admin.

I struggled to create unit tests for the above. At first I just created some RSpec route tests:

# spec/routing/delayed_job_spec.rb

require 'rails_helper'

describe 'routes for delayed jobs', type: :routing do
  routes { Spree::Core::Engine.routes }

  context 'user not logged in' do
    it 'they cannot see the route' do
      expect(:get => "/delayed_job").to_not be_routable
      expect(:post => "/delayed_job").to_not be_routable
    end
  end

  context 'user logged in' do
    before(:each) do
      login_user
    end

    it 'they cannot see the route' do
      expect(:get => "/delayed_job").to_not be_routable
      expect(:post => "/delayed_job").to_not be_routable
    end
  end

  context 'user logged in as admin' do
    before(:each) do
      login_admin
    end

    it 'they can see the route' do
      expect(:get => "/delayed_job").to be_routable
      expect(:post => "/delayed_job").to be_routable
    end
  end
end

Unfortunately that failed with an error:

NoMethodError: undefined method 'authenticate?' for nil:NilClass

Turns out this is a known issue with Rails 3 and Devise as outlined here. So instead I created integration tests for the delayed job security using Cucumber.

# features/delayed_job.feature

@javascript
Feature: Delayed Job

  @allow-rescue
  Scenario: I can't view Delayed Job page if I'm not logged in
    When I visit the delayed job page
    Then I get a 404 error

  @allow-rescue
  Scenario: I can't view Delayed Job page if I'm not an admin
    Given I am logged in as a user
    When I visit the delayed job page
    Then I get a 404 error

  Scenario: I can view Delayed Job page if I'm logged in as admin
    Given I am logged in as an administrator
    When I visit the delayed job page
    Then I can see the delayed job page
# features/step_definitions/delayed_job_steps.rb

When(/^I visit the delayed job page$/) do
  visit "/delayed_job"
end

Then(/^I get a 404 error$/) do
  expect(page).to have_text('Routing Error No route matches [GET] "/delayed_job"')
end

Then(/^I can see the delayed job page$/) do
  expect(page).to have_text('The list below shows an overview of the jobs in the delayed_job queue')
end

While not unit tests having integration tests is better then nothing.

As I continue to upgrade the client’s Spree store I’ll eventually replace the unsupported delayed_job gem with something that is. Perhaps Active Job or Sidekiq.

P.S. – One of the first songs that come up when I searched for songs about jobs. Never heard it before but it made me chuckle.

Take this job and shove it
I ain’t workin’ here no more
My woman done left and took all the reasons
I was working for
Ya better not try to stand in my way
As I’m walkin’, out the door
Take this job and shove it
I ain’t workin’ here no more

Posted in Today I Learned | Tagged , , , , , | Comments Off on Today I Learned how to Secure the Delayed Job Page with Spree Users