TommyBlue.it

API Authentication with Phoenix and React - part 2

Tommaso Visconti — Sat, 31 Mar 2018 21:34:35 GMT

In the first part of this post I've shown how to configure the API server to let the user authenticate, return an authentication token, and request it to access protected routes.
Now I'm going to configure a React app to consume that API and manage authentication.

The app uses React Router to manage routes and Redux for the state of the app.

Protect private routes

I'm going to define a PrivateRoute component as a wrapper around Route. The component will check the user authentication.

The router configuration will have a standard Route component for the Login page and will use PrivateRoute for the rest of the routes:

The PrivateRoute component will check the isAuthenticated flag in the state and will redirect back to login if false or will render the private component otherwise:

import React from 'react';
import { Route, Redirect } from 'react-router-dom';
import { connect } from 'react-redux';

const mapStateToProps = state => {
    return {
        isAuthenticated: state.isAuthenticated,
    };
};

class PrivateRoute extends React.Component {
    render() {
        if (!this.props.isAuthenticated) {
            return (
                
            );
        }

        return (
            
        );
    }
}

export default connect(mapStateToProps)(PrivateRoute);

Sign in and receive the token from the server

The Login component will simply show a form and will manage the initial authentication, saving the token in a cookie for later use:

import React from 'react';
import { connect } from 'react-redux';

import {
    signIn,
} from '../actions';

const mapStateToProps = state => {
    return {
        isAuthenticated: state.isAuthenticated,
    };
};

const mapDispatchToProps = dispatch => {
    return {
        onSignIn: (email, password) => dispatch(signIn(email, password)),
    };
};

class Login extends React.Component {
    constructor(props) {
        super(props);
        this.onSignIn = this.onSignIn.bind(this);
        this.state = {email: "", password: ""};
    }

    render() {
        return (
            
                Login
                {this.props.isAuthenticated ? this.alreadyAuthenticated() : this.form()}
            
        );
    }

    alreadyAuthenticated() {
        return ("You're already authenticated.")
    }

    form() {
        return (
            
                
                    Email
                    
                         this.setState({...this.state, email: e.target.value})}
                        />
                    
                

                
                    Password
                    
                         this.setState({...this.state, password: e.target.value})}
                        />
                    
                

                
            
        );
    }

    onSignIn() {
        this.props.onSignIn(this.state.email, this.state.password);
    }
}

export default connect(
    mapStateToProps,
    mapDispatchToProps
)(Login);

The signIn action is where the "magic" happens:

export const signIn = (email, password) => ((dispatch) => {
    return fetch(`http:///api/sessions/sign_in}`, {
        method: "POST",
        headers: {
            'Accept': 'application/json',
            'Content-Type': 'application/json'
        },
        body: JSON.stringify({email, password}),
      }).then(
        response => {
            if (!response.ok) {
                // Manage error
                return dispatch(errorOnFetch(response.statusText));
            }
            return response.json().then(response => dispatch(signInSuccessfull(response.data)));
        },
        error => {
            return dispatch(errorOnFetch(error))
        }
    );
});

const signInSuccessfull = (data) => {
    setAuthToken(data.token);
    return {
        type: AUTHENTICATION_SUCCEDED,
    }
};

Two main things happen in the signInSuccessfull method: the token returned by the server is passed to the setAuthToken method and the AUTHENTICATION_SUCCEEDED action is returned to the redux reducer.

The reducer sets the isAuthenticated flag to true (do you remember the check in the PrivateRoute component?):

const mainReducer = (state = initialState, action) => {
    switch (action.type) {
        case AUTHENTICATION_SUCCEDED:
            return ({...state,
                isAuthenticated: true,
            });
        case AUTHENTICATION_SIGNOUT:
            return ({...state,
                isAuthenticated: false,
            });
    }
}

The setAuthToken method saves the token in a cookie, so that it will be then available for the next requests:

const setAuthToken = (token) => {
    const cookies = new Cookies();
    cookies.set('my_auth_token', token, {
        path: '/'
    });
};

I'm using the universal-cookie package here, so we need to install it:

yarn add universal-cookie

Other useful methods will permit to get the cookie or delete it:

export const getAuthToken = () => {
    const cookies = new Cookies();
    return cookies.get('my_auth_token');
};

const removeAuthToken = () => {
    const cookies = new Cookies();
    cookies.remove('my_auth_token', {
        path: '/',
    });
};

Use the token for private routes

At this point we have a valid token saved in a cookie. We just need to use it when making a request for a private API endpoint.

I'll use a wrapper function around fetch to add the Authorization header to the requests:

const authFetch = (url, options) => (
    fetch(url, mergeAuthHeaders(options)).then(
        response => {
            // Sign out if we receive a 401!
            if (response.status === 401) {
                store.dispatch(signOut());
                throw new Error("Unauthorized");
            }
            return response;
        },
        error => error
    )
);

const mergeAuthHeaders = (baseOptions) => {
    const options = _.isUndefined(baseOptions) ? {} : baseOptions;
    if (!_.has(options, 'headers')) {
        options.headers = {};
    }
    options.headers = {
        ...options.headers,
        'Authorization': `Bearer ${getAuthToken()}`,
    };
    return options;
}

The authFetch method receives a URL to fetch and the options for the fetch method. It merges the authentication header in the options and makes the request.
If it receives a 401 response, then it makes the sign out, deleting the cookie and setting the isAuthenticated flag to false:

export const signOut = () => {
    removeAuthToken();
    return {
        type: AUTHENTICATION_SIGNOUT,
    }
};

That's it, you should probably add more logic to manage side cases and errors, but this is enough to consume the APIs we built.

API Authentication with Phoenix and React - part 1

Tommaso Visconti — Wed, 28 Mar 2018 22:08:09 GMT

Scenario: you just wrote a cool web app using React for the frontend part and Phoenix as the API server.
Then you realize everybody can poke around your stuff and you decide it’s time to restrict the access to known users, how to do it?

I’ll configure a Phoenix server to manage access tokens, used by a React app to make authenticated calls.

This blog post only deals with the backend part and consists of these steps:

add users and give them the ability to sign in
manage authentication tokens for the users
define a pipeline to grant access to restricted routes only to authenticated requests

I’m not going to cover the SSL configuration here, but it’s fundamental to only serve the endpoints over HTTPS. You can check out this article which explains how to force SSL in Phoenix.

Create the Users

Let’s create the schemas for the User:

$ mix phx.gen.schema User users email:string:unique password_hash:string

The mix command doesn’t accept any option to avoid null values, so the migration files must be edited.
This is the final version of the migration file (only the relevant parts):

create table(:users) do
  add :email, :string, null: false
  add :password_hash, :string, null: false
  timestamps()
end
create unique_index(:users, [:email])

We're going to save hashed password, not clear-text passwords, so our schema will have a virtual password field which, behind the scenes, will be hashed and saved.

To crypt passwords we’re going to use the Comeonin lib, that must be added to the dependencies, together with BCrypt (don’t forget to run mix deps.get after you made the changes):

# mix.exs
defp deps do
  [...]
  {:comeonin, "~> 4.0"},
  {:bcrypt_elixir, "~> 1.0"}
end

Let’s now see the User module:

defmodule MyApp.User do
  use Ecto.Schema
  import Ecto.Changeset
  alias MyApp.User
  
  schema "users" do
    field :email, :string
    field :password_hash, :string
    field :password, :string, virtual: true
    timestamps()
  end
  
  def changeset(%User{} = user, attrs) do
    user
    |> cast(attrs, [:email, :password])
    |> validate_required([:email, :password])
    |> unique_constraint(:email, downcase: true)
    |> put_password_hash()
  end
  
  defp put_password_hash(changeset) do
    case changeset do
      %Ecto.Changeset{valid?: true, changes: %{password: pass}} ->
        put_change(
            changeset, 
            :password_hash, 
            Comeonin.Bcrypt.hashpwsalt(pass)
        )
      _ ->
        changeset
    end
  end
end

At this point we can create new users:

$ iex -S mix
iex(1)> MyApp.repo.insert!(MyApp.User.changeset(
  %MyApp.User{}, %{
    email: “my_email@provider.com”, 
    password: “s3cr3t”
  }
))
[..]
%MyApp.User{
  __meta__: #Ecto.Schema.Metadata<:loaded, "users">,
  email: "my_email@provider.com",
  id: 1,
  inserted_at: ~N[2018-03-24 22:47:37.981969],
  password: "s3cr3t",
  password_hash: "",
  updated_at: ~N[2018-03-24 22:47:37.984213]
}

User tokens

Ok, now that we have users, we must generate tokens for them, so that they can access restricted routes.

The first step is to create the schema:

$ mix phx.gen.schema AuthToken auth_tokens user_id:references:users token:text:unique revoked:boolean revoked_at:utc_datetime

As before, we must edit the migration to add missing null: false:

create table(:auth_tokens) do
  add :user_id, references(:users, on_delete: :nothing), null: false
  add :token, :text, null: false
  add :revoked, :boolean, default: false, null: false
  add :revoked_at, :utc_datetime
  timestamps()
end
create unique_index(:auth_tokens, [:token])
create index(:auth_tokens, [:user_id])

The schema is the following:

defmodule MyApp.AuthToken do
  use Ecto.Schema
  import Ecto.Changeset
  alias MyApp.AuthToken
  alias MyApp.User
  
  schema "auth_tokens" do
    belongs_to :user, User
    field :revoked, :boolean, default: false
    field :revoked_at, :utc_datetime
    field :token, :string
    timestamps()
  end
  
  def changeset(%AuthToken{} = auth_token, attrs) do
    auth_token
    |> cast(attrs, [:token])
    |> validate_required([:token])
    |> unique_constraint(:token)
  end
end

We’ve added the belongs_to relationship there, we must also edit the User schema adding:

schema "users" do
  has_many :auth_tokens, MyApp.AuthToken
  [...]
end

We’re going to need a bunch of methods to deal with authorization headers and tokens, so a service could be useful.
Let’s create an Authenticator service with the first methods we’ll use to generate and verify tokens with Phoenix.Token:

defmodule MyApp.Services.Authenticator do
  # These values must be moved in a configuration file
  @seed "user token"
  # good way to generate: 
  # :crypto.strong_rand_bytes(30) 
  # |> Base.url_encode64 
  # |> binary_part(0, 30)
  @secret "CHANGE_ME_k7kTxvFAgeBvAVA0OR1vkPbTi8mZ5m"
  
  def generate_token(id) do
    Phoenix.Token.sign(@secret, @seed, id, max_age: 86400)
  end
  
  def verify_token(token) do
    case Phoenix.Token.verify(@secret, @seed, token, max_age: 86400) do
      {:ok, id} -> {:ok, token}
      error -> error
    end
  end
end

Sign in and out the users

We now need to let the users sign in (create a token for the user) and sign out (delete the token).

We’ll manage the logic inside the User module:

defmodule MyApp.User do
  [...]
  alias MyApp.Services.Authenticator
  
  def sign_in(email, password) do
    case Comeonin.Bcrypt.check_pass(Repo.get_by(User, email: email), password) do
      {:ok, user} ->
        token = Authenticator.generate_token(user)
        Repo.insert(Ecto.build_assoc(user, :auth_tokens, %{token: token}))
      err -> err
    end
  end
  
  def sign_out(conn) do
    case Authenticator.get_auth_token(conn) do
      {:ok, token} ->
        case Repo.get_by(AuthToken, %{token: token}) do
          nil -> {:error, :not_found}
          auth_token -> Repo.delete(auth_token)
        end
      error -> error
    end
  end
end

The first line of the sign_in function looks for the user in the Repo then passes it to Bcrypt.check_pass together with the provided password, to verify it.

In the case the user can’t be found, check_pass receives a wrong user and returns {:error, "invalid user-identifier"} while in the case the password verification fails it returns {:error, "invalid password"}.
So, in both cases, we return a {:error, reason} tuple (we’ll later use this in the controller).

If the user is found and the password is valid, we create a token for the user and return it.

The sign_out function looks for the token in the header and deletes it if found.

The function that extracts the token is based on a simple regexp:

defmodule MyApp.Services.Authenticator do
  [...]
  def get_auth_token(conn) do
    case extract_token(conn) do
      {:ok, token} -> verify_token(token)
      error -> error
    end
  end
  
  defp extract_token(conn) do
    case Plug.Conn.get_req_header(conn, "authorization") do
      [auth_header] -> get_token_from_header(auth_header)
       _ -> {:error, :missing_auth_header}
    end
  end
  
  defp get_token_from_header(auth_header) do
    {:ok, reg} = Regex.compile("Bearer\:?\s+(.*)$", "i")
    case Regex.run(reg, auth_header) do
      [_, match] -> {:ok, String.trim(match)}
      _ -> {:error, "token not found"}
    end
  end
end

At this point all the underground pieces are in place, but we need to create the endpoints to let the user make the actions.

First, add the required routes:

scope "/sessions" do
  post "/sign_in", SessionsController, :create
  delete "/sign_out", SessionsController, :delete
end

We can check the result with mix phx.routes:

sessions_path  POST    /sessions/sign_in    MyApp.SessionsController :create
sessions_path  DELETE  /sessions/sign_out    MyApp.SessionsController :delete

We must then create the SessionsController:

defmodule MyAppWeb.SessionsController do
  use MyAppWeb, :controller
  alias MyApp.User
  
  def create(conn, %{"email" => email, "password" => password}) do
    case User.sign_in(email, password) do
      {:ok, auth_token} ->
        conn
        |> put_status(:ok)
        |> render("show.json", auth_token)
      {:error, reason} ->
        conn
        |> send_resp(401, reason)
    end
  end
  
  def delete(conn, _) do
    case User.sign_out(conn) do
      {:error, reason} -> conn |> send_resp(400, reason)
      {:ok, _} -> conn |> send_resp(204, "")
    end
  end
end

and its view:

defmodule MyAppWeb.SessionsView do
  use MyAppWeb, :view
  def render("show.json", auth_token) do
    %{data: %{token: auth_token.token}}
  end
end

Done, it’s now time to make some tests calling these endpoints. I personally use Advanced Rest Client (aka ARC), a Chrome extension to make HTTP calls.

To test sign in, we must make a POST call to http://localhost:4000/sessions/sign_in with the following JSON body:

{
  "email":"my_email@provider.com",
  "password": "s3cr3t"
}

If we didn’t make any error we’ll get back the token in a json structure as we defined in show.json:

{
  "data": {
    "token": "SFMyNTY.g3QAAAAC[...cut...]"
  }
}

Now make a DELETE call against http://localhost:4000/sessions/sign_out, adding an authorization header in the form: Authorization: Bearer SFMyNTY.g3QAAAAC[…cut…]. You should receive a 204 response.

Take a look at the database for further feedback. A new token for the user must be created at sign in and it must be deleted at sign out.

Require the token to access restricted routes

We’re almost there: users are able to sign in and receive an authentication token, we should now restrict the access to private routes requiring an authorization token.

The key is a basic component of Phoenix: the Plug.

To apply one or more plugs to routes, we need to create a pipeline and pipe the routes through it:

defmodule MyAppWeb.Router do
  pipeline :authenticate do
    plug MyAppWeb.Plugs.Authenticate
  end
  scope "/restricted", Restricted do
    pipe_through :authenticate
    resources "/private"
    # more routes
  end
  [...]
end

The Authenticate plug will look for the authorization token in the request headers and will validate it. Only requests with valid tokens will go through. Invalid requests will get a 401 response.

This is the plug file:

defmodule MyAppWeb.Plugs.Authenticate do
  import Plug.Conn
  def init(default), do: default
  
  def call(conn, _default) do
    case MyApp.Services.Authenticator.get_auth_token(conn) do
      {:ok, token} ->
        case MyApp.Repo.get_by(MyApp.AuthToken, %{token: token, revoked: false}) 
        |> Repo.preload(:user) do
          nil -> unauthorized(conn)
          auth_token -> authorized(conn, auth_token.user)
        end
      _ -> unauthorized(conn)
    end
  end
  
  defp authorized(conn, user) do
    # If you want, add new values to `conn`
    assign(conn, :signed_in, true)
    assign(conn, :signed_user, user)
    conn
  end
  
  defp unauthorized(conn) do
    conn |> send_resp(401, "Unauthorized") |> halt()
  end
end

Revoke a compromised token

In the case a token is somehow “compromised”, the user can revoke it.

We need a new restricted route which updates the compromised token setting the revoked=true and revoked_at=.

I’m going to leave this as an exercise for the readers.

Consume the APIs with React

In the next part of this guide, I’ll show how to use what done here in a frontend app built using React. Read it here.

Note: JWT and why I didn’t use it

In the first iteration of the code I decided to use Guardian and JWT (JSON Web Tokens) but then I realized I couldn’t revoke tokens without store them in the db and actually make a query at each API call (and avoiding a query was the main reason that lead me to use JWT), so I decided it was a over-engineered solution and moved to the integrated Phoenix.Token.

If you’re interested in the JWT revoke topic, check the GuardianDB README which has a good explanation:

In other words, once you have reached a point where you think you need Guardian.DB, it may be time to take a step back and reconsider your whole approach to authentication!

References

React+Sass+Typescript with Phoenix framework using Webpack

Tommaso Visconti — Tue, 05 Sep 2017 21:37:00 GMT

If you’re playing with Elixir and Phoenix you’ll probably already know that Phoenix uses Brunch.io to build the assets pipeline.
I initially started building my app with React / Redux + SASS and I was quite happy, but when I decided to add Typescript to the recipe, I found Brunch.io wasn’t very helpful!

I’ve already used these tools using Webpack as building tool, so I decided to switch to it.
I had a working Webpack configuration I was using in other projects, so I only had to find out how to apply it to Phoenix.

When I initially generated the Phoenix app, I didn’t use the --no-brunch command line flag to generate it without Brunch, and the app itself was alreadyt working. So I wanted to replace the existing Brunch config with the new one without nuking any existing feature.

Below you can find the (few) steps required for this upgrade.

Remove Brunch and install Webpack

To remove Brunch, just remove the assets/brunch-config.js file and uninstall all brunch-related packages. In my case:

yarn remove brunch babel-brunch clean-css-brunch sass-brunch uglify-js-brunch

In the assets/package.json file you can also see that Brunch is mentioned in the scripts commands:

"scripts": {
  "deploy": "brunch build --production",
  "watch": "brunch watch --stdin"
},

Replace them with the Webpack commands (to run the webpack command you’d probably need to globally install it with yarn global add webpack):

"scripts": {
  "deploy": "webpack -p",
  "compile": "webpack --progress --color",
  "watch": "webpack --watch-stdin --progress --color"
},

You’re now ready to install the webpack ecosystem we’re going to use:

yarn add -D webpack babel-core babel-loader babel-preset-es2015 copy-webpack-plugin css-loader extract-text-webpack-plugin file-loader node-sass sass-loader style-loader webpack-notifier

Add Typescript to the project

To add Typescript support we need some more packages too:

yarn add -D typescript ts-loader tslint tslint-react @types/phoenix @types/react @types/react-dom @types/react-redux

The Typescript configuration file is assets/tsconfig.json:

{
  "compilerOptions": {
    "target": "es2015",
    "module": "es2015",
    "jsx": "preserve",
    "moduleResolution": "node",
    "baseUrl": "js",
    "outDir": "ts-build",
    "allowJs": true
  },
  "exclude": [
    "node_modules",
    "priv",
    "ts-build"
  ]
}

As you probably noticed in the previous command, I also installed TSLint support for linting features. Add the related package to your editor (like vscode-tslint for VSCode) to have (almost-)real-time linting warnings.
You also need a configuration file, here’s mytslint.json file:

{
  "extends": ["tslint:recommended", "tslint-react"],
  "rules": {
    "no-console": [false]
  }
}

Webpack configuration

Before configuring Webpack, let’s configure Babel, using the assets/.babelrc file:

{
  "presets": ["es2015", "react"]
}

And now, finally, the big part, the Webpack configuration file, assets/webpack.config.js:

const env = process.env.NODE_ENV
const path = require("path")
const ExtractTextPlugin = require("extract-text-webpack-plugin");
const CopyWebpackPlugin = require("copy-webpack-plugin")
const config = {
  entry: ["./css/app.scss", "./js/app.js"],
  output: {
    path: path.resolve(__dirname, "../priv/static"),
    filename: "js/app.js"
  },
  resolve: {
    extensions: [".ts", ".tsx", ".js", ".jsx"],
    modules: ["deps", "node_modules"]
  },
  module: {
    rules: [{
      test: /\.tsx?$/,
      use: ["babel-loader", "ts-loader"]
    }, {
      test: /\.jsx?$/,
      use: "babel-loader"
    }, {
      test: /\.scss$/,
      use: ExtractTextPlugin.extract({
        use: [{
          loader: "css-loader",
          options: {
            minimize: true,
            sourceMap: env === 'production',
          },
        }, {
          loader: "sass-loader",
          options: {
            includePaths: [path.resolve('node_modules')],
          }
        }],
        fallback: "style-loader"
      })
    }, {
      test: /\.(ttf|otf|eot|svg|woff(2)?)(\?[a-z0-9]+)?$/,
      // put fonts in assets/static/fonts/
      loader: 'file-loader?name=/fonts/[name].[ext]'
    }]
  },
  plugins: [
    new ExtractTextPlugin({
      filename: "css/[name].css"
    }),
    new CopyWebpackPlugin([{ from: "./static" }])
  ]
};
module.exports = config;

Final polishing and tests

The final step is to update the main template file app.html.eex to use the generated files (that you can find in the priv/static folder once compiled):

[..]
">
[..]

The whole pipeline is now ready, except we must tell Phoenix to run Webpack when the server is launched.
At the moment you can already test the pipeline running, from the assets/ folder, the command: yarn run compile

To configure Phoenix, update the config/dev.exs file replacing Brunch command with Webpack:

watchers: [
  node: [
    "node_modules/webpack/bin/webpack.js", "--watch-stdin", "--progress", "--color",
    cd: Path.expand("../assets", __DIR__)
  ]
]

That’s it.
Run mix phx.server and you’ll have both the Phoenix server running and the assets pipeline compiled and watching for file updates.

How to access docker containers with nsenter

Tommaso Visconti — Fri, 25 Jul 2014 13:09:57 GMT

Since the 0.9 version, Docker is shipped with the libcontainer execution driver and the containers can be accessed with the nsenter util (e.g. you don't need to install SSH in a container anymore!).

Nsenter is included in the util-linux package, from version 2.23.

If your distribution has an older versione of util-linux, you can compile it:

~$ curl https://www.kernel.org/pub/linux/utils/util-linux/v2.24/util-linux-2.24.tar.gz | tar -zxf-
~$ cd util-linux-2.24
~$ ./configure --without-ncurses
~$ make nsenter
~$ sudo cp nsenter /usr/local/bin

To enter a container you need to know its pid, which can be found with docker inspect knowing its ID:

~$ PID=$(docker inspect --format '{{.State.Pid}}' CONTAINER_ID)

Using the PID you can then enter the container:

~$ sudo nsenter --target $PID --mount --uts --ipc --net --pid /bin/bash

If you don't specify which program launch inside the container, ${SHELL} is run. I prefer to specify it (/bin/bash) because I use ZSH but I don't usually want to to install it inside the containers.

Basic setup for a Node.js-based TDD Code Kata

Tommaso Visconti — Fri, 27 Jun 2014 15:36:57 GMT

In the last post I suggested a minimal setup to begin with ruby-based TDD. In this post I want to show a possibile minimal setup for node.js-based TDD (node.js and npm must be installed). The kata will be again The Game of Life.

I'm not an expert of Node.js, so I hope what I'm writing is correct :)

I'll use the test framework Mocha and expect.js, a "Minimalistic BDD-style assertions for Node.JS and the browser".

Let's begin with the package.json file which will tell to npm what to install:

{
  "name": "game-of-life",
  "version": "0.0.1",
  "dependencies": {
    "mocha": "*",
    "expect.js": "*"
  }
}

With this file in the project folder you can run npm install to install the libraries. Then create the test/ folder with the mocha.opts file, where you can specify various options, like the reporter to use:

--reporter spec

With this file in place, the mocha command will launch the test.
So write the minimal js file and its corresponding test file:

test/game_of_life_test.js:

var expect = require('expect.js'),
  GameOfLife = require('../lib/game_of_life');

describe('Universe', function(){
  it('should have an initial size', function() {
    var u = new GameOfLife(6)
    expect(u.getSize()).to.equal(36);
  });
})

lib/game_of_life.js:

function GameOfLife(side){
  this.size = side * side;
}
GameOfLife.prototype.getSize = function() { return this.size; }

module.exports = GameOfLife;

Now launch mocha and the first test should pass:

~$ mocha

  Universe
    âœ“ should have an initial size 

  1 passing

To know something more about TDD and Node.js, start reading this post from Azat Mardan

Basic setup for a Ruby-based TDD Code Kata

Tommaso Visconti — Tue, 24 Jun 2014 12:53:00 GMT

In the last weeks with the guys of the Firenze Ruby Social Club we started to think about organizing some Code Katas to play with test-driven development and yesterday we met to play with The Game of Life.

We used Ruby and RSpec with a simple setup that I want to report here if you'd like to play with some katas.

Although probably a Kata exercise won't need many gems, in ruby projects I like to always use a Gemfile with the required gems:

ruby '2.1.2'
source 'https://rubygems.org'
gem 'rspec'

After a bundle install you're ready to start writing some code (if you don't have the bundle command, install the bundler gem with gem install bundler).

A basic example to begin TDD with the Game of Life could be this:

game_of_life_spec.rb:

require './game_of_life'

describe GameOfLife::Universe do
  it "should have an initial size" do
    u = GameOfLife::Universe.new(6)
    expect(u.size).to eq(36)
  end
end

game_of_life.rb:

module GameOfLife
  class Universe
    attr_reader :size
    def initialize(side)
      @size = side**2
    end
  end
end

With this minimalistic setup, the test passes:

~$ bundle exec rspec --color game_of_life_spec.rb
.

Finished in 0.00095 seconds (files took 0.0966 seconds to load)
1 example, 0 failures

You're now ready to start playing with TDD in Ruby :)

How to logrotate rails logs

Tommaso Visconti — Fri, 11 Apr 2014 08:59:27 GMT

If you deploy a rails app forgetting to configure logs automatic rotation, few weeks later won't be difficult to find something like this:

$ ls -lh log/production.log
  -rw-rw-r-- 1 www-data www-data 93,2M apr 10 17:49 production.log

Think if you have to find some error log inside a 100MB file, not easy... :)

Setting log rotation isn't difficult at all. I know two main ways.

Use syslog

This is a really easy solution. Rails will use standard syslog as logger, which means the logs will rotate automatically.

Open config/environments/production.rb and add this line:

config.logger = SyslogLogger.new

If you want to avoid your logs to be mixed with system logs you need to add some parameters:

config.logger = SyslogLogger.new('/var/log/.log')

Use logrotate

This is the cleaner way, but requires to create a file in the server, inside the /etc/logrotate.d/ folder. This is a possible content of the /etc/logrotate.d/rails_apps file:

/path/to/rails/app/log/*.log {
    weekly
    missingok
    rotate 28
    compress
    delaycompress
    notifempty
    copytruncate
}

The copytruncate option is required unless you want to restart the rails app after log rotation. Otherwise the app will continue to use the old log file, if it exists, or will stop logging (or, worse, will crash) if the file is deleted.
Below the copytruncate details from the logrotate man page:

copytruncate
      Truncate  the  original log file in place after creating a copy,
      instead of moving the old log file and optionally creating a new
      one,  It  can be used when some program can not be told to close
      its logfile and thus might continue writing (appending)  to  the
      previous log file forever.  Note that there is a very small time
      slice between copying the file and truncating it, so  some  log-
      ging  data  might be lost.  When this option is used, the create
      option will have no effect, as the old log file stays in  place.

To check the logrotate script you can use the logrotate command with the debug (-d) option, which executes a dry-run:

sudo logrotate -d /etc/logrotate.d/rails_apps

If everything seems ok you can wait until the next day or manually launch the rotation with:

sudo logrotate -v /etc/logrotate.d/rails_apps

Security checks for Ruby apps

Tommaso Visconti — Fri, 04 Apr 2014 13:51:10 GMT

If you, like me, have a lot of ruby apps and want to check if the code is vulnerable, Codesake::Dawn could be a useful gem.

This gem supports Rails, Sinatra and Padrino apps. To install it in a Rails app, add the gem to the development group in Gemfile:

group :development do
  gem 'codesake-dawn', require: false
end

then run bundle install.
Now add this line in the Rakefile:

require 'codesake/dawn/tasks'

Install finished. To check the app you just have to run rake dawn:run:

~$ rake dawn:run
15:27:03 [*] dawn v1.1.0 is starting up
15:27:04 [$] dawn: scanning .
15:27:04 [$] dawn: rails v4.0.3 detected
15:27:04 [$] dawn: applying all security checks
15:27:04 [$] dawn: 171 security checks applied - 0 security checks skipped
15:27:04 [$] dawn: 1 vulnerability found
15:27:04 [!] dawn: Owasp Ror CheatSheet: Session management check failed
15:27:04 [$] dawn: Severity: info
15:27:04 [$] dawn: Priority: unknown
15:27:04 [$] dawn: Description: By default, Ruby on Rails uses a Cookie based session store. What that means is that unless you change something, the session will not expire on the server. That means that some default applications may be vulnerable to replay attacks. It also means that sensitive information should never be put in the session.
15:27:04 [$] dawn: Solution: Use ActiveRecord or the ORM you love most to handle your code session_store. Add "Application.config.session_store :active_record_store" to your session_store.rb file.
15:27:04 [$] dawn: Evidence:
15:27:04 [$] dawn: 	In your session_store.rb file you are not using ActiveRercord to store session data. This will let rails to use a cookie based session and it can expose your web application to a session replay attack.
15:27:04 [$] dawn: 	{:filename=>"./config/initializers/session_store.rb", :matches=>[]}
15:27:04 [*] dawn is leaving

How to avoid mysqldump --events warning

Tommaso Visconti — Thu, 03 Apr 2014 15:54:53 GMT

Since MySQL v.5.5.29 the mysqldump command can generate the following error:

-- Warning: Skipping the data of table mysql.event. Specify the --events option explicitly.

An example of mysqldump for full dumps is this:

mysqldump --opt -u  -p --all-databases | gzip > full_dump.sql.gz

In a case of a server which executes it during periodical backups, this means a warning email from Cron Daemon, very annoying.

If you add, as suggested, the --events option you can receive this error:

mysqldump: Couldn't execute 'show events': 
  Access denied for user ''@'localhost' to database '' (1044)

The solution is to grant the EVENT permission to the user:

GRANT EVENT ON .* to ''@'localhost' with grant option;

Apparently if you don't care about events there's no way to suppress the error message with some --no-events option, as far as I know.
There's an interesting discussion about this (maybe-not-a-)bug here

Generate the sitemap of a Ghost blog during deploy

Tommaso Visconti — Wed, 02 Apr 2014 09:53:27 GMT

Waiting for a sitemap generator inside the core of Ghost (planned as "future implementation") I decided to implement a way to generate an up-to-date sitemap.xml during deployment.
As you can read in the previous post I'm deploying this blog with Capistrano and capistrano-node-deploy.
So I added a deploy:generate_sitemap task which is executed at the end of the deployment process.

This is the Capfile extract:

namespace :deploy do  
  task :generate_sitemap do
    run "cd #{latest_release} && ./ghost_sitemap.sh #{latest_release}"
  end
end
after "node:restart", "deploy:generate_sitemap"

So at the end of the deployment the ghost_sitemap.sh script is executed. The script is placed in the blog root and is a personalized version of the code you can find here: http://ghost.centminmod.com/ghost-sitemap-generator/

It essentially does 3 things:

Puts the sitemap.xml link in the robots.txt file
Scans (using wget) the website and generates the sitemap.xml file in the content folder
Notifies Google Webmaster Tools

What I changed of the original script is:

url="www.tommyblue.it"
webroot="${1}/content"
path="${webroot}/sitemap.xml"
user=''
group=''

user and group will be used to chmod the sitemap.xml file, so check that the web user (probably www-data) can read that file.

This process has a big problem: the sitemap is generated only during deploy, not when I publish a new post. A workaround is to run cap deploy:generate_sitemap after a new post is published.

It works but I need an automatic way. Any idea?

Deploy ghost blog with capistrano, rbenv and nvm

Tommaso Visconti — Tue, 01 Apr 2014 14:59:14 GMT

I just moved this blog from Jekyll to Ghost (v.0.4.2 while writing this post) and I had to find a fast way to deploy new changes to the server.
I'm pretty confident with Capistrano so, although Ghost doesn't use Ruby, I decided to use it to manage deployments.
A cool gem allow node apps to be deployed with Capistrano: capistrano-node-deploy

This is the Gemfile:

source 'https://rubygems.org'
gem 'capistrano', '~> 2.15.5'
gem 'capistrano-node-deploy', '~> 1.2.14'
gem 'capistrano-shared_file', '~> 0.1.3'
gem 'capistrano-rbenv', '~> 1.0.5'

If you don't use rbenv just remove the related line in the Gemfile and change the Capfile accordingly.

This configuration works well, but it has some problem if you use nvm instead of a system-wide installation of node and npm.

To fix them I had to add some variables (nvm_path, node_binary and npm_binary) and totally override the node:install_packages task. Whithout this changes the deploy task ends with messages like:

/usr/bin/env: node
No such file or directory

or:

node: not found

This isn't really a good way, because you must change the nvm_path every time you upgrade nvm, but it's the only way I actually found :)

I also changed the app_command variable to launch node ~/apps/tommyblue.it/current/index instead of node ~/apps/tommyblue.it/current/core/index in the upstart script. The second command doesn't actually works although is the gem's default.

This is the full content of the Capfile (remember to change to your own):

require "capistrano/node-deploy"
require "capistrano/shared_file"
require "capistrano-rbenv"
set :rbenv_ruby_version, "2.1.1"

set :application, "tommyblue.it"
set :user, ""
set :deploy_to, "/home/#{user}/apps/#{application}"

set :app_command, "index"

set :node_user, ""
set :node_env, "production"
set :nvm_path, "/home//.nvm/v0.10.26/bin"
set :node_binary, "#{nvm_path}/node"
set :npm_binary, "#{nvm_path}/npm"

set :use_sudo, false
set :scm, :git
set :repository,  ""

default_run_options[:pty] = true
set :ssh_options, { forward_agent: true }

server "", :web, :app, :db, primary: true

set :shared_files,    ["config.js"]
set :shared_children, ["content/data", "content/images"]

set :keep_releases, 3

namespace :deploy do
  task :mkdir_shared do
    run "cd #{shared_path} && mkdir -p data images files"
  end

  task :generate_sitemap do
    run "cd #{latest_release} && ./ghost_sitemap.sh #{latest_release}"
  end
end

namespace :node do
  desc "Check required packages and install if packages are not installed"
  task :install_packages do
    run "mkdir -p #{previous_release}/node_modules ; cp -r #{previous_release}/node_modules #{release_path}" if previous_release
    run "cd #{release_path} && PATH=#{nvm_path}:$PATH #{npm_binary} install --loglevel warn"
  end
end

after "deploy:create_symlink", "deploy:mkdir_shared"
after "node:restart", "deploy:generate_sitemap"
after "deploy:generate_sitemap", "deploy:cleanup"

Una nuova casa?

Tommaso Visconti — Tue, 18 Mar 2014 15:19:00 GMT

Recentemente non sono riuscito ad aggiornare molto questo blog. Spesso la causa non è stata la mancanza di contenuti, ma la non immediatezza della piattaforma. àˆ vero, con Jekyll mi sono divertito e l'idea di servire un sito statico secondo me è grandiosa, ma l'implementazione è effettivamente molto scarna e questo mi ha spesso fermato quando avrei voluto iniziare a scrivere un articolo e basta.

Da un po' di tempo mi sto quindi guardando intorno alla ricerca di una nuova piattaforma, nella convinzione che comunque non voglio usare Wordpress.

Per l'appunto nelle ultime settimane ho iniziato a riscrivere l'interfaccia di Rubyfatt utilizzando Ember e, quasi contemporaneamente, ho iniziato a sentir parlare di Ghost che ha appunto deciso di riscrivere l'interfaccia di amministrazione con Ember. Mi è subito sembrata un'occasione da cogliere al volo.

Sto lavorando sulla migrazione da Jekyll a Ghost, molto presto le pagine del blog potrebbero quindi cambiare aspetto per l'ennesima volta

Git: Content-addressable filesystem and Version Control System

Tommaso Visconti — Fri, 29 Nov 2013 11:03:40 GMT

GIT: Content-addressable filesystem and Version Control System from Tommaso Visconti

Automagically create and bootstrap Chef nodes on VMware vSphere with knife esx

Tommaso Visconti — Wed, 28 Aug 2013 09:21:45 GMT

Recently I decided to stop bothering me with "standard" system administration and I switched to a more devops-oriented administration using Chef.

After a few days I found a very useful gem, knife-esx which is a Knife plugin to create and bootstrap new VMware virtual machines on the fly. I patched it and its dependency gem esx because it wasn't possible to set the number of cores per virtual CPU, but now it is so, to create a new virtual machine and bootstrap it you just need to type:

 knife esx vm create \
       --free-license \
       --esx-host  \
       --esx-templates-dir /vmfs/volumes/datastore1/esx-gem/templates \
       --vm-name  \
       --guest-id ubuntu64Guest \
       --use-template ubuntu-12.04-x64_template.vmdk \
       --distro ubuntu12.04-gems \
       --vm-memory 512 \
       --vm-cpus 8 \
       --vm-cpu-cores 4 \
       -x  \
       -i ~/.ssh/id_rsa \
       --node-name  \
       -r 'role[base],role[esx-vm]'

How I deploy Rails apps

Tommaso Visconti — Wed, 17 Jul 2013 15:18:07 GMT

In various mailing lists I read a lot of threads about deploying a Rails app. I want to contribute to the topic with this post, where I'll describe how I'm now deploying my rails apps in a VPS (actually it's not a virtual but a physical server, but it's the same..).

In the past I used Pushion Passenger but it was a very young project and when Unicorn showed up, I felt in love :)
I wrote a similar post some years ago, the idea is the same, but the structure is now more solid.

The tools I'm now using are:

Unicorn as Rack HTTP server
Nginx as proxy server
Supervise (part of Daemontools) to monitor the unicorn app
Capistrano to manage the deploy
Rbenv to manage the ruby environment

The server's o.s. is Ubuntu 12.04 LTS.

Rbenv

To install rbenv and ruby-build:

sudo apt-get install build-essential zlib1g-dev openssl libopenssl-ruby1.9.1 libssl-dev libruby1.9.1 libreadline-dev git-core
git clone https://github.com/sstephenson/rbenv.git ~/.rbenv
echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bashrc
echo 'eval "$(rbenv init -)"' >> ~/.bashrc
exec $SHELL -l
mkdir -p ~/.rbenv/plugins
cd ~/.rbenv/plugins
git clone git://github.com/sstephenson/ruby-build.git
rbenv install 2.0.0-p247
rbenv rehash
rbenv global 2.0.0-p247
rbenv local 2.0.0-p247

Just check if everything went ok:

$ ruby -v
ruby 2.0.0p247 (2013-06-27 revision 41674) [x86_64-linux]

Read this post to switch to Rbenv if you're using RVM

Capistrano

Create the required folder in the server:

mkdir ~/apps

Now configure your app to be deployed:

cd ~/my_app_path
echo "gem 'capistrano'" >> Gemfile
bundle install
capify .

edit the Capfile file if you need, then edit config/deploy.rb. This is a working example:


require "bundler/capistrano"
require "capistrano-rbenv"
set :rbenv_ruby_version, "2.0.0-p247"

set :user, "server_username"
set :application, "my_app"
set :deploy_to, "/home/#{user}/apps/#{application}"
set :deploy_via, :remote_cache

set :use_sudo, false
set :scm, :git
set :repository,  "your_app_git_repo"

default_run_options[:pty] = true
set :ssh_options, { forward_agent: true }

server "my_server.my_domain", :web, :app, :db, primary: true

set :branch, "master"
set :rails_env, "production"

after "deploy", "deploy:cleanup" # keep only the last 5 releases

# Daemontools start/stop
namespace :deploy do
  %w[start stop restart].each do |command|
    desc "#{command} unicorn server"
    task command, roles: :app, except: {no_release: true} do
      if command == "start"
        sudo "/usr/bin/svc -u /etc/service/my_app"
      elsif command == "stop"
        sudo "/usr/bin/svc -d /etc/service/my_app"
      else
        sudo "/usr/bin/svc -t /etc/service/my_app"
      end
    end
  end

  task :setup_config, roles: :app do
    run "mkdir -p #{shared_path}/config"
  end
  after "deploy:setup", "deploy:setup_config"

  task :symlink_config, roles: :app do
    run "ln -nfs #{shared_path}/config/database.yml #{release_path}/config/database.yml"
  end
  after "deploy:finalize_update", "deploy:symlink_config"

  desc "Make sure local git is in sync with remote."
  task :check_revision, roles: :web do
    unless `git rev-parse HEAD` == `git rev-parse origin/#{branch}`
      puts "WARNING: HEAD is not the same as origin/#{branch}"
      puts "Run `git push` to sync changes."
      exit
    end
  end
  before "deploy", "deploy:check_revision"
end

You can create the required folders with:

cap deploy:setup

cd ~/apps/my_app/shared
mkdir config logs pids sockets

in the config folder create a database.yml file with the rails production environment configurations.

Unicorn

Add the unicorn gem to the rails app:

cd ~/my_app_path
echo "gem 'unicorn'" >> Gemfile
bundle install

Add the unicorn configuration in the shared/config/unicorn.rb file (in the server):


worker_processes 2
working_directory "/home/my_user/apps/my_app/current" # available in 0.94.0+
listen "/home/my_user/apps/my_app/shared/sockets/my_app.sock", :backlog => 64
timeout 30
pid "/home/my_user/apps/my_app/shared/pids/unicorn.pid"
stderr_path "/home/my_user/apps/my_app/shared/log/unicorn.stderr.log"
stdout_path "/home/my_user/apps/my_app/shared/log/unicorn.stdout.log"

preload_app true
GC.respond_to?(:copy_on_write_friendly=) and
  GC.copy_on_write_friendly = true

before_fork do |server, worker|
  defined?(ActiveRecord::Base) and
    ActiveRecord::Base.connection.disconnect!
end

after_fork do |server, worker|
  defined?(ActiveRecord::Base) and
    ActiveRecord::Base.establish_connection
end

To launch unicorn I create the ~/service folder. There I create a folder for each project. So:

mkdir -p ~/service/my_app

Then the required files.

~/service/my_app/run (must be executable)


#!/bin/bash

exec su - my_user -c '/home/my_user/service/load_my_app.sh bundle exec unicorn_rails -E production -c /home/my_user/apps/my_app/shared/config/unicorn.rb'
# If you want to launch unicorn manually use te line below instead of the line above (use sudo!). Useful for debugging
# exec su - my_user -c '/home/my_user/service/load_my_app.sh bundle exec unicorn_rails -E production -l /home/my_user/apps/my_app/shared/sockets/my_app.sock'

~/service/load_my_app.sh


#!/bin/bash

export RAILS_ENV="production"
export PATH="$HOME/.rbenv/bin:$PATH"
eval "$(rbenv init -)"
cd /home/my_user/apps/my_app/current/
exec $@

As pointed in the comment, you can use the run file to test the app, just modify the file then launch it as root:

cd ~/service/my_app
sudo ./run

You'll see the familiar unicorn startup process, then it will listen for connections in the given socket.

That's it, now jump to supervise

Daemontools

Install the required packages:

sudo apt-get install daemontools daemontools-run

After this command you'll have the svc executable. Before using it, create the symbolic link in the /etc/service folder:

cd /etc/service
sudo ln -s /home/my_user/service/my_app

Supervise automatically launches, at server sturtup, the run executable in the folders present in /etc/service/

To manually startup the app, use svc:

sudo svc -u /etc/service/my_app

This is the same command used by capistrano during deploy (se configuration above).

Nginx

If everything went as expected, the rails app is running and listening for connections in the unix socket at /home/my_user/apps/my_app/shared/sockets/my_app.sock. Now configure Nginx to use that socket.

/etc/nginx/sites-available/www.my_app.my_domain


upstream backend_my_app {
  server unix:/home/my_user/apps/my_app/shared/sockets/my_app.sock fail_timeout=0;
}

server {
	listen [::]:80;

  client_max_body_size 4G;
  keepalive_timeout 5;

  try_files $uri/index.html $uri.html $uri @app;

	root /home/my_user/apps/my_app/current/public/;
	index index.html index.htm;

	server_name my_app.my_domain www.my_app.my_domain;

  location @app {
    gzip_static on;
    proxy_pass http://backend_my_app;
    proxy_redirect off;

    proxy_set_header        Host    $host;
    proxy_set_header        X-Real-IP       $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;

    root /home/my_user/apps/my_app/current/public/;
    index  index.html index.htm;
  }

  location ~* ^/font.+\.(svg|ttf|woff|eot)$ {
    root /home/my_user/apps/my_app/current/public/;
  }

  error_page   500 502 503 504  /50x.html;
  location = /50x.html {
    root   /var/www/nginx-default;
  }

  access_log  /var/log/nginx/access.log;
  error_log  /var/log/nginx/error.log;
}

Symlink this file in /etc/nginx/sites-enabled/ and restart nginx, your app should be online.

When you'll deploy a new version of the app, Capistrano will require the sudo password to send a TERM signal to supervise, which will restart the rails app.

That's it, it seems a lot of configuration (and maybe is) but it works great and there are very little differences between the projects, so CTRL-C+CTRL-V works great! :)