Add app authorization for each request

Author: rhannequin

.gitignore

@@ -21,3 +21,6 @@
 /gems/*
 /bin/*
 
+
+# Ignore application configuration
+/config/application.yml

Gemfile

@@ -13,6 +13,9 @@ gem 'bcrypt-ruby', "~> 3.0.0"
 # JavaScript runtime
 gem 'therubyracer'
 
+# Secure configuration file for Open-Source projects
+gem "figaro"
+
 group :production do
   gem 'pg'
 end

Gemfile.lock

@@ -51,6 +51,9 @@ GEM
     faker (1.2.0)
       i18n (~> 0.5)
     ffi (1.9.0)
+    figaro (0.7.0)
+      bundler (~> 1.0)
+      rails (>= 3, < 5)
     formatador (0.2.4)
     guard (2.0.3)
       formatador (>= 0.2.4)
@@ -164,6 +167,7 @@ DEPENDENCIES
   email_validator
   factory_girl_rails
   faker
+  figaro
   guard-rspec
   launchy
   pg

README.md

@@ -0,0 +1,29 @@
+# LaboWebESGI API
+
+## Requirements
+
+- Ruby 2
+- Rails 4 `gem install rails`
+- RSpec `gem install rspec`
+- Bundler `gem install bundler`
+
+## Development
+
+    bundle install
+    rake db:migrate
+    rails s -p 5000
+
+## Tests
+
+    rake db:migrate db:test:prepare
+    rspec spec
+
+Make sure you have created the file `config/application.yml` with the following content:
+
+    # Add application configuration variables here, as shown below.
+
+    AUTHORIZED_APPS:
+      - 127.0.0.1
+      - localhost
+
+It will enable your client application in development mode to access to the API.

README.rdoc

@@ -1,10 +1,18 @@
 class ApplicationController < ActionController::API
   before_action :allow_cors
+  before_action :is_an_authenticated_app?
 
   def allow_cors
     headers["Access-Control-Allow-Origin"] = "*"
     headers["Access-Control-Allow-Methods"] = %w{GET POST PUT DELETE}.join(",")
     headers["Access-Control-Allow-Headers"] =
       %w{Origin Accept Content-Type X-Requested-With X-CSRF-Token}.join(",")
   end
+
+  def is_an_authenticated_app?
+    can_access = ENV['AUTHORIZED_APPS'].include? request.remote_host
+    unless can_access
+      render json: {error: 'This is not an authenticated app'}, status: 403
+    end
+  end
 end