How works, Part I

I thought I’d write about how serves its Ember.js index from its Sinatra.rb API, and how web clients interacts with the back-end once the application is loaded. It started to run a little long so I’ve broken it up into parts. This first chapter will cover some background information on Ember, the web architecture, and how we deploy our Ember index to our stack.

Continue reading

Always set X-Forwarded-Proto


If your Rack application (and probably other types of applications) lives behind a reverse proxy, always set an X-Forwarded-Proto request header. I recently ran into an issue where Rack::Session (which I’m using for an OAuth1.0a server-side login flow) wouldn’t let me set a secure cookie because it didn’t think I was serving a secure web site.

I have forwardfor disabled in my HAproxy config because I’m using PROXY protocol to talk to Varnish. Manually adding the X-Forwarded-Proto header to the request fixed the issue, and now I want those three hours of my life back! Hopefully this comes up in someone else’s frantic googling at some point in the future and saves them a similar headache.

Web site security checklists

There are a tremendous number of things you can do today to make your site more secure, while preserving compatibility with all but the oldest web clients (I’m looking at you, Java 6 and Internet Explorer 6). If you haven’t been keeping up with the state of the art, this includes things like (cue Benny Hill music):

Continue reading

Torii for Ember.js Lightning Talk

The slides for my recent Torii for Ember.js Lightning Talk (it ran a little long, so it was more of a “thunder” talk) are now available to download. They closely follow my post about Ember.js and Torii from September, and indeed the slides link to that post for the code walkthrough. Please let me know in the comments if you have any questions, and of course I’m available to chat in the EmberJS Community Slack team as @mwpmaybe (invite yourself here if you’re not already signed up).

I think there’s a video of my talk, but I understand the quality is not that great. I’ll post it here as soon as possible, assuming it’s not too bad.

Rack::Deflater in Sinatra

“Can I use Rack::Deflater in my Sinatra application?” Yes, absolutely. It’s a piece of Rack middleware and therefore super easy to use:

use Rack::Deflater

Furthermore, the RubyDoc for Rack::Deflater gives a cool little example of how to conditionally enable Rack::Deflater based on the size of the response body:

use Rack::Deflater, :if => lambda {
  |env, status, headers, body| body.length > 512

Unfortunately, this doesn’t work in Sinatra, or at least not on Sinatra 1.4.6, Rack 1.6.4, and Ruby 2.2.3. Why? Well, body is (for some reason) an array, so its length is probably zero (nil body) or one. It also occurs to me that we care more about the byte size of the body than its string length; if you think a 513-byte response is worth compressing, 512 characters encoded in UTF-32 (2,048 bytes) certainly is!

Here’s a modified (and code-golfed) version of the above snippet for Sinatra:

use Rack::Deflater, :if => lambda {
  |*, body|, :+) > 512

Happy deflating!

Easy login sessions with Ember.js and Torii

This is an easy and simple session lifecycle solution pattern for Ember.js 1.13/2.0 using Torii 0.6.0 that I’d like to share. Ember is a framework for building single-page web applications (SPAs) in JavaScript and HTMLBars. Torii abstracts authentication (authn) and authorization (authz) services in Ember and gives you powerful hooks into authn providers (social media login, e.g. Facebook or Twitter, or your company’s internal directory service) and customizable authz adapters (i.e. your application’s backend). It can inject the session object returned by your API into routes and controllers, and protect routes that require authorization.

Continue reading