I found this code in here:

```ruby
# lib/admin_constraint.rb
class AdminConstraint
  def matches?(request)
    return false unless request.session[:user_id]
    user = User.find request.session[:user_id]
    user && user.admin?
  end
end

# config/routes.rb
require 'sidekiq/web'
require 'admin_constraint'
mount Sidekiq::Web => '/sidekiq', :constraints => AdminConstraint.new
```

Looks like we can add a column to the user. I can then add 3 users (each of us) to the db. We would each need to jot down our email, password AND USER ID. However, I don't see how this "password" protects us. Looks like anyone can insert a user_id into the session token and bam, they authenticate. I wonder if we could somehow add our pw to that.
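An added example, not the project's code, that models the posted AdminConstraint outside Rails: User, Request, RecordNotFound and the user records are constructed stand-ins. It shows what the constraint decides for each kind of session (none, admin, non-admin, unknown id) and a hardened variant that denies on an unknown id instead of raising; the session cookie itself is not modelled.

```ruby
# Constructed user records and stand-ins for the Rails pieces, so the
# constraint logic can run without Rails loaded.
User = Struct.new(:id, :email, :admin) do
  def admin?
    admin == true
  end
end
USERS = { 1 => User.new(1, 'alice@example.test', true),
          2 => User.new(2, 'bob@example.test', false) }.freeze
class RecordNotFound < StandardError; end
# Mirrors ActiveRecord: find raises on an unknown id, find_by returns nil.
def User.find(id)
  USERS.fetch(id) { raise RecordNotFound, "no user with id=#{id.inspect}" }
end
def User.find_by(id:)
  USERS[id]
end
Request = Struct.new(:session) # only the session hash is needed here

# The constraint as posted. Because find never returns nil, a stale or
# unknown user_id raises instead of denying; the `user &&` guard is dead code.
class AdminConstraint
  def matches?(request)
    return false unless request.session[:user_id]
    user = User.find request.session[:user_id]
    user && user.admin?
  end
end

# Hardened variant: every lookup failure yields false, so the route simply
# does not match (Rails then falls through to a 404) instead of raising.
class SafeAdminConstraint
  def matches?(request)
    user_id = request.session[:user_id]
    return false unless user_id
    user = User.find_by(id: user_id)
    !user.nil? && user.admin?
  end
end

# Evaluate a constraint against a constructed session; :error marks a raise.
def decide(constraint, session)
  constraint.matches?(Request.new(session))
rescue RecordNotFound
  :error
end
```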