stevepolitodesign / rails-authentication-from-scratch

A step-by-step guide on how to build your own authentication system in Rails from scratch.
https://stevepolito.design/blog/rails-authentication-from-scratch/

Confused about `request.local?` #88

Open matt17r opened 2 years ago

matt17r commented 2 years ago

Hi Steve,

I'm confused about the check for request.local? in store_location.

The reason I ask is that redirecting to the originally requested URL works in dev but not production on Heroku. I did some puts debugging and it turns out the request is coming from an internal (10.x.x.x) address but not from LOCALHOST.

******************************
store_location:
  session[:return_to] = 
  request.get? = true
  request.local? = false
  request.headers[:REMOTE_ADDR] = 10.1.35.236
******************************

You explain in your post:

We also call request.local? to ensure it was a local request. This prevents redirecting to an external application.

Intuitively I would expect the request to always be from a remote IP address in production (e.g. the one given to me by my ISP) but clearly I'm missing something. Is the request being forwarded or proxied from the rack web server maybe? Is that why I'm seeing 10.1.35.236 in the example above?

And do other hosting providers usually run them on the same box maybe? Is that why the check for local? works for you but fails for me?

Thanks for the great tutorial and thanks in advance for any tips or pointers!

Matt

stevepolitodesign commented 2 years ago

@matt17r thank you for opening this issue! I just tested this, and you're absolutely right. The call to local is not necessary, and will not work as expected in production.

I misunderstood what this method did, and thought it returned true if the request came from the application.
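The two points in this thread, that `request.local?` only tells you whether the client address is a loopback address (so a request proxied from a 10.x.x.x host fails it) and that protection against redirecting to an external application has to come from validating the stored target instead, can be illustrated in plain Ruby. This is an added example, not code from the issue or from the tutorial; the `Request` struct is a constructed stand-in for the small part of the Rails request API used here, and `local?` is an approximation of the Rails behaviour (loopback check on the client address):

```ruby
require "uri"
require "ipaddr"

# Constructed stand-in for the parts of the Rails request object used below.
Request = Struct.new(:http_method, :path, :query_string, :remote_addr, keyword_init: true) do
  def get?
    http_method == "GET"
  end

  # Path plus query string, as request.fullpath returns it in Rails.
  def fullpath
    query_string.to_s.empty? ? path : "#{path}?#{query_string}"
  end

  # Approximation of Rails' request.local?: true only when the client
  # address is a loopback address. A request that reaches the app from a
  # private 10.x.x.x address (as behind the Heroku router) is NOT local.
  def local?
    IPAddr.new(remote_addr.to_s).loopback?
  rescue IPAddr::InvalidAddressError
    false
  end
end

# Remember where a GET request was headed so the user can be sent back
# after signing in. Only the path is stored, never a full URL, so no check
# on where the request came from is needed.
def store_location(request, session)
  return unless request.get?
  session[:return_to] = request.fullpath
end

# Accept the stored target only if it is a same-origin relative path.
# This is the check that actually prevents redirecting to another site.
def safe_return_path(session, default: "/")
  candidate = session.delete(:return_to)
  return default unless candidate.is_a?(String) && candidate.start_with?("/")
  # "//host/path" and "/\host/path" are treated as absolute URLs by browsers.
  return default if candidate.start_with?("//", "/\\")
  begin
    uri = URI.parse(candidate)
  rescue URI::InvalidURIError
    return default
  end
  return default unless uri.scheme.nil? && uri.host.nil?
  candidate
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request mirroring the debug output in the issue.
  proxied = Request.new(http_method: "GET", path: "/posts/1",
                        query_string: "draft=true", remote_addr: "10.1.35.236")
  session = {}
  store_location(proxied, session)
  puts "local? = #{proxied.local?}"               # false, as seen in production
  puts "return_to = #{session[:return_to]}"       # /posts/1?draft=true
  puts "redirect to #{safe_return_path(session)}" # /posts/1?draft=true

  session = { return_to: "https://evil.example/phish" }
  puts "redirect to #{safe_return_path(session)}" # / (external target rejected)
end
```

Run it with `ruby example.rb`. The design choice is to store `request.fullpath` rather than `request.url` or the `Referer` header, and to re-validate the value when it is read back: the session cookie is signed in Rails, but a stored value can still be a full URL if some other code path writes it, so the redirect step, not the storing step, is where the same-origin check belongs.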