This is a great, solid alternative to CSRF tokens for CSRF protection when we aren't worried about older browsers or other kind of actors doing modifying requests in our app, and could be a good test for future upstreaming to Rails (although there we'd need to continue using CSRF tokens or at least letting people opt out manually). Let's start checking the header and reporting on it when CSRF fails or when it doesn't match the other checks Rails does, and then promote this to be the only way to defend from CSRF.
Fizzy
Setting up for development
First get everything installed and configured with:
bin/setup
If you'd like to load fixtures:
bin/rails db:fixtures:load
And then run the development server:
bin/dev
You'll be able to access the app in development at http://fizzy.localhost:3006
Running tests
For fast feedback loops, unit tests can be run with:
bin/rails test
The full continuous integration tests can be run with:
bin/ci
Tests
Outbound Emails
Development
You can view email previews at http://fizzy.localhost:3006/rails/mailers.
You can enable or disable letter_opener to
open sent emails automatically with:
bin/rails dev:email
Under the hood, this will create or remove tmp/email-dev.txt.
Environments
Fizzy is deployed with Kamal. You'll need to have the 1Password CLI set up in order to access the secrets that are used when deploying. Provided you have that, it should be as simple as bin/kamal deploy to the correct environment.
Beta
Beta is primarily intended for testing product features.
Beta tenant is:
This environment uses local disk for Active Storage.
Staging
Staging is primarily intended for testing infrastructure changes.
This environment uses a FlashBlade bucket for blob storage, and shares nothing with Production. We may periodically copy data here from production.
Production
This environment uses a FlashBlade bucket for blob storage.