Is there a way that I could keep my application completely private, and only let the developers have access?
When a random user enters the URL, it should be something like a blank page, but when the developers enter the URL, they should be able to access the app.
My cheap solution has been implementing a before_filter to request an HTTP authentication before every action is executed.
This solution works well along other authentication layers – Devise or others.
```ruby
# Developer credentials for the HTTP Digest prompt (name => password)
USERS = { "user" => "secret" }

# Runs before every action, so nothing is served without the prompt
before_filter :authenticate

def authenticate
  # Rails looks up the password for the supplied name; a nil result rejects the request
  authenticate_or_request_with_http_digest("Application") do |name|
    USERS[name]
  end
end
```
Whenever other peers land at yourdomain.heroku.com, they are asked for HTTP authentication, later for other authentication if in place.
Now you can also use a Heroku add-on that lets you specify emails of users allowed to access an application and that uses Persona (aka BrowserID) to authenticate users (no site-specific password needed).
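A self-contained variant of the same idea, added here and not part of the answer above: a Rack-style middleware (only an object with `call(env)`, so it needs no gems) that reads developer credentials from an assumed `STAGING_USERS` config var, compares passwords in constant time, and answers strangers with a bare 404 instead of an auth challenge, so the site looks blank to them.

```ruby
require "openssl"

# Gate a staging app behind HTTP Basic auth. Anyone without valid
# credentials receives an empty 404; developers sending a valid
# Authorization header pass through to the wrapped app.
class StagingGate
  def initialize(app, users = nil)
    @app = app
    # STAGING_USERS (hypothetical Heroku config var) holds "alice:pw1,bob:pw2";
    # credentials stay out of the source tree.
    @users = users || Hash[ENV.fetch("STAGING_USERS", "").split(",").map { |p| p.split(":", 2) }]
  end

  def call(env)
    name, password = parse_basic(env["HTTP_AUTHORIZATION"])
    return @app.call(env) if name && valid?(name, password)
    # No WWW-Authenticate header on purpose: strangers see a plain 404, not a login box.
    [404, { "content-type" => "text/plain" }, [""]]
  end

  # Builds the header a developer's client sends; handy for tests and curl scripts.
  def self.basic_header(name, password)
    "Basic " + ["#{name}:#{password}"].pack("m0")
  end

  private

  # Decodes "Basic base64(user:pass)"; returns nil for a missing or malformed header.
  def parse_basic(header)
    return nil unless header && header.start_with?("Basic ")
    header.delete_prefix("Basic ").unpack1("m0").split(":", 2)
  rescue ArgumentError
    nil
  end

  # Constant-time check: hashing both sides first gives equal lengths, so the
  # XOR loop runs the same number of steps regardless of how much matched.
  def valid?(name, password)
    expected = @users[name]
    return false unless expected
    a = OpenSSL::Digest::SHA256.digest(expected)
    b = OpenSSL::Digest::SHA256.digest(password.to_s)
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

In `config.ru`, `use StagingGate` above `run Rails.application` puts the gate in front of every route, including assets.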
A really simple solution would be to just add a key that can be stored in a cookie on the user's machine. This is not a perfect solution, as someone could get the key, but it gives you basic protection from someone stumbling across your site. You could use a URL like http://www.yourdomain.com?access_key=random_string and then add the following to your application controller.
```ruby
class ApplicationController < ActionController::Base
  before_filter :check_redirect_key

  def check_redirect_key
    # Neither the URL nor the cookie carries the key: send the visitor to the 404 page
    if request[:access_key] != 'random_string' && cookies[:access_key] != 'random_string'
      redirect_to "/404.html"
    # Key arrived in the URL: remember it so later visits need no query string
    elsif request[:access_key] == 'random_string'
      cookies.permanent[:access_key] = 'random_string'
    end
  end
end
```
This code will check for the access key in either the URL or a cookie on the user's machine and let them in if it exists in either place. That way, once they've accessed the site with the key, they can just access the URL directly.
You could use HTTP basic authentication as an easy way:
Is there a way to set up simple http authentication for an app on heroku?
Not exactly bulletproof, but maybe sufficient.
You could also try checking heroku_user and refusing access if it isn't set: http://blog.heroku.com/archives/2008/1/14/heroku_user/

I can't find much documentation on heroku_user, so I don't know if it is still supported.
Check out authlogic gem, particularly the Single Access Token feature.
You can return a 404 to anyone who doesn't pass the appropriate single access token as an argument.
I built the rack_staging gem to handle this use case for myself, it might be of use for you too.
My (also cheap) solution (Django app that uses class-based views) is to use SuperuserRequiredMixin in all my class-based views like this:

```python
class BlogPostDetailView(SuperuserRequiredMixin, DetailView):
    template_name = "blogpost-detail.html"
    model = BlogPost
```
Adding / removing this mixin is my way to go about this.