using text_field_with_auto_complete and form_authenticity_token

Rails 2.0 introduced protection for Cross-site request forgery (CSRF). This is turned on by default in your Rails applications. However, many developers are turning off this valuable protection rather than making the changes necessary to use it. This seems the same to me as leaving your door unlocked while your friend visits because cutting keys is hard. Case in point: text_field_with_auto_complete

You know you have run into the new CSRF protection when you see this error in your Rails application:

ActionController::InvalidAuthenticityToken

This is the point where you Google the error and receive one of the following pieces of advice:

1. Turn off RequestForgeryProtection all together

# add the following line to your application.rb or one of your
# environment.rb files. why not production? (sarcasm)
config.action_controller.allow_forgery_protection = false

2. Turn off RequestForgeryProtection for just one controller

skip_before_filter :verify_authenticity_token

3. Turn off RequestForgeryProtection for just one action.

protect_from_forgery :except => :attack_me

So let’s see how easy it is to utilize this new feature!

I was working with the text_field_with_auto_complete in a pretty basic form:

For those of you who aren’t familiar with this there is a nice post on the Rails Wiki

When I tried to perform my auto complete I received the ActionController::InvalidAuthenticityToken error.

Why? Because basically my Ajax request did not include a security token that RequestForgeryProtection uses to validate my request is coming from the right place. All you need to do is add this token to the parameters sent with your request. Rails makes this easy with the helper: form_authenticity_token. The token name RequestForgeryProtection will be looking for is: authenticity_token.

So let’s add this to our text_field_with_auto_complete:

Now when I performed my auto complete it worked flawlessly! Now to refactor that string… any suggestions?

Update August 25, 2008

Learned two things working with this…

1. It’s automatically doing a POST, so by changing the method to GET I can avoid having to deal with the authenticity_token.

2. And with that out of the way I don’t need to specify the parameters since by default it will send back the value of the text field.

That’s a lot cleaner!

Learning Ruby on Rails with Heroku Episode 1

Ever since I saw Heroku I wanted to use it for a screencast on learning Ruby on Rails. This weekend I finished the very first episode! This episode is fairly light on Ruby on Rails content because I was so focused on screencasting and learning all about video and audio production for the web.

So take a look and tell me what you think. I used Vimeo for hosting the video. I also produced the video in HD… however I didn’t realize that Vimeo only streams the HD content on their site, not the embedded video. So to view the best possible video you should view it on Vimeo. here is the link. You can make it full screen and enjoy the HD in all its glory.

Please feel free to leave some constructive criticism regarding the screencast. This way I can make some changes before I start pushing this out more regularly.

In this first episode of Learning Ruby on Rails with Heroku:

  1. Introduction
  2. Goal of this screencast series
  3. What is Heroku?
  4. Getting an account
  5. Creating your first Ruby on Rails application
  6. Basic navigation of Heroku


Learning Ruby on Rails with Heroku Episode 1 from Matthew Carriere on Vimeo.

Take it to the next level with the Ruby on Rails console

If you are not using the Rails console while your developing then now is the time to start! I learn best by example, so that’s how I am going to structure this.

Here’s the scenario:

You are writing code against a class and need to determine which attributes you have available to you. In Rails, your attributes are largely driven by the database schema, so you will not see them in the class definition. At this point most developers will take a look at the table in the database and find the column they need, then determine the type of data stored there. There is a better way…

Let’s use the command line.

We start by firing up our Rails application in console mode:
You must be in your Rails application directory to issue this command.

1
script/console

So now what? Well now you have command line access to your entire Rails application! For example, let’s say you have a class named Person (which would map to a people table in the database). You want a new instance of this class? Then issue the following:

1
p = Person.new

Perhaps you want to view a Person from the database:

1
p = Person.find(1)

By default the results are displayed below each command and they are not very friendly, so let’s output them in YAML as it will be much more readable:

1
y p

‘y’ is like calling ‘puts p.to_yaml’ on the resulting value that follows it. There is also a ‘p’ shortcut that is the equivalent of issuing ‘puts’ on the value.

So how does this help with determining attributes? At first glance you may think you have to look at the list of values returned in your YAML command and find what your looking for… no… it gets better. Remember that all Ruby objects inherit certain methods, watch this:

You want to get the methods associated with your object:

1
y p.methods

You can also get the private, public, and protected methods using the following commands:

1
2
3
y p.public_methods
y p.private_methods
y p.protected_methods

So this class could return a huge YAML result which may not seem as efficient as scanning the schema in the database, and you’re right. So let’s get to what we are really looking for using ‘grep':

1
y p.methods.grep /method_name/

This will return any method which contains method_name. You can write pass any regular expression you like into this command and really drill into your class methods, and for help putting those regular expressions together I really like using Rubular a web-based Ruby regular expression editor.

And what about the type of an object?

1
y p.class

This is just a taste of what you can do with the console… I use the console everyday as I develop. I will post some more console tips in future posts!

Running Ruby on Rails with Mongrel Clustering and Apache Proxy

Being a Rails coder is easy, deploying a Rails application can be hard. Through a great deal of effort, we’ll call it blood, sweat and tears, I have put together the following guidance on how to get your Ruby on Rails application up and running behind a Mongrel cluster using Apache Proxy.

Here’s the deal, I am going to install all the necessary applications to get this up and running, so if you have some of these installed on your server already you may just skip ahead, however, if you have any issues with this you may want to read over those sections you skipped and understand why I installed a specific version or what pitfalls I encountered that may be affecting your setup. Also, I am running Ubuntu, so if you are running a different distribution, then the paths to specific configuration files on your system may be different. Let’s get started!

Installing MySQL

Install MySQL using the package manager in Ubuntu:

1
sudo apt-get install mysql-server

After the installation you should be able to run the command mysql or mysqladmin. If you cannot run these then you may have to create symbolic links to these commands or add them to your path.

By default, MySQL only listens on localhost, in order to change that you need to comment out the line which reads: bind-address = 127.0.0.1

Change this by editing the following file on your system:

1
sudo vi /etc/mysql/my.cnf

You can search for text in vi using a forward slash.

You should restart MySQL after making a change to the config file:

1
/etc/init.d/mysql restart

Now verify that MySQL is listening to the network. The output of the following command should show an entry for MySQL:

1
netstat -tap

You need to set a password for the root account of MySQL, otherwise anyone can access it!

1
2
mysqladmin -u root password your_password
mysqladmin -h server_name -u root password your_password

In case it is not clear, your_password should be replaced with a strong password of your choosing.

Installing Ruby

1
apt-get install ruby ri irb

Install Ruby Gems

1
2
3
4
5
cd /tmp
wget http://rubyforge.org/frs/download.php/17190/rubygems-0.9.2.tgz
tar -zxvf rubygems-0.9.2.tgz
cd /rubygems-0.9.2.tgz
ruby setup.rb

Update rubygems

1
2
3
gem update --system
gem update
gem cleanup

Why the two calls to gem update? –system will update the RubyGems itself and without that parameter you will only be updating the gems.

Install Rails

Install Rails using Rubygems:

1
gem install rails

Now let’s test the rails installation:

1
2
3
rails /tmp/railstest
cd /tmp/railstest
./script/server

This will start the default WeBrick web server, so open a web browser to http://localhost:3000 If all is well you will see the Ruby on Rails welcome screen. Once you are finished staring at your success, press CTRL + d to kill the web server.

Install Mongrel

Install the build tools:

1
apt-get install build-essential ruby1.8-dev

Install Mongrel:

1
gem install mongrel mongrel_cluster --include-dependencies

Now let’s test the Mongrel installation:

1
2
cd /tmp/railstest
mongrel_rails start

This will start the Mongrel web server (now default), so open a web browser to http://localhost:3000 If all is well you will see the Ruby on Rails welcome screen… again. Now kill the web server.

Configure Mongrel Rails cluster

Add a user for our mongrel cluster:

1
useradd mongrel

Add the group for our mongrel user:

1
groupadd mongrel

Configure the directory security for your application:

1
chown -R mongrel:mongrel /tmp/railstest

Now we need to configure the Rails cluster for the test application. This command will write a YAML file to the config directory in your Rails application so you will only have to enter all these parameters once. After that, simply firing the command mongrel_rails cluster::start will use this configuration:

1
2
3
cd /tmp/railstest
mongrel_rails cluster::configure -e production 
-p 8000 -N 8 --user mongrel --group mongrel

You can reconfigure by running this command and using different parameters, you can also safely delete the YAML file from your config directory to blow these settings away.

Time to start the cluster:

1
2
cd /tmp/railstest
mongrel_rails cluster::start

You should be able to test your application by going to http://localhost:8000. You could also hit any of the 8 ports you have configured.

Install Apache

We have come to the last part of this lengthy installation. Apache. Now, it must be understood that you MUST install Apache 2.2 or higher. The reason for this is the Apache Proxy Balance Module. This module is required to glue all this together and is ONLY available in Apache 2.2 or higher. I am going to build from source on this one because the current version available to me in the apt-get library is not the sufficient version required.

Download Apache, unpack it, and then change to the directory which contains the unpacked files.

1
2
3
wget http://archive.apache.org/dist/httpd/httpd-2.2.3.tar.gz
tar xvfz httpd-2.2.3.tar.gz
cd httpd-2.2.3

Configure the source tree for compiling Apache on your system:

1
2
3
4
5
6
./configure --prefix=/usr/local/apache2 
--enable-mods-shared=all 
--disable-deflate 
--enable-proxy 
--enable-proxy-balancer 
--enable-proxy-http

Build and install using the following commands:

1
2
make
sudo make install

Start Apache and navigate to your server through a browser. You should see the default Apache homepage.

1
sudo /usr/local/apache2/bin/apachectl start

There are several options for configuring and securing Apache that should be considered before taking this setup into production.

In order to configure Apache to serve your Mongrel cluster you will need to add the following to the Apache conf file:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
<Proxy balancer://mongrel_cluster>
BalancerMember http://127.0.0.1:8000
BalancerMember http://127.0.0.1:8001
BalancerMember http://127.0.0.1:8002
BalancerMember http://127.0.0.1:8003
BalancerMember http://127.0.0.1:8004
BalancerMember http://127.0.0.1:8005
BalancerMember http://127.0.0.1:8006
BalancerMember http://127.0.0.1:8007
</Proxy>
 
<VirtualHost yourdomain.com:80>
ServerAdmin yourname@yourdomain.com
ServerName  www.yourdomain.com
ServerAlias yourdomain.com
 
# Indexes + Directory Root.
DirectoryIndex test.html
DocumentRoot /tmp/railstest/public/
 
<Directory "/tmp/railstest/public">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
 
RewriteEngine On
RewriteCond %{HTTP_HOST} ^yourdomain.com$ [NC]
RewriteRule ^(.*)$ http://www. yourdomain.com$1 [R=301,L]
 
# Check for maintenance file and redirect all requests
RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
RewriteCond %{SCRIPT_FILENAME} !maintenance.html
RewriteRule ^.*$ /system/maintenance.html [L]
 
# Rewrite index to check for static
RewriteRule ^/$ /index.html [QSA]
 
# Rewrite to check for Rails cached page
RewriteRule ^([^.]+)$ $1.html [QSA]
 
# Redirect all non-static requests to cluster
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
RewriteRule ^/(.*)$ balancer://mongrel_cluster%{REQUEST_URI} [P,QSA,L]
 
# Logfiles
ErrorLog  /tmp/railstest/log/error.log
CustomLog /tmp/railstest/access.log combined
</VirtualHost>
 
NameVirtualHost yourdomain.com:80

Now, there are 3 pieces to take note of here. First, you need to create a Proxy group for the mongrel cluster we created. Since we created 8 nodes, there are 8 BalancerMembers. Second, you will need a VirtualHost entry for your Rails site (in this case the railstest site we created earlier). And Finally, you have to add the NameVirtualHost entry for your VirtualHost (I can’t tell you how many times I forget that).

That should get you going with a Mongrel Cluster behind Apache Proxy. If you want to setup more than one site, then just create 3 more entries in your Apache conf file. You may want to think about separating the declarations from the main httpd.conf file, but for this example I just wanted to get you going. Have Fun!