wwwhisper is an add-on for authorizing access to Node.js, Ruby on Rails and other Ruby Rack based applications on Heroku.
The add-on provides a web interface to specify emails of users that are allowed to access your application. Each visitor is presented with a login prompt, Persona is used to smoothly and securely prove that a visitor owns an allowed email. Persona works out of a box with any modern browser. It removes the need for site-specific passwords, making passwords management a non-issue for you.
Integration with wwwhisper service is provided via Ruby Rack and Node.js Connect middlewares. This minimizes integration cost, there is no need to modify your application code and explicitly call wwwhisper API.
You can visit a demo site authorized by the wwwhisper add-on. The site is configured to allow everyone access, but still require authorization.
wwwhisper can be attached to a Heroku application via the CLI.
$ heroku addons:add wwwhisper:starter[or basic or plus] [--admin=your_email]
--admin is an optional parameter that specifies who should be
allowed to initially access the application. If --admin is not
given, or if the add-on is provisioned via Heroku web UI, your Heroku
application owner email is used. Later you can use the wwwhisper admin
site to grant access to others.
Once the add-on has been added a WWWHISPER_URL setting will be
available in the app configuration and will contain the URL to
communicate with the wwwhisper service. This can be confirmed using the
heroku config:get command.
$ heroku config:get WWWHISPER_URL
https://user:password@domain
All Ruby applications need to add the following entry into their
Gemfile.
gem 'rack-wwwhisper', '~> 1.0'And then update application dependencies with bundler.
$ bundle install
###Enabling wwwhisper middleware for a Rails application
For a Rails application put the following line at the end of
config/environments/production.rb.
config.middleware.insert 0, "Rack::WWWhisper"The line makes wwwhisper the first middleware in the Rack middleware chain. You can take a look at a commit that enabled wwwhisper for a Rails based Typo blog.
###Enabling wwwhisper middleware for other Rack based application
For other Rack based applications add the following two lines to the
config.ru.
require 'rack/wwwhisper'
use Rack::WWWhisperYou can take a look at a commit that enabled wwwhisper for a Sinatra application.
Order of Rack middleware matters. Authorization should be performed early, before any middleware that produces sensitive responses is invoked. Rails allows to check middleware order with a command.
RAILS_ENV=production; foreman run rake middleware
wwwhisper by default inserts an iframe to HTML responses. The iframe contains an email of a currently logged in user and a logout button. If Rack is configured to compress responses, compression middleware should be put before wwwhisper, otherwise the iframe won't be inserted.
$ git commit -m "Enable wwwhisper authorization" -a
$ git push heroku master
Visit https://yourapp-name.herokuapp.com/ you should be presented
with a login page. Sign-in with your email. Visit
https://yourapp-name.herokuapp.com/wwwhisper/admin/ to specify which
locations can be accessed by which visitors and which (if any) should
be open to everyone.
It is usually convenient to disable wwwhisper authorization for a
local development environment. If your application uses a separate
config file for development (for example
config/environments/development.rb in case of Rails) you don't need
to do anything, otherwise you need to set WWWHISPER_DISABLE=1
environment variable.
If you use Foreman to start a local server, execute the following command in the application directory.
$ echo WWWHISPER_DISABLE=1 >> .env
If you don't use Foreman, execute.
$ export WWWHISPER_DISABLE=1
To use the wwwhisper service locally, use the wwwhisper admin to allow
logins from a local address. Go to the Site settings menu and add
the local address (for example http://localhost:8080) to the list of
allowed addresses. Next, copy the WWWHISPER_URL variable from the
Heroku config to your local config. If you use Foreman, execute.
$ echo WWWHISPER_URL=`heroku config:get WWWHISPER_URL` >> .env
warning Credentials and other sensitive configuration values should not be committed to source-control. In Git exclude the .env file with:
echo .env >> .gitignore.
If you don't use Foreman, execute.
$ export WWWHISPER_URL=`heroku config:get WWWHISPER_URL`
wwwhisper works with Node.js applications that use Express or Connect
frameworks. Node version 0.10.x is required. To configure the add-on,
add the following line into the dependencies section of the
package.json.
"connect-wwwhisper": "*",Next, add the following lines to the application main source file.
var wwwhisper = require('connect-wwwhisper');
// app holds a reference to express or connect framework, it
// may be named differently in your source file.
app.use(wwwhisper());
// Alternatively, if you don't want wwwhisper to insert
// a logout iframe into HTML responses use.
app.use(wwwhisper(false));Make sure wwwhisper middleware is put before any middleware that produces sensitive responses. You can take a look at a commit that enabled wwwhisper for an Express application.
wwwhisper can be removed via the CLI.
warning This will destroy all associated data and cannot be undone!
$ heroku addons:remove wwwhisper
wwwhisper service stores emails of users allowed to access your application. The emails are used ONLY to authorize access to the application. The service does not send any messages to the email addresses, emails are not disclosed to third parties.
wwwhisper does not store information which users accessed which locations of your application.
wwwhisper support and runtime issues should be submitted via one of the Heroku Support channels. Please CC [email protected].
Any non-support related issues or product feedback is welcome at [email protected]. Issues and feature requests related to wwwhisper project in general and not limited to the add-on can be also reported via github.
- For maximum security access wwwhisper protected applications over HTTPS.
- Your application can retrieve an email of authenticated user from a
Rack environment variable
REMOTE_USER. - wwwhisper authorizes access to content served by a Heroku application. If you put sensitive content on external servers that do not require authorization (for example public Amazon S3 bucket), wwwhisper won't be able to restrict access to such content.
- wwwhisper is open source, see [the project repository] (https://github.com/wrr/wwwhisper) for a detailed explanation of how it works.