Can Devise in its default configuration leak IP addresses?

note.jp

Something pretty shocking seems to have happened. And when I looked at Twitter...

This caught my attention, so I looked into it.

Installing Devise

Let's follow the README as written.


/ip_address_leak # rails generate devise:install
Running via Spring preloader in process 12241
      create  config/initializers/devise.rb
      create  config/locales/devise.en.yml
===============================================================================

Depending on your application's configuration some manual setup may be required:

  1. Ensure you have defined default url options in your environments files. Here
     is an example of default_url_options appropriate for a development environment
     in config/environments/development.rb:

       config.action_mailer.default_url_options = { host: 'localhost', port: 3000 }

     In production, :host should be set to the actual host of your application.

     * Required for all applications. *

  2. Ensure you have defined root_url to *something* in your config/routes.rb.
     For example:

       root to: "home#index"
     
     * Not required for API-only Applications *

  3. Ensure you have flash messages in app/views/layouts/application.html.erb.
     For example:

       <p class="notice"><%= notice %></p>
       <p class="alert"><%= alert %></p>

     * Not required for API-only Applications *

  4. You can copy Devise views (for customization) to your app by running:

       rails g devise:views
       
     * Not required *

===============================================================================

Then edit development.rb

diff --git a/config/environments/development.rb b/config/environments/development.rb
index 698f159..392c0bd 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -28,6 +28,8 @@ Rails.application.configure do
   # Store uploaded files on the local file system (see config/storage.yml for options).
   config.active_storage.service = :local
 
+  config.action_mailer.default_url_options = { host: 'localhost', port: 3000 }
+
   # Don't care if the mailer can't send.
   config.action_mailer.raise_delivery_errors = false
 
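Review bot: this hunk only covers development; the devise:install output above says that in production :host must be set to the application's actual host, so a matching config.action_mailer.default_url_options entry belongs in config/environments/production.rb as well, otherwise the links Devise puts in password-reset and confirmation mail will be generated against localhost.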

Next, rails generate


/ip_address_leak # rails generate devise User
Running via Spring preloader in process 12271
Deprecation warning: Expected boolean default value for '--orm'; got :active_record (string).
This will be rejected in the future unless you explicitly pass the options `check_default_type: false` or call `allow_incompatible_default_type!` in your code
You can silence deprecations warning by setting the environment variable THOR_SILENCE_DEPRECATION.
      invoke  active_record
      create    db/migrate/20200814154332_devise_create_users.rb
      create    app/models/user.rb
      insert    app/models/user.rb
       route  devise_for :users

/ip_address_leak # rails db:migrate
== 20200814154332 DeviseCreateUsers: migrating ================================
-- create_table(:users)
   -> 0.0129s
-- add_index(:users, :email, {:unique=>true})
   -> 0.0062s
-- add_index(:users, :reset_password_token, {:unique=>true})
   -> 0.0052s
== 20200814154332 DeviseCreateUsers: migrated (0.0246s) =======================

Let's look at User

/ip_address_leak # bundle exec rails c
Running via Spring preloader in process 51
Loading development environment (Rails 6.0.3.2)
irb(main):001:0> User.last
  User Load (0.8ms)  SELECT "users".* FROM "users" ORDER BY "users"."id" DESC LIMIT $1  [["LIMIT", 1]]
=> nil
irb(main):002:0> User
=> User(id: integer, email: string, encrypted_password: string, reset_password_token: string, reset_password_sent_at: datetime, remember_created_at: datetime, created_at: datetime, updated_at: datetime)

Hm, it doesn't have any IP address columns at all...

Let's look at the migration file that was generated

/ip_address_leak # cat db/migrate/20200814154332_devise_create_users.rb 
# frozen_string_literal: true

class DeviseCreateUsers < ActiveRecord::Migration[6.0]
  def change
    create_table :users do |t|
      ## Database authenticatable
      t.string :email,              null: false, default: ""
      t.string :encrypted_password, null: false, default: ""

      ## Recoverable
      t.string   :reset_password_token
      t.datetime :reset_password_sent_at

      ## Rememberable
      t.datetime :remember_created_at

      ## Trackable
      # t.integer  :sign_in_count, default: 0, null: false
      # t.datetime :current_sign_in_at
      # t.datetime :last_sign_in_at
      # t.inet     :current_sign_in_ip
      # t.inet     :last_sign_in_ip

      ## Confirmable
      # t.string   :confirmation_token
      # t.datetime :confirmed_at
      # t.datetime :confirmation_sent_at
      # t.string   :unconfirmed_email # Only if using reconfirmable

      ## Lockable
      # t.integer  :failed_attempts, default: 0, null: false # Only if lock strategy is :failed_attempts
      # t.string   :unlock_token # Only if unlock strategy is :email or :both
      # t.datetime :locked_at


      t.timestamps null: false
    end

    add_index :users, :email,                unique: true
    add_index :users, :reset_password_token, unique: true
    # add_index :users, :confirmation_token,   unique: true
    # add_index :users, :unlock_token,         unique: true
  end
end

The Trackable section is commented out, so by default IP addresses are not recorded.

      ## Trackable
      # t.integer  :sign_in_count, default: 0, null: false
      # t.datetime :current_sign_in_at
      # t.datetime :last_sign_in_at
      # t.inet     :current_sign_in_ip
      # t.inet     :last_sign_in_ip

Naturally, IP addresses are not recorded by default. You only get them if you opt in: uncomment the Trackable columns before migrating and add :trackable to the devise call in app/models/user.rb, at which point Devise fills current_sign_in_ip and last_sign_in_ip from the request's remote IP on each sign-in.

github.com

Well, of course.

But an older Rails app that did enable this and then carelessly does something like user.to_json would leak them, yeah... ActiveRecord's to_json serializes every column unless you pass only:/except:, so current_sign_in_ip and last_sign_in_ip go out with the rest.
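As an added example (not code from this post, and not Devise's own), here is a plain-Ruby illustration of the last two points: a hash standing in for a User row on which the Trackable columns from the migration above have been enabled, the naive to_json that leaks them next to an allowlist version, and a check that scans a JSON response for the sensitive column names and for bare IPv4 literals. The column names are the ones from the migration; the row values, SENSITIVE_COLUMNS and PUBLIC_COLUMNS are this example's own assumptions, and the two IPs are documentation-range addresses made up for the demo.

```ruby
require "json"
require "ipaddr"

# Constructed stand-in for a users row after the Trackable block in the
# generated migration was uncommented. Column names match that migration;
# every value here is made up for the example.
TRACKED_USER = {
  "id"                     => 42,
  "email"                  => "alice@example.com",
  "encrypted_password"     => "$2a$12$abcdefghijklmnopqrstuv",  # bcrypt-shaped placeholder
  "reset_password_token"   => nil,
  "reset_password_sent_at" => nil,
  "remember_created_at"    => nil,
  "sign_in_count"          => 17,
  "current_sign_in_at"     => "2020-08-14T15:43:32Z",
  "last_sign_in_at"        => "2020-08-10T09:01:05Z",
  "current_sign_in_ip"     => "203.0.113.7",     # TEST-NET-3, constructed
  "last_sign_in_ip"        => "198.51.100.23",   # TEST-NET-2, constructed
  "created_at"             => "2019-01-01T00:00:00Z",
  "updated_at"             => "2020-08-14T15:43:32Z",
}.freeze

# Columns that must never reach a client. Assumed list for this example;
# Devise does not ship such a list. The Recoverable and Trackable names
# come straight from the migration above.
SENSITIVE_COLUMNS = %w[
  encrypted_password reset_password_token reset_password_sent_at
  current_sign_in_ip last_sign_in_ip
].freeze

# What a client is actually entitled to see. Assumed for this example.
PUBLIC_COLUMNS = %w[id email created_at].freeze

# The "before": same shape as calling user.to_json on the record, which
# serializes every attribute.
def naive_user_json(user)
  JSON.generate(user)
end

# The "after": an explicit allowlist, the plain-Ruby equivalent of
# user.as_json(only: PUBLIC_COLUMNS) in Rails.
def public_user_json(user)
  JSON.generate(user.slice(*PUBLIC_COLUMNS))
end

# Response check: walk a JSON document (nested objects and arrays included)
# and return the sensitive keys it exposes, in document order, de-duplicated.
# Usable as a test assertion or as a scanner over captured API responses.
def leaked_keys(json_text, sensitive = SENSITIVE_COLUMNS)
  walk = lambda do |node, found|
    case node
    when Hash
      node.each do |key, value|
        found << key if sensitive.include?(key)
        walk.call(value, found)
      end
    when Array
      node.each { |value| walk.call(value, found) }
    end
    found
  end
  walk.call(JSON.parse(json_text), []).uniq
end

# Second, name-independent check: pull out anything that parses as an IPv4
# address, so a renamed column still gets caught.
def ip_literals(text)
  text.scan(/\b(?:\d{1,3}\.){3}\d{1,3}\b/)
      .select { |candidate| (IPAddr.new(candidate) rescue false) }
      .uniq
end

if $PROGRAM_NAME == __FILE__
  before = naive_user_json(TRACKED_USER)
  after  = public_user_json(TRACKED_USER)
  puts "to_json leaks:     #{leaked_keys(before).inspect} / IPs #{ip_literals(before).inspect}"
  puts "allowlist leaks:   #{leaked_keys(after).inspect} / IPs #{ip_literals(after).inspect}"
end
```

In a real Rails app the same allowlist belongs in a serializer or an `as_json(only: ...)` override on the model rather than at every call site, and the `leaked_keys` / `ip_literals` pair makes a cheap request-spec assertion over any endpoint that renders users.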

Tomorrow it could be me...