Something fairly shocking seems to have happened. Then I looked at Twitter and saw this:
It's bad that devise ships a feature that collects IP addresses.
— アルフォートおじさん (@joker1007) August 14, 2020
That caught my attention, so I looked into it.
Installing Devise
I followed the README as written.
/ip_address_leak # rails generate devise:install
Running via Spring preloader in process 12241
      create  config/initializers/devise.rb
      create  config/locales/devise.en.yml
===============================================================================

Depending on your application's configuration some manual setup may be required:

  1. Ensure you have defined default url options in your environments files. Here
     is an example of default_url_options appropriate for a development environment
     in config/environments/development.rb:

       config.action_mailer.default_url_options = { host: 'localhost', port: 3000 }

     In production, :host should be set to the actual host of your application.

     * Required for all applications. *

  2. Ensure you have defined root_url to *something* in your config/routes.rb.
     For example:

       root to: "home#index"

     * Not required for API-only Applications *

  3. Ensure you have flash messages in app/views/layouts/application.html.erb.
     For example:

       <p class="notice"><%= notice %></p>
       <p class="alert"><%= alert %></p>

     * Not required for API-only Applications *

  4. You can copy Devise views (for customization) to your app by running:

       rails g devise:views

     * Not required *

===============================================================================
Then I edited development.rb:
diff --git a/config/environments/development.rb b/config/environments/development.rb index 698f159..392c0bd 100644 --- a/config/environments/development.rb +++ b/config/environments/development.rb @@ -28,6 +28,8 @@ Rails.application.configure do # Store uploaded files on the local file system (see config/storage.yml for options). config.active_storage.service = :local + config.action_mailer.default_url_options = { host: 'localhost', port: 3000 } + # Don't care if the mailer can't send. config.action_mailer.raise_delivery_errors = false
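Review bot: the `config.action_mailer.default_url_options = { host: 'localhost', port: 3000 }` line added in this hunk only covers config/environments/development.rb; the devise:install output above marks this setting as required for all applications and says `:host` must be the real host in production, so a matching entry in config/environments/production.rb is still needed, otherwise URLs generated in mail will point at localhost.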
Next, rails generate:
/ip_address_leak # rails generate devise User
Running via Spring preloader in process 12271
Deprecation warning: Expected boolean default value for '--orm'; got :active_record (string).
This will be rejected in the future unless you explicitly pass the options `check_default_type: false` or call `allow_incompatible_default_type!` in your code
You can silence deprecations warning by setting the environment variable THOR_SILENCE_DEPRECATION.
      invoke  active_record
      create    db/migrate/20200814154332_devise_create_users.rb
      create    app/models/user.rb
      insert    app/models/user.rb
       route  devise_for :users
/ip_address_leak # rails db:migrate
== 20200814154332 DeviseCreateUsers: migrating ================================
-- create_table(:users)
   -> 0.0129s
-- add_index(:users, :email, {:unique=>true})
   -> 0.0062s
-- add_index(:users, :reset_password_token, {:unique=>true})
   -> 0.0052s
== 20200814154332 DeviseCreateUsers: migrated (0.0246s) =======================
Let's look at User:
/ip_address_leak # bundle exec rails c
Running via Spring preloader in process 51
Loading development environment (Rails 6.0.3.2)
irb(main):001:0> User.last
  User Load (0.8ms)  SELECT "users".* FROM "users" ORDER BY "users"."id" DESC LIMIT $1  [["LIMIT", 1]]
=> nil
irb(main):002:0> User
=> User(id: integer, email: string, encrypted_password: string, reset_password_token: string, reset_password_sent_at: datetime, remember_created_at: datetime, created_at: datetime, updated_at: datetime)
Hmm, there's no IP address column at all...
Let's look at the migration file that was generated:
/ip_address_leak # cat db/migrate/20200814154332_devise_create_users.rb
# frozen_string_literal: true

class DeviseCreateUsers < ActiveRecord::Migration[6.0]
  def change
    create_table :users do |t|
      ## Database authenticatable
      t.string :email,              null: false, default: ""
      t.string :encrypted_password, null: false, default: ""

      ## Recoverable
      t.string   :reset_password_token
      t.datetime :reset_password_sent_at

      ## Rememberable
      t.datetime :remember_created_at

      ## Trackable
      # t.integer  :sign_in_count, default: 0, null: false
      # t.datetime :current_sign_in_at
      # t.datetime :last_sign_in_at
      # t.inet     :current_sign_in_ip
      # t.inet     :last_sign_in_ip

      ## Confirmable
      # t.string   :confirmation_token
      # t.datetime :confirmed_at
      # t.datetime :confirmation_sent_at
      # t.string   :unconfirmed_email # Only if using reconfirmable

      ## Lockable
      # t.integer  :failed_attempts, default: 0, null: false # Only if lock strategy is :failed_attempts
      # t.string   :unlock_token # Only if unlock strategy is :email or :both
      # t.datetime :locked_at

      t.timestamps null: false
    end

    add_index :users, :email,                unique: true
    add_index :users, :reset_password_token, unique: true
    # add_index :users, :confirmation_token,   unique: true
    # add_index :users, :unlock_token,         unique: true
  end
end
The Trackable section is commented out, so by default no IP address is recorded:
      ## Trackable
      # t.integer  :sign_in_count, default: 0, null: false
      # t.datetime :current_sign_in_at
      # t.datetime :last_sign_in_at
      # t.inet     :current_sign_in_ip
      # t.inet     :last_sign_in_ip
IP addresses are, as you'd expect, not recorded by default
Well, of course.
But an old Rails app that did have this enabled would leak them the moment someone carelessly did user.to_json, wouldn't it... yeah...
Tomorrow it could be me...
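To make the to_json concern concrete, here is an added example (not code from this post or from Devise): a plain-Ruby stand-in for a user whose Trackable columns are enabled. It mimics what Devise writes on each sign-in, shows the raw attribute hash exposing both IP columns through to_json, and shows a denylist-style serializable_hash that keeps them out. The class name, column set and denylist are assumptions for the example.

```ruby
require 'json'

# Constructed stand-in for a Devise user whose Trackable columns are enabled.
# Plain Ruby, not ActiveRecord: the column set and the denylist are assumed for
# this example (Devise keeps a comparable exclusion list of its own).
class TrackedUser
  TRACKED = %w[sign_in_count current_sign_in_at last_sign_in_at
               current_sign_in_ip last_sign_in_ip].freeze
  SECRETS = %w[encrypted_password reset_password_token
               reset_password_sent_at remember_created_at].freeze
  EXCLUDED_FROM_JSON = (TRACKED + SECRETS).freeze

  attr_reader :attributes

  def initialize(id, email)
    @attributes = { 'id' => id, 'email' => email,
                    'encrypted_password' => '$2a$12$constructed.hash.value',
                    'sign_in_count' => 0 }
    (TRACKED + SECRETS).each { |col| @attributes[col] ||= nil }
  end

  # Mirrors what Devise's Trackable hook does on every sign-in:
  # current_* rolls into last_*, and the new request's IP is stored.
  def update_tracked_fields!(remote_ip, now = Time.now)
    a = @attributes
    a['last_sign_in_at']    = a['current_sign_in_at'] || now
    a['current_sign_in_at'] = now
    a['last_sign_in_ip']    = a['current_sign_in_ip'] || remote_ip
    a['current_sign_in_ip'] = remote_ip
    a['sign_in_count']     += 1
    self
  end

  # The leak: serialising the raw attribute hash emits both IP columns.
  def unsafe_json
    @attributes.to_json
  end

  # Hardened path: strip tracking and credential columns before to_json,
  # so a careless render json: user cannot expose a visitor's IP history.
  def serializable_hash(except: [])
    blocked = EXCLUDED_FROM_JSON + except.map(&:to_s)
    @attributes.reject { |col, _| blocked.include?(col) }
  end

  def to_json(*args)
    serializable_hash.to_json(*args)
  end
end
```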