RubyGems - dbviewer - Versions diffs - 0.3.4 → 0.3.5 - Mend

dbviewer 0.3.4 → 0.3.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/README.md +56 -19
data/app/controllers/dbviewer/application_controller.rb +8 -4
data/lib/dbviewer/configuration.rb +2 -1
data/lib/dbviewer/version.rb +1 -1
metadata +1 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c368abfe3b3131b1df3b3234e1e560c2cb5f715c035680d3848ff5ff07d99cc3
-  data.tar.gz: 7f9b27e43d86b0181f14d9deceebcb1d6624b22cb51885ab5c3b929814cb97f9
+  metadata.gz: 648be97f775ec9c5d18dabf9ebe90e164d760fde2b1e3c9c9ff2442eb6dba9fe
+  data.tar.gz: f0510fd50eabd5ba176d99e9dd3b66d074d1ccaf6cf15aa43a82beec0e45e923
 SHA512:
-  metadata.gz: 05f35000d4c57ec2e17e0c0fe56d49520add9f0c061debc25f5f6407ec1e52ece7a1d4361c0b92d283135492bc78d86890083e9781a30705ebcddc0fce2e58df
-  data.tar.gz: a76035a207c87105f9331dc4246a133da9941a5a9e435133b80254fc0037578bc69b5dbb17cb40113049ba50625d3a81816df118015446af8e9c368127e481c9
+  metadata.gz: 84bdca42e27ed6dbcf2dfdcdb2756558796b0e2ecc727fa46ffe7fd734bf66d21d5fd76c47d9ae632a003292048c78151a412fcc98c6b33954d2f23cd7b71c19
+  data.tar.gz: 9f1204704614413b211b1814c96660656e03579712015152b3323f9dff0d64caaff5b96017cbbe203ed9a77ce15bc23e0e1d9473143edca14824f1380b925a25

data/README.md CHANGED Viewed

@@ -87,13 +87,24 @@ Rails.application.routes.draw do
   # Your application routes...
   # Mount the DBViewer engine
-  if Rails.env.development?
-    mount Dbviewer::Engine, at: "/dbviewer"
-  end
+  mount Dbviewer::Engine, at: "/dbviewer"
+  # The engine can be mounted in any environment when using Basic Authentication
+end
+```
+Configure Basic Authentication in an initializer to secure access (strongly recommended):
+```ruby
+# config/initializers/dbviewer.rb
+Dbviewer.configure do |config|
+  config.admin_credentials = {
+    username: "your_username",
+    password: "your_secure_password"
+  }
 end
 ```
-Then, visit `/dbviewer` in your browser to access the database viewer.
+Then, visit `/dbviewer` in your browser to access the database viewer. You'll be prompted for your username and password.
 ### Rails API-only Applications
@@ -171,6 +182,9 @@ Dbviewer.configure do |config|
   config.query_logging_mode = :memory                # Storage mode for SQL queries (:memory or :file)
   config.query_log_path = "log/dbviewer.log"         # Path for query log file when in :file mode
   config.max_memory_queries = 1000                   # Maximum number of queries to store in memory
+  # Authentication options
+  config.admin_credentials = { username: "admin", password: "your_secure_password" } # Basic HTTP auth credentials
 end
 ```
@@ -209,37 +223,60 @@ DBViewer includes several security features to protect your database:
 - **Query Limits**: Automatic LIMIT clause added to prevent excessive data retrieval
 - **Pattern Detection**: Detection of SQL injection patterns and suspicious constructs
 - **Error Handling**: Informative error messages without exposing sensitive information
+- **HTTP Basic Authentication**: Protect access with username and password authentication
-## 🌱 Production Access (Not Recommended)
+### Basic Authentication
-By default, DBViewer only runs in development or test environments for security reasons. If you need to access it in production (not recommended):
+You can enable HTTP Basic Authentication to secure access to DBViewer:
-1. Set an environment variable with a secure random key:
+```ruby
+Dbviewer.configure do |config|
+  config.admin_credentials = {
+    username: "your_username",
+    password: "your_secure_password"
+  }
+end
+```
-   ```
-   DBVIEWER_PRODUCTION_ACCESS_KEY=your_secure_random_key
-   ```
+When credentials are provided, all DBViewer routes will be protected by HTTP Basic Authentication.
+Without valid credentials, users will be prompted for a username and password before they can access any DBViewer page.
-2. Add an additional constraint in your routes:
+## 🌱 Production Access
+With the addition of Basic Authentication, DBViewer can now be used in any environment including production. We recommend the following for production deployments:
+1. **Always** enable HTTP Basic Authentication with strong credentials:
    ```ruby
-   if Rails.env.production?
-     constraints ->(req) { req.params[:access_key] == ENV["DBVIEWER_PRODUCTION_ACCESS_KEY"] } do
-       mount Dbviewer::Engine, at: "/dbviewer"
-     end
-   else
-     mount Dbviewer::Engine, at: "/dbviewer"
+   Dbviewer.configure do |config|
+     config.admin_credentials = {
+       username: "unique_username",
+       password: SecureRandom.hex(16)  # Generate a strong random password
+     }
    end
    ```
-3. Access the tool with the override parameter:
+2. Mount the engine in your routes file:
+   ```ruby
+   # In any environment, with Basic Auth protection
+   mount Dbviewer::Engine, at: "/dbviewer"
+   ```
+3. Access the tool through your regular application URL:
    ```
    https://yourdomain.com/dbviewer?override_env_check=your_secure_random_key
    ```
 ## 📝 Security Note
-⚠️ **Warning**: This engine is designed for development purposes. It's not recommended to use it in production as it provides direct access to your database contents. If you must use it in production, ensure it's protected behind authentication and use the production access key mechanism with a strong random key.
+⚠️ **Warning**: This engine provides direct access to your database contents, which contains sensitive information. Always protect it with HTTP Basic Authentication by configuring strong credentials as shown above.
+When used in production, ensure:
+- You use long, randomly generated passwords (e.g., with `SecureRandom.hex(16)`)
+- You access DBViewer over HTTPS connections only
+- Access is limited to trusted administrators only
 ## 🤌🏻 Contributing

data/app/controllers/dbviewer/application_controller.rb CHANGED Viewed

@@ -3,14 +3,18 @@ module Dbviewer
     include Dbviewer::DatabaseOperations
     include Dbviewer::ErrorHandling
-    before_action :ensure_development_environment
+    before_action :authenticate_with_basic_auth
     before_action :set_tables
     private
-    def ensure_development_environment
-      unless Rails.env.development? || Rails.env.test? || params[:override_env_check] == ENV["DBVIEWER_PRODUCTION_ACCESS_KEY"]
-        render plain: "DBViewer is only available in development and test environments for security reasons.", status: :forbidden
+    def authenticate_with_basic_auth
+      return unless Dbviewer.configuration.admin_credentials.present?
+      credentials = Dbviewer.configuration.admin_credentials
+      authenticate_or_request_with_http_basic("DBViewer Authentication") do |username, password|
+        ActiveSupport::SecurityUtils.secure_compare(username, credentials[:username]) &
+        ActiveSupport::SecurityUtils.secure_compare(password, credentials[:password])
       end
     end

data/lib/dbviewer/configuration.rb CHANGED Viewed

@@ -31,7 +31,8 @@ module Dbviewer
     # Maximum number of queries to keep in memory
     attr_accessor :max_memory_queries
-    # Admin access credentials (username, password)
+    # Admin access credentials hash with :username and :password keys
+    # @example { username: 'admin', password: 'secret' }
     attr_accessor :admin_credentials
     def initialize

data/lib/dbviewer/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Dbviewer
-  VERSION = "0.3.4"
+  VERSION = "0.3.5"
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dbviewer
 version: !ruby/object:Gem::Version
-  version: 0.3.4
+  version: 0.3.5
 platform: ruby
 authors:
 - Wailan Tirajoh