MiniProfiler's Built in route is returning 404 on production #462

Open
yuta17 opened this issue Sep 9, 2020 · 8 comments

yuta17 commented Sep 9, 2020

I want to use built in route on production.

But /rack-mini-profiler/requests route is returning 404. Any ideas?

It's running on Ruby on Rails.

# Gemfile
gem 'rack-mini-profiler'

# config/initializers/rack_mini_profiler.rb

# When in whitelist mode, the following lines are not reached.
# https://github.com/MiniProfiler/rack-mini-profiler/blob/master/lib/mini_profiler/profiler.rb#L347-L355
Rack::MiniProfiler.config.authorization_mode = :allow_all

@coreypmurphy

Running a rails 5, ruby 2.6 API that returns JSON to React frontend.

Experiencing similar behavior, however setting the authorization_mode to ":allow_all" in the initializer works for me.

Using ":whitelist" should enforce (per the docs) whitelisting on a per controller/action basis when running in production env. I'm attempting to control access to profiling using the recommended approach of a "before_action" in the application controller which authorizes the profile request if the current_user is an admin. Production env returns a 404 when accessing the "/rack-mini-profiler/requests" route.

Summary:

:whitelist option in the initializer, used in conjunction with a before_action to allow access is not working as expected in production env and returns a 404 for the built in profiling route.

@SamSaffron
Member

@OsamaSayegh any ideas about what is going on here?

jules2689 commented Dec 26, 2020

I am also seeing this on a Rails 6.1 application, vanilla ERB frontend, Ruby 2.6.
My only config was:

  before_action do
    if Rails.env.development? || current_user&.admin?
      Rack::MiniProfiler.authorize_request
    end
  end

And in the initializer:

require "rack-mini-profiler"
Rack::MiniProfilerRails.initialize!(Rails.application)

if Rails.env.production?
  redis_url = ENV["REDISCLOUD_URL"] || ENV["REDIS_URL"]
  Rack::MiniProfiler.config.storage_options = { url: redis_url }
  Rack::MiniProfiler.config.storage = Rack::MiniProfiler::RedisStore
end

This is on Heroku. In another issue I saw that changing to filestore helped. The 404 went away, but so did rack profiler 🙃

@OsamaSayegh
Collaborator

@yuta17 @coreypmurphy @jules2689 sorry for the late response here. I have a question for you: if you visit any route of your application, does Mini Profiler's speed badge show up at all? In other words, is it only the /rack-mini-profiler/requests route that responds with 404? If the speed badge does show up, can you try immediately visiting the /rack-mini-profiler/requests route and see if it works?

jules2689 commented Jan 4, 2021

It had been showing up for me somewhat sporadically @OsamaSayegh, but I ended up removing it from my project for now. I can try adding it back in the near future though

summera commented Jan 8, 2021

Any update on this? I'm seeing the same thing. @OsamaSayegh I'm configuring this with :whitelist locally and to answer your questions:

> does Mini Profiler's speed badge show up at all?

Nope, not with authorization_mode set to :whitelist which is causing the response to retrieving the JS (http://localhost:3000/mini-profiler-resources/includes.js) to be a 404 for some reason.

> is it only the /rack-mini-profiler/requests route that responds with 404? If the speed badge does show up, can you try immediately visiting the /rack-mini-profiler/requests route and see if it works?

Opening the JS (http://localhost:3000/mini-profiler-resources/includes.js) in a new tab works but for some reason the rails app client gets a 404 when loading a rails view.

@sergiopatricio

Also bumped into this when running some tests. My understanding is that the code for /rack-mini-profiler/requests is never reached because the request itself is not being profiled.

As explained in https://github.com/MiniProfiler/rack-mini-profiler#access-control-in-non-development-environments, by default profiling needs to be enabled per request (when authorization_mode is allow_authorized, the default in production env). And I think there's no way of enabling it for /rack-mini-profiler/requests (with the current code).

My solution for this was to create my own blank page, which was also under internal authentication, and ensure Rack::MiniProfiler.authorize_request was called.

Another thing to consider is that with allow_authorized there's some filtering associated with the __profilin cookie. Initially, I was not seeing the results from my API frontend, I had to ensure that the API client was sending the same cookie I had in my custom blank page.

@nateberkopec
Collaborator

I think @sergiopatricio has explained the issue.

To resolve this issue:

We should implement a better way for users who only use /rack-mini-profiler/requests to authorize this request when authorization_mode is allow_authorized.
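
The gating @sergiopatricio describes, and his blank-page workaround, as an added example that is not part of the thread or of rack-mini-profiler: a simplified plain-Ruby model in which `ProfilerGate`, the random token and the `/internal/profiler` page are hypothetical stand-ins. It shows why the built-in route returns 404 until an authorized page has issued the `__profilin` cookie, and what `:allow_all` exposes instead.

```ruby
require "securerandom"

# Simplified model of the gate described in the thread; NOT rack-mini-profiler's code.
# ProfilerGate, the token format and /internal/profiler are hypothetical names.
class ProfilerGate
  BUILT_IN = "/rack-mini-profiler/requests"
  COOKIE   = "__profilin"

  def initialize(app, authorization_mode: :allow_authorized)
    @app   = app
    @mode  = authorization_mode
    @token = SecureRandom.hex(16) # unguessable, so the cookie cannot be forged
  end
  # Stand-in for Rack::MiniProfiler.authorize_request, called from app code.
  def self.authorize_request(env)
    env["profiler.authorized"] = true
  end

  def call(env)
    sent    = env["HTTP_COOKIE"].to_s[/(?:\A|;\s*)#{COOKIE}=([^;]*)/, 1]
    trusted = @mode == :allow_all || sent == @token
    # Trusted clients get the built-in route here, before any app code runs.
    return [200, {}, ["profiled requests"]] if trusted && env["PATH_INFO"] == BUILT_IN
    status, headers, body = @app.call(env) # untrusted: falls through to the app
    headers = headers.merge("set-cookie" => "#{COOKIE}=#{@token}") if env["profiler.authorized"]
    [status, headers, body]
  end
end

# Constructed app: one blank admin-only page; every other path is a 404.
APP = lambda do |env|
  admin = env["HTTP_COOKIE"].to_s.include?("session=admin") # constructed session check
  return [404, {}, ["Not Found"]] unless admin && env["PATH_INFO"] == "/internal/profiler"
  ProfilerGate.authorize_request(env)
  [200, {}, [""]]
end

def get(stack, path, cookie = nil)
  stack.call({ "PATH_INFO" => path, "HTTP_COOKIE" => cookie })
end

# Returns the status codes an admin sees before and after the workaround.
def walk_through(mode = :allow_authorized)
  stack  = ProfilerGate.new(APP, authorization_mode: mode)
  before = get(stack, ProfilerGate::BUILT_IN, "session=admin")[0]
  issued = get(stack, "/internal/profiler", "session=admin")[1]["set-cookie"]
  after  = get(stack, ProfilerGate::BUILT_IN, "session=admin; #{issued}")[0]
  forged = get(stack, ProfilerGate::BUILT_IN, "#{ProfilerGate::COOKIE}=guess")[0]
  { before: before, after: after, forged: forged }
end
```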
