
Conversation

@flavorjones
Member

The check is unnecessary once users have logged in, and its presence on some unauthenticated pages is blocking things like:

  • image proxy requests for user avatars (emails)
  • opengraph requests for public pages (social media)

ref: https://app.fizzy.do/5986089/cards/1775
ref: https://app.fizzy.do/5986089/cards/1740

cc @jzimdars

@@ -1,4 +1,6 @@
class SessionsController < ApplicationController
allow_browser versions: :modern
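Review bot: the hunk adds `allow_browser versions: :modern` to SessionsController but does not show the matching removal from ApplicationController; if the base class still declares it, this duplicates the check rather than relocating it, so include (or point to) that deletion in the PR. The description should also spell out the consequence of moving it: any flow that establishes a session without passing through this controller (the session transfer and join-code paths raised in review) gets no browser check at all, which is fine only because the check is a compatibility gate that answers 406, not an authorization control.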
Contributor

monorkin commented Nov 22, 2025


I'm not sure if this is the right approach.
People can also transfer their sessions or join through a join code which would skip this controller.

allow_browser should already allow bots through - https://github.com/rails/rails/blob/8aebd0b50738ed8709ae80ef5aa839824a8f2b13/actionpack/lib/action_controller/metal/allow_browser.rb#L98

This might be a bug in UserAgent, or maybe Google changed their bots?
Or maybe Cloudflare blocks the bot?

Member Author


UserAgent does not consider the image proxy to be a bot. Its bot check is very rudimentary and the maintainer has resisted expanding it in the couple of PRs I looked at.

Cloudflare is not blocking the bot, I pasted a screenshot of the 406 in one of the cards.

Member Author


I put this branch in staging last night and now avatars are working as expected in emails from staging.

@dhh
Member

dhh commented Nov 22, 2025

This is the default location for this setting in Rails. So I'd rather see if there's a way we can fix the check so it allows these bots through.

@flavorjones
Member Author

@dhh there is a 10-year-old pull request open on useragent to add support for google image proxy:

gshutler/useragent#33

The bot check is very rudimentary and not easily extensible by rails without monkeypatching:

https://github.com/gshutler/useragent/blob/680915aa9e271592fac15d9853da1ff5e589da06/lib/user_agent/browsers/base.rb#L67-L90

I will open a pull request upstream with another approach, but at this point I do think we need to do what we need to do for a good launch.
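To make the point of the two comments above concrete (the image proxy is not recognised as a bot, and the substring-style bot check is hard to extend), here is an added example that is not code from Rails, the useragent gem, this PR, or either fork. It models the shape of an `allow_browser versions: :modern` decision: bots pass, clients that report no recognisable browser version pass, and only a recognised browser below its minimum is refused with 406. The version thresholds, the `DEFAULT_BOT_MARKERS` list, the `gate_decision` function and every user-agent string in `SAMPLE_CLIENTS` are assumptions constructed for the example, not captured traffic or the gem's real tables.

```ruby
# Added example (not from Rails, useragent, or this PR): a small model of a
# browser gate in the style of `allow_browser versions: :modern`, showing why a
# fetcher that carries an old browser token but no recognised bot marker ends
# up with a 406, and how an explicit allow-list changes the outcome.

# Minimum major versions the gate accepts. Illustrative numbers, not Rails' table.
MINIMUM_VERSIONS = { "Chrome" => 120, "Firefox" => 121, "Safari" => 17, "Edge" => 120 }.freeze

# Substrings whose presence marks the client as a bot that bypasses the version
# check. Deliberately narrow, mirroring the "rudimentary" check discussed above.
DEFAULT_BOT_MARKERS = %w[bot crawler spider facebookexternalhit].freeze

ParsedUA = Struct.new(:browser, :major_version, :bot, keyword_init: true)

# Tiny UA parser: recognises the mainstream browser tokens and nothing else.
# Order matters: Chrome UAs also carry "Safari/", Edge UAs also carry "Chrome/".
def parse_user_agent(ua, bot_markers: DEFAULT_BOT_MARKERS)
  lowered = ua.downcase
  bot = bot_markers.any? { |marker| lowered.include?(marker.downcase) }
  browser, major =
    case ua
    when %r{Edg/(\d+)}                  then ["Edge", $1.to_i]
    when %r{Chrome/(\d+)}               then ["Chrome", $1.to_i]
    when %r{Firefox/(\d+)}              then ["Firefox", $1.to_i]
    when %r{Version/(\d+)\S* .*Safari/} then ["Safari", $1.to_i]
    else [nil, nil]
    end
  ParsedUA.new(browser: browser, major_version: major, bot: bot)
end

# Gate decision in the same shape as the Rails check: bots pass, unidentified
# clients pass, and a recognised browser below its minimum version is blocked.
def gate_decision(ua, bot_markers: DEFAULT_BOT_MARKERS)
  parsed = parse_user_agent(ua, bot_markers: bot_markers)
  return :allowed_bot if parsed.bot
  return :allowed_unidentified if parsed.browser.nil?
  parsed.major_version >= MINIMUM_VERSIONS.fetch(parsed.browser) ? :allowed_modern : :blocked_406
end

# Constructed sample clients (assumptions for the example, not captured traffic).
SAMPLE_CLIENTS = {
  desktop_chrome: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 " \
                  "(KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36",
  # An image proxy presenting an old Firefox token plus a "via ..." suffix; the
  # host name in the suffix is made up.
  image_proxy:    "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko Firefox/11.0 (via imageproxy.example)",
  unfurler:       "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)",
  curl:           "curl/8.5.0",
}.freeze

# Run every sample through the gate with a given marker list.
def audit(bot_markers: DEFAULT_BOT_MARKERS)
  SAMPLE_CLIENTS.transform_values { |ua| gate_decision(ua, bot_markers: bot_markers) }
end

if __FILE__ == $PROGRAM_NAME
  puts "default markers:    #{audit.inspect}"
  puts "with proxy marker:  #{audit(bot_markers: DEFAULT_BOT_MARKERS + ['imageproxy.example']).inspect}"
end
```

With the default markers the image proxy is the only sample that gets `:blocked_406`: it looks like Firefox 11 to the parser and carries none of the bot substrings, while `curl` passes simply because it reports no recognised browser at all. Adding the proxy's own marker to the list flips it to `:allowed_bot`, which is the kind of allow-list change the upstream gem does not expose without patching.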

@flavorjones
Member Author

flavorjones commented Nov 22, 2025

Looks like we've already forked useragent (https://github.com/basecamp/useragent), which is used in HEY, BC3, and Writebook, to handle:

  • Baidu
  • Edge
  • HeadlessChrome

I guess I'll also try to update our fork, too.

@flavorjones
Member Author

Superseded by #1726 and changes applied to our useragent fork.

@flavorjones flavorjones deleted the flavorjones/allow-avatar-requests branch November 25, 2025 21:31