Gate the site behind HTTP Basic Auth for pre-release (#33)

kcdragon · claude · web-flow · commit c75dac795d6f · 2026-06-13T00:04:50.000+02:00
The app is deployed but not ready for public release, so add a coarse
shared-password lock in front of the whole site, on top of the existing
session auth.

- ApplicationController runs http_basic_authenticate_with in production
  only, reading credentials from Rails encrypted credentials. The /up
  health check is unaffected (Rails::HealthController doesn't inherit it),
  so Kamal proxy health checks keep working.
- Store the basic_auth username/password in environment-specific
  production credentials (config/credentials/production.yml.enc).
- .kamal/secrets pulls RAILS_MASTER_KEY (the production key) from
  1Password with an env-var fallback.
- Ignore config/credentials/*.key so the production key is never committed.

Co-authored-by: Claude Opus 4.8 &lt;noreply@anthropic.com&gt;
diff --git a/.gitignore b/.gitignore
@@ -40,3 +40,7 @@
 /app/assets/builds/*
 !/app/assets/builds/.keep
 /.idea
+
+# Ignore key files for decrypting credentials and more.
+/config/credentials/*.key
+
diff --git a/.kamal/secrets b/.kamal/secrets
@@ -16,8 +16,9 @@
 # Grab the registry password from ENV
 # KAMAL_REGISTRY_PASSWORD=$KAMAL_REGISTRY_PASSWORD
 
-# Improve security by using a password manager. Never check config/master.key into git!
-RAILS_MASTER_KEY=$(cat config/master.key)
+# Decrypts config/credentials/production.yml.enc. Read the production key from
+# 1Password on the laptop; falls back to the env var if `op` is unavailable.
+RAILS_MASTER_KEY=$(op read "op://Personal/Community Foundations/keys/PRODUCTION" 2>/dev/null || printenv RAILS_MASTER_KEY)
 
 # GHCR personal access token (write:packages/read:packages). Read from 1Password
 # on the laptop; falls back to the env var if `op` is unavailable.
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -1,4 +1,14 @@
 class ApplicationController < ActionController::Base
+  # Pre-release lock: gate the whole site behind a shared HTTP Basic password.
+  # Runs before tenant/session resolution. Production only; the /up health check
+  # is unaffected because Rails::HealthController does not inherit from here.
+  if Rails.env.production?
+    http_basic_authenticate_with(
+      name: Rails.application.credentials.dig(:basic_auth, :username),
+      password: Rails.application.credentials.dig(:basic_auth, :password)
+    )
+  end
+
   include SetCurrentOrganization # resolves Current.organization first
   include Authentication # then resumes the session / Current.user
 
diff --git a/config/credentials/production.yml.enc b/config/credentials/production.yml.enc
@@ -0,0 +1 @@
+97luwAcQGslJIAFEcWNvbdiLnvhLy9ny+kayvBRiXK83C3BtpBFggxRuc2V4uZWeU00+PRBLPN6aQWSk/1wEtRvyl7I5eFRkS7ThCfKc51dJilEm7R2e4ENHV3pN+jQB9oxRIeKE2TYBtIZaMKpmt7bWbvpkN+9qKl0BjnIa0AbkX8/LmAzK5crUsm75HbSaW7f7244WpQ/vjWcuICH8BE+6E4MX0ketNeS9hi3YMD/Ry6vs+oSMTTb4uPT50QugZMfbSz/pLVJHKcnIUtpxmV4ocUOFCSuJOV5ehAuzDRv4au/xwvP+84/pVzenW/a61BShaS0/KziqbFD6BN99du4E4lUkb0yhHxainSIVqB1iBlV38h3iWSerytxSYTJRk7nH1dx9MxGwftdMdbNGMVygHO4HL4ppdEz6sp4=--UBnYSBFV6lXze2Ay--sDdwbw7FX5+HMnpVK/18Aw==

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+97luwAcQGslJIAFEcWNvbdiLnvhLy9ny+kayvBRiXK83C3BtpBFggxRuc2V4uZWeU00+PRBLPN6aQWSk/1wEtRvyl7I5eFRkS7ThCfKc51dJilEm7R2e4ENHV3pN+jQB9oxRIeKE2TYBtIZaMKpmt7bWbvpkN+9qKl0BjnIa0AbkX8/LmAzK5crUsm75HbSaW7f7244WpQ/vjWcuICH8BE+6E4MX0ketNeS9hi3YMD/Ry6vs+oSMTTb4uPT50QugZMfbSz/pLVJHKcnIUtpxmV4ocUOFCSuJOV5ehAuzDRv4au/xwvP+84/pVzenW/a61BShaS0/KziqbFD6BN99du4E4lUkb0yhHxainSIVqB1iBlV38h3iWSerytxSYTJRk7nH1dx9MxGwftdMdbNGMVygHO4HL4ppdEz6sp4=--UBnYSBFV6lXze2Ay--sDdwbw7FX5+HMnpVK/18Aw==`