Reputation: 3671
I am upgrading an existing application to Rails 5.2.
Old application is using Paperclip for file storage and I am trying to move that to ActiveStorage.
My app exposes an API that allows users to securely upload files (using key/secret pairs to sign requests).
When I installed ActiveStorage I found several new routes:
rails_service_blob GET /rails/active_storage/blobs/:signed_id/*filename(.:format) active_storage/blobs#show
rails_blob_representation GET /rails/active_storage/representations/:signed_blob_id/:variation_key/*filename(.:format) active_storage/representations#show
rails_disk_service GET /rails/active_storage/disk/:encoded_key/*filename(.:format) active_storage/disk#show
update_rails_disk_service PUT /rails/active_storage/disk/:encoded_token(.:format) active_storage/disk#update
rails_direct_uploads POST /rails/active_storage/direct_uploads(.:format) active_storage/direct_uploads#create
How can I disable those routes so they do not allow random uploads to my app?
Upvotes: 8
Views: 2880
Reputation: 494
To securely remove all ActiveStorage routes without side effects, add this to config/application.rb:
class Application < Rails::Application
  ...
  # Runs after Rails has collected every engine's config/routes.rb path,
  # and drops the ActiveStorage gem's routes file before the router loads it.
  initializer(:remove_activestorage_routes, after: :add_routing_paths) do |app|
    app.routes_reloader.paths.delete_if { |path| path =~ /activestorage/ }
  end
  ...
end
I advise against replacing require 'rails/all' in config/application.rb with a list of Rails gems grabbed from the Rails source code, which is often recommended.
Upvotes: 15
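As an added check (example code written for this answer, not code from the question or the answer above), the script below mirrors the answer's path filter on a constructed routes_reloader path list and then audits `rails routes` output to confirm no route is still served by an active_storage/ controller. It assumes the gem lives in a directory named activestorage or activestorage-<version>, and matches on that rather than the bare word, so an application whose own directory name contains "activestorage" keeps its routes.

```ruby
# Added example: simulate the initializer's filter and audit the remaining routes.
# All paths and route lines below are constructed samples.

Route = Struct.new(:name, :verb, :path, :controller_action)

# Mirrors the initializer, anchored on the gem's config/routes.rb so that an
# application directory containing "activestorage" is not pruned by accident.
def prune_activestorage_route_paths(paths)
  paths.reject { |path| path =~ %r{/activestorage(-\d[\w.]*)?/config/routes\.rb\z} }
end

# Parses `rails routes` text: "<name> <verb> <path> <controller#action>" per line,
# skipping the header row; unnamed routes have only three columns.
def parse_routes(output)
  rows = output.each_line.map(&:split).reject { |cols| cols.empty? || cols.first == "Prefix" }
  rows.map do |cols|
    cols = [""] + cols if cols.size == 3 # unnamed route: verb, path, controller#action
    Route.new(*cols)
  end
end

# Names of routes still handled by ActiveStorage controllers. A non-empty result
# after deploying the initializer means the removal did not take effect.
def active_storage_routes(output)
  parse_routes(output)
    .select { |r| r.controller_action.start_with?("active_storage/") }
    .map(&:name)
end

# Constructed routes_reloader.paths: the app, the gem, and a decoy app directory.
SAMPLE_ROUTE_PATHS = [
  "/srv/myapp/config/routes.rb",
  "/usr/local/bundle/gems/activestorage-5.2.0/config/routes.rb",
  "/srv/activestorage-migration/config/routes.rb"
].freeze

# Constructed `rails routes` output before the initializer is in place.
SAMPLE_ROUTES_BEFORE = <<~ROUTES.freeze
  Prefix Verb URI Pattern Controller#Action
  api_uploads POST /api/uploads(.:format) api/uploads#create
  rails_service_blob GET /rails/active_storage/blobs/:signed_id/*filename(.:format) active_storage/blobs#show
  rails_blob_representation GET /rails/active_storage/representations/:signed_blob_id/:variation_key/*filename(.:format) active_storage/representations#show
  rails_disk_service GET /rails/active_storage/disk/:encoded_key/*filename(.:format) active_storage/disk#show
  update_rails_disk_service PUT /rails/active_storage/disk/:encoded_token(.:format) active_storage/disk#update
  rails_direct_uploads POST /rails/active_storage/direct_uploads(.:format) active_storage/direct_uploads#create
ROUTES

if __FILE__ == $PROGRAM_NAME
  puts "kept route files: #{prune_activestorage_route_paths(SAMPLE_ROUTE_PATHS).inspect}"
  puts "ActiveStorage routes still present: #{active_storage_routes(SAMPLE_ROUTES_BEFORE).inspect}"
end
```

Run the audit against real `rails routes` output after deploying the initializer; the expected result is an empty list.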