Reputation: 495
I want to pass a resource in a request, for example:
# Go to payment link
<%= link_to 'Payment', checkout_path(pricing: amount.id) %>
When I go to the payment link, the URL path is the following:
http://localhost:3000/checkout?pricing=amount_2aHUHuhdn23jnSJd
I'd like to hide the query string "pricing=amount_2aHUHuhdn23jnSJd" without having to use any gem.
UPDATE QUESTION 31/12
This request is of type GET since I need to show the different prices to the user; that's why the parameter is passed (pricing: amount.id):
<%= link_to 'Payment', checkout_path(pricing: amount.id) %>
get 'checkout', to: 'subscriptions#checkout'
I'd appreciate your time and your grain of sand
Upvotes: 1
Views: 377
Reputation: 106932
When the value is sensitive then hiding the value doesn't really fix the problem. Instead, I would suggest encrypting the value in the URL or using another non-sensitive value instead.
You could use Rails MessageEncryptor to encrypt the value before passing it to the URL and decrypt it later in the controller again.
# in app/models/url_encrypter.rb
module URLEncrypter
  # The key is the first 32 characters of secret_key_base
  ENCRYPTOR = ActiveSupport::MessageEncryptor.new(
    Rails.application.secrets.secret_key_base.first(32)
  )

  # Make the methods callable as URLEncrypter.encrypt / URLEncrypter.decrypt
  module_function

  def encrypt(value)
    ENCRYPTOR.encrypt_and_sign(value, purpose: :url)
  end

  def decrypt(value)
    ENCRYPTOR.decrypt_and_verify(value, purpose: :url)
  end
end

# when building the URL
<%= link_to 'Payment', checkout_path(pricing: URLEncrypter.encrypt(amount.id)) %>

# when reading the param in the controller
pricing = URLEncrypter.decrypt(params[:pricing])
amount = Amount.find(pricing)
Here you add a second unique identifier to your database table, for example, a column named uuid which you could populate automatically in a before_save callback with self.uuid = SecureRandom.uuid. You can then use its value instead of the id like this:
# when building the URL
<%= link_to 'Payment', checkout_path(pricing: amount.uuid) %>
# when reading the param in the controller
amount = Amount.find_by(uuid: params[:pricing])
Upvotes: 2
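Added example (not part of the answer above, and not Rails' own implementation): a standard-library stand-in for the encrypt/decrypt approach in that answer, using AES-256-GCM so it runs without Rails. The UrlToken module, the demo key and binding the purpose as associated data are assumptions of this example; it shows the token staying URL-safe and a tampered, malformed or wrong-purpose value decrypting to nil.

```ruby
require "openssl"

# Hypothetical helper for this example; not the MessageEncryptor API.
module UrlToken
  # Constructed demo key (32 bytes); a real app derives it from a server-side secret.
  DEMO_KEY = OpenSSL::Digest::SHA256.digest("constructed-demo-secret")
  IV_LEN = 12   # AES-GCM nonce size
  TAG_LEN = 16  # AES-GCM authentication tag size

  module_function

  # Returns base64url(iv || tag || ciphertext); the purpose is bound as GCM associated data.
  def encrypt(value, purpose:, key: DEMO_KEY)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = key
    iv = cipher.random_iv # fresh nonce per token, so equal ids give different tokens
    cipher.auth_data = purpose.to_s
    ciphertext = cipher.update(value.to_s) + cipher.final
    [iv + cipher.auth_tag + ciphertext].pack("m0").tr("+/", "-_").delete("=")
  end

  # Returns the plaintext, or nil for a malformed, tampered or wrong-purpose token.
  def decrypt(token, purpose:, key: DEMO_KEY)
    b64 = token.to_s.tr("-_", "+/")
    raw = (b64 + "=" * (-b64.length % 4)).unpack1("m0") # strict decode, raises on junk
    return nil if raw.bytesize <= IV_LEN + TAG_LEN
    decipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    decipher.key = key
    decipher.iv = raw.byteslice(0, IV_LEN)
    decipher.auth_tag = raw.byteslice(IV_LEN, TAG_LEN)
    decipher.auth_data = purpose.to_s
    body = raw.byteslice(IV_LEN + TAG_LEN, raw.bytesize)
    (decipher.update(body) + decipher.final).force_encoding("UTF-8")
  rescue ArgumentError, OpenSSL::Cipher::CipherError
    nil
  end
end

# A controller would treat nil like a missing record rather than passing it to a finder.
if __FILE__ == $PROGRAM_NAME
  token = UrlToken.encrypt("amount_2aHUHuhdn23jnSJd", purpose: :url) # id taken from the question
  puts "checkout?pricing=#{token}"
  puts UrlToken.decrypt(token, purpose: :url).inspect
  puts UrlToken.decrypt(token.reverse, purpose: :url).inspect
end
```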
Reputation: 356
You could store it in the Session.
Store it when the user enters the page, clear it when user clicks a link.
# SomeController#before_payment
session[:pricing] = amount.id
#then..
# CheckoutController#index
pricing = session[:pricing]
session[:pricing] = nil
Be careful because it will only live within the session. It will be stored as a cookie, and have a 4kb limit for data.
Upvotes: 2
Reputation: 160
I'm not quite sure what you mean without seeing your routes.rb file. As mentioned by @Deepak Kumar, to hide the query from your URL you should use a POST request. Have a look at this guide. You can add the line below to your routes.rb:
post 'payment', to: 'checkout#payment'
This will call the Payment action from your CheckoutsController.
Upvotes: 0