Authenticate static files with Devise?


I have a static Jekyll support page on my site served in /public/support. The main Rails app is behind Devise - the whole thing. If you are not authenticated you get kicked back to the login. Can I 'hide' this static site behind the Devise authentication - i.e. only allow access to the static pages when authenticated?


Solution

  • I ended up finding this:

    https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/

    In my NGINX config I have this:

      location /support {
        auth_request /auth;
        auth_request_set $auth_status $upstream_status;
        error_page 403 https://$host;
      }
    

    In my application controller I have:

    before_action :authenticate_user!, except: :auth
    

    This bypasses Devise.

    In routes:

    get '/auth', to: 'errors#auth'
    

    It just made sense to add it to my existing custom errors controller.

    Then in the controller:

      def auth
        user_signed_in? ? render(status: 200, layout: :blank) : render(status: 403, layout: :blank)
      end
    

    The blank layout has no content - just a <%= yield %>.

    If the user has an open Devise session they can access the support site; otherwise they get redirected to the login page (default for Devise).
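The answer shows only the protected location. A fuller sketch of the subrequest setup described in the linked NGINX guide follows; it is an added example, not the poster's configuration. The upstream address `127.0.0.1:3000` and the document root `/srv/app/public` are assumed placeholders.

```nginx
# Added example: these blocks go inside the site's existing server { } block.
# Assumed placeholders: Rails on 127.0.0.1:3000, static files in /srv/app/public.

# Protected static site. nginx issues a subrequest to /auth before serving
# any file; the browser's Cookie header is forwarded with it, so Rails sees
# the Devise session.
location /support {
    auth_request     /auth;
    auth_request_set $auth_status $upstream_status;
    error_page 403   https://$host;      # denied users are sent to the app
    root             /srv/app/public;    # nginx serves the files itself
    index            index.html;
}

# Subrequest target. "internal" makes the location unreachable from outside,
# so clients cannot probe the session check directly through nginx.
location = /auth {
    internal;
    proxy_pass              http://127.0.0.1:3000/auth;
    proxy_pass_request_body off;          # the check needs headers only
    proxy_set_header        Content-Length "";
    proxy_set_header        Host $host;
    proxy_set_header        X-Forwarded-Proto $scheme;
    proxy_set_header        X-Original-URI $request_uri;
}

# Everything else goes to the Rails app as before.
location / {
    proxy_pass       http://127.0.0.1:3000;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
}
```

`auth_request` allows the request on a 2xx response, denies it on 401 or 403, and treats any other status as an error. A Devise redirect from `/auth` would therefore surface as a 500 rather than a denial, which is why the action must be exempt from `authenticate_user!` and return 403 itself.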