A lightweight library for encoding/decoding Rails request parameters.
signed_params are protected against tampering and safe to share with the internet. Great for generating sharable links and/or mitigating web scrapers.
Battle-tested at Hansa. Developed at Primevise.
Simply add the gem to your Gemfile by running the following command:

    $ bundle add signed_params

After you have the gem installed, include the functionality in app/controllers/application_controller.rb:

    class ApplicationController < ActionController::Base
      include SignedParams::Concern
    end

Tip: You can also include the concern only in the controllers you see fit. Adding the concern to the ApplicationController is a "forget about it" approach.
You can encode your parameters with a sign_param helper method. To have params decoded automatically, list them in the has_signed_params class method.

    class RecordsController < ApplicationController
      has_signed_params :record_ids, only: :index

      def index
        # The record_ids param is automatically decoded
        @records = Record.find(params[:record_ids])
      end

      def new_public_link
        record_ids = Record.last(8).pluck(:id)
        encoded_record_ids = sign_params(record_ids)
        # Your controller action logic that generates shareable public links
      end
    end

Caution: Avoid exposing sensitive data while using signed_params. Your application should still implement proper authentication and authorization.
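Why the caution holds, as an added example (not the gem's or ActiveSupport's code): a signature makes a value tamper-evident, not secret. This stdlib-only Ruby model of HMAC signing uses hypothetical demo_* helpers, a constructed secret and constructed record ids, and assumes JSON serialization with HMAC-SHA256.

```ruby
require "openssl"
require "json"

# Constructed demo secret; a real app loads its secret from the environment.
DEMO_SECRET = "constructed-demo-secret"

# Hypothetical helper: JSON-serialize, Base64-encode, append an HMAC-SHA256 tag.
def demo_sign(value, secret)
  data = [JSON.generate(value)].pack("m0")
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA256', secret, data)}"
end

# Compare two strings without stopping at the first differing byte.
def demo_secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical helper: the decoded value, or nil when the tag does not match.
def demo_verify(token, secret)
  data, tag = token.to_s.split("--", 2)
  return nil if data.nil? || tag.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, data)
  return nil unless demo_secure_equal?(tag, expected)
  JSON.parse(data.unpack1("m0"))
rescue ArgumentError, JSON::ParserError
  nil
end

# Reading the payload needs no secret: the data part is only Base64.
def demo_peek(token)
  JSON.parse(token.split("--", 2).first.unpack1("m0"))
end

# Replace the payload but keep the old tag, as an edited link would.
def demo_tamper(token, new_value)
  "#{[JSON.generate(new_value)].pack('m0')}--#{token.split('--', 2).last}"
end

if __FILE__ == $PROGRAM_NAME
  token = demo_sign([101, 102, 103], DEMO_SECRET) # constructed record ids
  puts "verified:  #{demo_verify(token, DEMO_SECRET).inspect}"
  puts "peeked:    #{demo_peek(token).inspect}"
  puts "tampered:  #{demo_verify(demo_tamper(token, [1, 2, 3]), DEMO_SECRET).inspect}"
  puts "wrong key: #{demo_verify(token, 'other-secret').inspect}"
end
```

The peek succeeds without the secret while the edited and wrong-key tokens are rejected, so a signed link can hide nothing from whoever holds it and still needs authorization checks on the records it names.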
signed_params uses Rails' ActiveSupport::MessageVerifier under the hood to encode the params. You can adjust the secret used for encoding by adding an initializer.
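
    SignedParams.configure do |config|
      # The literal fallback is a placeholder: set SIGNED_PARAMS_ENCODING_SECRET
      # in every real environment so links are never signed with a known string.
      config.verifier_secret = ENV["SIGNED_PARAMS_ENCODING_SECRET"] || "my-strong-and-private-signing-secret"
    end

The gem is available as open source under the terms of the MIT License.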