Question

For staging, I'd like to password protect everything so I added the code below. However, how can I edit this so it will skip over the webhook controller so I can still test inbound emails on staging?

  config.middleware.insert_after(::Rack::Lock, "::Rack::Auth::Basic", "Staging") do |u, p|
    [u, p] == [ENV["STAGING_USERNAME"], ENV["STAGING_PASSWORD"]]
  end

Solution

I don't think you can do this with `Rack::Auth::Basic`. However, looking at the source, it seems that you can create your own simple authentication mechanism that takes an extra option.

It's the same as Rack::Auth::Basic, except for the call method. Create a file called authenticate_excluding.rb in app/middleware with the following:

class AuthenticateExcluding < ::Rack::Auth::Basic

  def initialize(app, options={}, &authenticator)
    @excluded_paths = options[:exclude]
    super(app, options[:realm], &authenticator)
  end

  def call(env)
    if @excluded_paths && @excluded_paths.include?(env['PATH_INFO'])
      return @app.call(env)
    end
    super
  end
end

You can now use it with:

# The option key must be :exclude, which is what AuthenticateExcluding#initialize reads.
config.middleware.insert_after(::Rack::Lock, "AuthenticateExcluding", exclude: ["/webhooks/service", "/other_hook"]) do |u, p|
  [u, p] == [ENV["STAGING_USERNAME"], ENV["STAGING_PASSWORD"]]
end

That should work. If you also want to enable the realm (the previous "Staging" argument), you can also add realm: "Staging" to the options hash.
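
A hardened variant of the approach in this answer, as an added example that is not part of the original answer or of Rack: it matches excluded paths exactly, compares credentials in constant time, and refuses to start when the credentials are unset. The class name `StagingAuth` and its keyword options are hypothetical, and it is written as plain Rack-compatible middleware so it runs without the rack gem.

```ruby
require "base64"
require "digest"

# Added example (not the answer's code): Basic auth for staging with an
# exact-match path allowlist. Class and option names are hypothetical.
class StagingAuth
  def initialize(app, user:, password:, exclude: [], realm: "Staging")
    # Fail closed: refuse to boot when the credentials are missing or empty.
    raise ArgumentError, "staging credentials not set" if user.to_s.empty? || password.to_s.empty?
    @app, @realm = app, realm
    @expected = Digest::SHA256.digest("#{user}:#{password}")
    @exclude = exclude.map { |p| normalize(p) }
  end

  def call(env)
    # Excluded paths skip authentication; everything else needs valid credentials.
    return @app.call(env) if @exclude.include?(normalize(env["PATH_INFO"]))
    return @app.call(env) if authorized?(env["HTTP_AUTHORIZATION"])
    [401, { "content-type" => "text/plain", "www-authenticate" => %(Basic realm="#{@realm}") }, ["Unauthorized\n"]]
  end

  private

  # Exact match after dropping one trailing slash; no prefix matching, so
  # "/webhooks/service/admin" stays protected.
  def normalize(path)
    path = path.to_s
    path.length > 1 ? path.chomp("/") : path
  end

  def authorized?(header)
    scheme, encoded = header.to_s.split(" ", 2)
    return false unless scheme&.casecmp?("basic") && encoded
    supplied = Digest::SHA256.digest(Base64.decode64(encoded))
    # Constant-time comparison over fixed-length digests.
    diff = 0
    supplied.bytes.zip(@expected.bytes) { |a, b| diff |= a ^ b }
    diff.zero?
  end
end

# Constructed demo values, not real credentials.
if __FILE__ == $0
  app = ->(_env) { [200, {}, ["ok"]] }
  mw = StagingAuth.new(app, user: "stage", password: "s3cret", exclude: ["/webhooks/service"])
  p mw.call("PATH_INFO" => "/webhooks/service").first       # 200
  p mw.call("PATH_INFO" => "/webhooks/service/admin").first # 401
end
```

Requests to excluded paths reach the app with no credentials check from this middleware, so the webhook controller has to authenticate the sender itself.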

OTHER TIPS

I found that I could easily solve the issue by just including the staging username and password in the webhook URL.

"If this URL requires HTTP Basic Auth, enter http://USERNAME:PASSWORD@YOUR_URL into the url field." - Codeship.io

This is easy to do with rack/private as you can specify an exception like so:

use Rack::Private, :code => ENV["STAGING_PASSWORD"] do
  except '/webhooks/service'
end

You can also specify HTTP methods as well if required.

The only problem is that you don't have a username AND password, just a secret code. I don't know if that meets your needs?

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow