Rails app inaccessible to users outside of internal company network after Rails 6.1 to 7 upgrade


Recently upgraded a RoR app from Ruby 2.6/Rails 6.1 to Ruby 3.1.4/Rails 7.0.8, hosted on-premises (let's say https://www.company.com/ourapp).

Right after the release, almost all of the pages were inaccessible to users on external networks (not on the company.com internal domain). However, we devs using PCs either on-premises or on the company VPN had no issues accessing those pages. This immediately makes me wonder if this is some default Rails 7 config for domain/security issues that I missed during the upgrade.

We did change config.load_defaults directly from 6.1 to 7.0. During verification, everything worked (but in hindsight, all of us testing were using on-premises, internal-network machines, which could never simulate the external user situation).

The logging for this legacy app we got handed is pretty shite, so observability is suboptimal, and that's why it's been a pain to debug. The only errors we could get out of the logs were 422s related to InvalidAuthenticityToken errors and NoMethodError (undefined method 'new_entry' for Dalli Cache). But if it truly were a cache serialize/format issue or CSRF token issue, then internal-network users would also have gotten the same error! So logically, it cannot be that, right?

I am totally at a loss here. Hoping some Rails gurus out there can offer some much-needed insight!

FWIW, this is the initializers/cors.rb file, in case this is somehow related:

```ruby
Rails.application.config.middleware.insert_before(0, Rack::Cors, logger: (-> { Rails.logger })) do
  allowed_methods = %i[get post put options]

  # Rule 1: HTTPS only, a single-label subdomain of company.<tld> (e.g. https://www.company.com)
  allow do
    origins %r{\Ahttps://[^.]+\.company\.[A-Za-z/]+\z}
    resource '*', headers: :any, methods: allowed_methods
  end

  # Rule 2: HTTP or HTTPS, two labels below company.<tld>, port allowed (e.g. https://app.eu.company.com:8443)
  allow do
    origins %r{\A(http|https)://[^.]+\.[^.]+\.company\.[A-Za-z:0-9/]+\z}
    resource '*', headers: :any, methods: allowed_methods
  end

  # Rule 3: any other origin, read-only (GET/OPTIONS)
  allow do
    origins '*'
    resource '*', headers: :any, methods: %i[get options]
  end
end
```

Some gem versions we use as mentioned here:

```ruby
gem 'dalli', '2.7.11'
gem 'rack-cors', '1.1.1'
```
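Added diagnostic example, not code from the question: it replays the three origin rules from the cors.rb above against constructed Origin values, assuming rack-cors' first-matching-rule semantics (a Regexp origin matches with the regexp, '*' matches anything), so you can see exactly which callers each rule grants which methods.

```ruby
# Replays the origin rules from initializers/cors.rb (copied from the question)
# against constructed origins. Rule matching is assumed to mirror rack-cors:
# the first rule whose origin pattern matches wins.
CORS_RULES = [
  { origins: %r{\Ahttps://[^.]+\.company\.[A-Za-z/]+\z},                   methods: %i[get post put options] },
  { origins: %r{\A(http|https)://[^.]+\.[^.]+\.company\.[A-Za-z:0-9/]+\z}, methods: %i[get post put options] },
  { origins: '*',                                                           methods: %i[get options] },
].freeze

# First rule whose origin pattern matches `origin`, or nil when none does
# (in which case the browser would receive no Access-Control-Allow-* headers).
def matching_rule(origin)
  CORS_RULES.find do |rule|
    pattern = rule[:origins]
    pattern == '*' || pattern.match?(origin)
  end
end

# HTTP methods a cross-origin caller from `origin` is permitted; [] if no rule matches.
def allowed_methods_for(origin)
  rule = matching_rule(origin)
  rule ? rule[:methods] : []
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample origins: internal-looking and external-looking callers.
  # Note that an explicit port or plain http drops a one-label host out of Rule 1
  # and into the read-only catch-all.
  %w[https://www.company.com https://www.company.com:443 http://intranet.company.com
     https://app.eu.company.com https://partner.example.net].each do |origin|
    puts format('%-32s -> %s', origin, allowed_methods_for(origin).inspect)
  end
end
```

CORS only governs how browsers treat cross-origin scripted requests (XHR/fetch); a top-level navigation to https://www.company.com/ourapp is never blocked by it, so this file alone cannot explain whole pages being unreachable from outside the network.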
