In a highly surprising twist, `host_authorization` protection does not get removed when using `disable :protection`. Additionally, `disable :protection` for some reason is not in the `configure do` but in the "root" meta definition of the app.
Regardless of that, however - it seems not to be possible to disable the host authorization, which makes it impossible to proxy to a Sinatra app via ngrok. Developing rapid-iteration APIs with Sinatra is a major use case, and regardless of "people will always forget to configure ..." this should not be a separate, compulsory, disconnected setting that disabling protections does not touch.
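To get the protection to disengage on my setup, I had to do this:
```ruby
require 'sinatra/base'

class OGApp < Sinatra::Base
  disable :protection
  # No-op override of the class-level hook, so host authorization is never set up.
  def self.setup_host_authorization(*)
    self
  end
end
```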
I do understand why this may be enabled by default, but the way it is not subject to `protection` is not great.
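
For readers unfamiliar with the check being bypassed above, here is an added example (not part of the original post, and not Sinatra's or rack-protection's own code): a minimal Rack-style middleware that forwards a request only when its `Host` header is on an allow-list, so a tunnel hostname can be permitted explicitly. The class name `HostAllowList`, the leading-dot suffix rule, and the hostname `my-tunnel.example.test` are assumptions made for illustration.

```ruby
# Illustrative Host allow-list middleware (hypothetical; no gems required).
class HostAllowList
  # permitted: exact names ("localhost") or suffix rules with a leading dot
  # (".example.test" matches example.test and any subdomain of it).
  def initialize(app, permitted)
    @app = app
    @permitted = permitted.map(&:downcase)
  end

  def call(env)
    host = self.class.hostname(env['HTTP_HOST'])
    return @app.call(env) if host && permitted?(host)

    # Missing, malformed or unlisted Host header: refuse before the app runs.
    [403, { 'content-type' => 'text/plain' }, ["Host not permitted\n"]]
  end

  def permitted?(host)
    @permitted.any? do |rule|
      if rule.start_with?('.')
        host == rule[1..-1] || host.end_with?(rule)
      else
        host == rule
      end
    end
  end

  # Lowercase the header, drop an optional :port and trailing dot,
  # and return nil for anything that does not look like a hostname.
  def self.hostname(header)
    return nil if header.nil?

    m = header.strip.downcase.match(/\A([a-z0-9.-]+|\[[0-9a-f:.]+\])(?::\d+)?\z/)
    m && m[1].chomp('.')
  end
end

# Constructed sample: a trivial downstream app and a dev allow-list that
# names the local host plus one specific tunnel hostname.
DEMO_APP = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }
DEMO_GUARD = HostAllowList.new(DEMO_APP, ['localhost', 'my-tunnel.example.test'])
```

Listing the one tunnel hostname keeps every other `Host` value rejected, which a no-op override does not.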