This add-on is operated by Jan Wrobel
Restrict access to your app without passwords
Last updated 09 October 2019
Table of Contents
The add-on provides a web interface to specify emails of users that are allowed to access your web application. Each visitor is presented with a login prompt and asked to enter his or her email address. A link with an access token is sent to the entered email. The link is valid for 30 minutes and for a single successful login. If the visitor owns an email address that is allowed to access the application, opening the link grants access and establishes a browser session that is valid for 30 days or until the access is revoked.
Integration with wwwhisper service is provided via Ruby Rack and Node.js Connect middleware. This minimizes integration cost. There is no need to modify your application code and explicitly call the wwwhisper API.
Provisioning the add-on
wwwhisper can be attached to a Heroku application via the CLI.
$ heroku addons:create wwwhisper:solo[or team or plus] [--admin=your_email]
--admin is an optional parameter that specifies who should be
allowed to initially access the application. If
--admin is not
given, or if the add-on is provisioned via Heroku web UI, your Heroku
application owner email is used. Later you can use the wwwhisper admin
site to grant access to others.
Once the add-on has been added a
WWWHISPER_URL setting will be
available in the app configuration and will contain the URL to
communicate with the wwwhisper service. This can be confirmed using the
heroku config:get command.
$ heroku config:get WWWHISPER_URL https://user:password@domain
Using with Ruby on Rails or other Rack based applications
All Ruby applications need to add the following entry into their
gem 'rack-wwwhisper', '~> 1.0'
And then update application dependencies with bundler.
$ bundle install
Enabling wwwhisper middleware for a Rails application
For a Rails application put the following line at the end of
config.middleware.insert 0, Rack::WWWhisper
The line makes wwwhisper the first middleware in the Rack middleware chain. You can take a look at a commit that enabled wwwhisper for a Rails based Typo blog.
Enabling wwwhisper middleware for other Rack based application
For other Rack based applications add the following two lines to the
require 'rack/wwwhisper' use Rack::WWWhisper
You can take a look at a commit that enabled wwwhisper for a Sinatra application.
Rack middleware order
Order of Rack middleware matters. Authorization should be performed early, before any middleware that produces sensitive responses is invoked. Rails allows to check middleware order with a command.
RAILS_ENV=production; heroku local:run rake middleware
wwwhisper by default inserts an iframe to HTML responses. The iframe contains an email of a currently logged in user and a logout button. If Rack is configured to compress responses, compression middleware should be put before wwwhisper, otherwise the iframe won’t be inserted.
Push the configuration and test the authorization
$ git commit -m "Enable wwwhisper authorization" -a $ git push heroku master
https://yourapp-name.herokuapp.com/ you should be presented
with a login page. Sign-in with your email. Visit
https://yourapp-name.herokuapp.com/wwwhisper/admin/ to specify which
locations can be accessed by which visitors and which (if any) should
be open to everyone.
Disable wwwhisper locally
It is usually convenient to disable wwwhisper authorization for a
local development environment. If your application uses a separate
config file for development (for example
config/environments/development.rb in case of Rails) you don’t need
to do anything, otherwise you need to set
If you use Heroku Local to start a local server, execute the following command in the application directory.
$ echo WWWHISPER_DISABLE=1 >> .env
$ export WWWHISPER_DISABLE=1
Use wwwhisper locally
To use the wwwhisper service locally, use the wwwhisper admin to allow
logins from a local address. Go to the
Site settings menu and add
the local address (for example
http://localhost:8080) to the list of
allowed addresses. Next, copy the
WWWHISPER_URL variable from the
Heroku config to your local config.
If you use Heroku Local, execute.
$ echo WWWHISPER_URL=`heroku config:get WWWHISPER_URL` >> .env
Credentials and other sensitive configuration values should not be committed to source-control. In Git exclude the .env file with:
echo .env >> .gitignore.
$ export WWWHISPER_URL=`heroku config:get WWWHISPER_URL`
Using with Node.js
wwwhisper works with Node.js applications that use Express or Connect
frameworks. To configure the add-on, add the following line into the
dependencies section of the
Next, add the following lines to the application main source file.
var wwwhisper = require('connect-wwwhisper'); // app holds a reference to express or connect framework, it // may be named differently in your source file. app.use(wwwhisper()); // Alternatively, if you don't want wwwhisper to insert // a logout iframe into HTML responses use. app.use(wwwhisper(false));
Make sure wwwhisper middleware is put before any middleware that produces sensitive responses. You can take a look at a commit that enabled wwwhisper for an Express application.
Push the configuration and test the authorization
Removing the add-on
wwwhisper can be removed via the CLI.
This will destroy all associated data and cannot be undone!
$ heroku addons:destroy wwwhisper
wwwhisper support and runtime issues should be submitted via one of the Heroku Support channels. Please CC firstname.lastname@example.org.
Any non-support related issues or product feedback is welcome at email@example.com. Issues and feature requests can be also reported via github.
- It is recommended to access wwwhisper protected applications over HTTPS.
- wwwhisper authorizes access to content served by your Heroku application. If you put sensitive content on external servers that do not require authorization (for example public Amazon S3 bucket), wwwhisper won’t be able to restrict access to such content.
- wwwhisper is open source, see the project repository for a detailed explanation of how it works.