Rails security via ember

Jedrin

Feb 4, 2015, 1:09:51 PM
to rubyonra...@googlegroups.com

There is a Rails app that serves an ember.js application via rails-ember, and another site that has the data. Once the ember app is running it gets ember-data from a data server. In a couple of cases it can also do PUTs to the data server via ember-data model.save() calls.

The ember app on a PUT does an HTTP OPTIONS method. For some reason the OPTIONS method does not have the api_key that the other methods typically have.

 Here are changes I made to the rails data server: 

============

application.rb in config:

# here I tried to add a specific rule for PUT, but it did not seem to work ?
# so my rule is very general, allowing any PUT for now
# ..
# ..

config.middleware.use Rack::Cors do
  allow do
    allowed_origins = (ENV['CORS_ORIGINS'] || '').split(',')
    origins(*allowed_origins)
    resource '*', headers: :any, methods: [:get, :options, :put]

    # !!! separate rule not working ?
    # resource '*/comments/*', headers: :any, methods: [:get, :options, :put]
  end
end

##########################

# in my app controller I do not check for a logged-in user for an OPTIONS
# method, as I am not sure why it does not get an api_key

class ApplicationController < ActionController::Base
  protect_from_forgery

  before_filter :authenticate!

  def authenticate!
    unless request.method.eql?('OPTIONS')
      unless current_user
        render json: { error: 'Unauthorized access' }, status: 401
      end
    end
  end
end

#########################

# in one of my other controllers that gets a preflight OPTIONS
# method from ember, I did the following:


skip_before_filter :verify_authenticity_token, :only => [:options]


#########################

If anyone has any comments on how this may work as a solution, how to improve it etc., that would be appreciated. Thanks.
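An added example, not code from the post above and not from rack-cors: a self-contained Rack-style handler in plain Ruby (a method that takes a Rack env hash and returns [status, headers, body], so it runs without Rails or the rack-cors gem) showing why the OPTIONS request arrives without an api_key and how to handle it. A browser-generated CORS preflight never carries the application's custom request headers, so it cannot be authenticated; the handler answers it without authentication, but only when the request really is a preflight (it has Origin and Access-Control-Request-Method) and only for an allowlisted origin, and it authenticates the actual PUT with the X-Api-Key header. The header name X-Api-Key, the origin allowlist and the key table are assumptions constructed for the example.

```ruby
require 'json'

# Constructed sample data for the example (assumptions, not the post's config).
ALLOWED_ORIGINS = ['https://ember.example.com'].freeze
VALID_API_KEYS  = { 'k3y-for-ember' => 'user-42' }.freeze # api key -> user id
ALLOWED_METHODS = %w[GET PUT OPTIONS].freeze
ALLOWED_HEADERS = 'Content-Type, X-Api-Key'.freeze

# A CORS preflight is an OPTIONS request that the browser sends with an Origin
# and an Access-Control-Request-Method header. A bare OPTIONS without those is
# not a preflight and gets no special treatment.
def preflight?(env)
  env['REQUEST_METHOD'] == 'OPTIONS' &&
    env.key?('HTTP_ORIGIN') &&
    env.key?('HTTP_ACCESS_CONTROL_REQUEST_METHOD')
end

def origin_allowed?(env)
  ALLOWED_ORIGINS.include?(env['HTTP_ORIGIN'])
end

# Headers that tell the browser the cross-origin call is permitted. Vary: Origin
# keeps caches from serving one origin's answer to another.
def cors_headers(origin)
  {
    'Access-Control-Allow-Origin'  => origin,
    'Access-Control-Allow-Methods' => ALLOWED_METHODS.join(', '),
    'Access-Control-Allow-Headers' => ALLOWED_HEADERS,
    'Vary'                         => 'Origin'
  }
end

# Rack-style entry point: env hash in, [status, headers, body] out.
def handle(env)
  if preflight?(env)
    # The browser attaches no custom headers (and so no api_key) to a preflight,
    # so it cannot be authenticated. Answering it is safe because it performs no
    # action; it only tells the browser whether the real request may be sent.
    return [403, {}, ['origin not allowed']] unless origin_allowed?(env)
    requested = env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']
    return [403, {}, ['method not allowed']] unless ALLOWED_METHODS.include?(requested)
    return [204, cors_headers(env['HTTP_ORIGIN']), []]
  end

  # The actual request carries the api key in a custom header. That header is
  # what triggered the preflight, and a plain HTML form cannot set it, so the
  # check also covers the cross-site request forgery case that the Rails CSRF
  # token would otherwise guard against.
  user = VALID_API_KEYS[env['HTTP_X_API_KEY']]
  return [401, {}, [{ error: 'Unauthorized access' }.to_json]] unless user

  headers = { 'Content-Type' => 'application/json' }
  if env.key?('HTTP_ORIGIN') && origin_allowed?(env)
    headers.merge!(cors_headers(env['HTTP_ORIGIN']))
  end
  body = { method: env['REQUEST_METHOD'], path: env['PATH_INFO'], user: user }
  [200, headers, [body.to_json]]
end

# Walk through the exchange the post describes: preflight, then the real PUT.
if __FILE__ == $PROGRAM_NAME
  origin = 'https://ember.example.com'
  p handle('REQUEST_METHOD' => 'OPTIONS', 'PATH_INFO' => '/comments/1',
           'HTTP_ORIGIN' => origin, 'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'PUT')
  p handle('REQUEST_METHOD' => 'PUT', 'PATH_INFO' => '/comments/1',
           'HTTP_ORIGIN' => origin, 'HTTP_X_API_KEY' => 'k3y-for-ember')
end
```

Two points the example makes that the posted config does not: the authentication skip is limited to genuine preflights rather than every OPTIONS request, and an origin outside the allowlist gets no Access-Control-Allow-Origin header at all, which is what makes the browser refuse to send the PUT. With the posted config, an empty CORS_ORIGINS yields an empty origins list, so no cross-origin request is allowed until the variable is set.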