author | DJ Mountney <david@twkie.net> | 2016-05-11 17:27:08 -0700 |
---|---|---|
committer | DJ Mountney <david@twkie.net> | 2016-05-11 17:27:08 -0700 |
commit | c8f23bd2edc19f968446b149120df1f7798eb4b1 (patch) | |
tree | 1b922eff4ebae5350ce4d44417877ef05993bfa1 /app/controllers/health_check_controller.rb | |
parent | 0e0caf4d17c28b6b0f3488b25efa265ce2804cc4 (diff) | |
download | gitlab-ce-c8f23bd2edc19f968446b149120df1f7798eb4b1.tar.gz |
Support token header for health check token, and general cleanup of the health_check feature.
Diffstat (limited to 'app/controllers/health_check_controller.rb')
-rw-r--r-- | app/controllers/health_check_controller.rb | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/app/controllers/health_check_controller.rb b/app/controllers/health_check_controller.rb
index b974489836f..037da7d2bce 100644
--- a/app/controllers/health_check_controller.rb
+++ b/app/controllers/health_check_controller.rb
@@ -1,13 +1,22 @@
 class HealthCheckController < HealthCheck::HealthCheckController
 before_action :validate_health_check_access!
- protected
+ private
 def validate_health_check_access!
- return render_404 unless params[:token].presence && params[:token] == current_application_settings.health_check_access_token
+ render_404 unless token_valid?
+ end
+
+ def token_valid?
+ token = params[:token].presence || request.headers['TOKEN']
+ token.present? &&
+ ActiveSupport::SecurityUtils.variable_size_secure_compare(
+ token,
+ current_application_settings.health_check_access_token
+ )
 end
 def render_404
- render file: Rails.root.join("public", "404"), layout: false, status: "404"
+ render file: Rails.root.join('public', '404'), layout: false, status: '404'
 end
 end
|
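Review bot: In `token_valid?`, the value taken from `params[:token]` reaches `variable_size_secure_compare` without a type check, so an array- or hash-valued `token` parameter passes `present?` and will probably raise inside the digest call, turning the intended 404 into a 500. The same would happen if `health_check_access_token` were ever nil, which this hunk cannot rule out. Guarding both operands keeps the check failing closed: assign `expected = current_application_settings.health_check_access_token` and return `token.is_a?(String) && expected.present? && ActiveSupport::SecurityUtils.variable_size_secure_compare(token, expected)`. Separately, the query parameter still takes precedence over the new `TOKEN` header, so the secret can keep appearing in access and proxy logs; a comment on `token_valid?` such as `# Prefer the TOKEN header; ?token= is kept for compatibility and ends up in request logs` would make that trade-off visible.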