Does Rails 4.2 use secret_token?

Question

Are both secret_key_base and secret_token needed for production in Rails 4.2? Setting neither causes the following exception message:

Missing secret_token and secret_key_base for 'production' environment, set these values in config/secrets.yml

The 4.2 upgrade guide (http://railsapps.github.io/updating-rails.html) says this:

When you create a new Rails application using the rails new command, a unique secret key is generated and written to the config/initializers/secret_token.rb file.

But no such file was created when I generated my app, and there is no reference to secret_token in config/secrets.yml

I'm assuming that the error message is wrong, and that only secret_key_base is needed. When I run my app in production on my dev machine, it starts with just secret_key_base, but in Engineyard, setting secret_key_base (via an environment variable) isn't working. I still get the error.

Answer 1

The problem you're seeing on Engine Yard is because the secret_key_base environment variable doesn't (yet) exist by default. That's something we're working on. You can put that in place on your own using custom chef; I suggest talking to our support team for more info on that.

As for the actual error you're getting, I just tested a brand new Rails 4.2 app ("rails new foo") to see if it's generating secret_token.rb, which it's not. I think what you need here is to create config/secrets.yml, and that file should look like this:

development:
  secret_key_base: somekey

test:
  secret_key_base: someotherkey

# Do not keep production secrets in the repository,
# instead read values from the environment.
production:
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

Now, when you see ENV["SECRET_KEY_BASE"], that's where Engine Yard has a bit of a twist - we don't provide that out of the box yet. As long as your repo is private, you can hard-code something in there on your own. Otherwise, using custom chef could get you squared away by creating a secret key base and putting it in the wrapper script responsible for launching your app worker processes (so config/env.custom on our platform, for example).

Hope this helps.

Answer 2

4.2 does use the secret key and the link you posted has the solution you are looking for.

In an environment that doesn't end up with the secret key active, you need to generate it using rake secret then place the output from the console into your config/initializers/secret_token.rb file (you can make one if there isn't one).

You have the option to avoid using secrets.yml. Many people prefer to use another gem/procedure (e.g. figaro) for handling secret info. To simplify your life you could just put this information into the secret_token.rb file and move on - or you can learn the various other idiomatic ways of handling the situation.

Answer 3

At least Rails 4.2.2 gave me the same error, but setting the environment variable SECRET_KEY_BASE in the rails user's .bash_profile file solved the problem for me, so the bit about secret_token seems to be bogus -- a holdover from earlier versions, probably.

Generate the secret by commanding rake secret, then use the generated string in file .bash_profile like this:

export SECRET_KEY_BASE='the_output_of_the_rake_secret_command'