How to dynamically generate secret tokens in Rails 4.1 with secrets.yml?

New to rails. Followed Hartl's tutorial where he uses this code to dynamically generate secret token for config/initializers/secret_token.rb

require 'securerandom'

def secure_token
  token_file = Rails.root.join('.secret')
  if File.exist?(token_file)
    # Use the existing token.
    File.read(token_file).chomp
  else
    # Generate a new token and store it in token_file.
    token = SecureRandom.hex(64)
    File.write(token_file, token)
    token
  end
end

SampleApp::Application.config.secret_key_base = secure_token

I'm trying to follow the new Rails 4.1 way by using secrets.yml, and delete the secret_token.rb:

development:
  secret_key_base: 79c1389c2fadc5a5a1918a5104ab34eb700c

test:
  secret_key_base: fdb4edcde14173d62963705ca4d7876b5307790924

production:
  secret_key_base: 85172605030a8225c083d886d066da2cb4aac1f0

But I think you cannot run a Ruby script like the one in secret_token.rb in a yml file. How would you have Rails dynamically generate the secret tokens in secrets.yml? How should this be done? What is best practice?

Andreas asked Feb 10 '14 09:02


2 Answers

Given a function secret_token whose only job is to generate a new token string each time one's application accesses the secrets.yml file, cookies and most likely other session-like behavior will not work correctly as the secret token changes each call to the function.

The preferred & secure way is to use any old secret key in the secrets.yml file for development and test environments (you can generate a secret string by issuing rake secret on the command line), then use an environment variable that your production server knows, so the secrets.yml file looks like:

production:
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

For example, on Heroku, use heroku config:set SECRET_KEY_BASE="insert key here" to set the environment variable and there you have it. Don't be afraid to check the secrets.yml file into SCM... as long as you haven't saved your production key to the file (and are instead using the environment variable method I just described), checking the file into SCM poses no threat.

Steve Nims answered Oct 14 '22 09:10


You can actually run ERB code in YML files. Something like:

development:
  secret_key_base: <%= secure_token %>

should work (if whatever process reads the YML file can access the secure_token method).

thorsten müller answered Oct 14 '22 08:10
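The following is an added example, not code from either answer or from Rails itself. It ties the two answers together: it runs a constructed stand-in for secrets.yml through ERB exactly the way Rails does (so a method such as secure_token that is visible in the evaluating binding can be called from the YAML, as the second answer says), reads the production key from ENV["SECRET_KEY_BASE"] and fails closed if that variable is unset, and then shows with a small HMAC-signed cookie why the first answer warns against a token that changes on every call. The template contents, the MissingSecretError class, the cookie value and the 64-byte keys are all constructed for the example.

```ruby
require 'erb'
require 'yaml'
require 'openssl'
require 'securerandom'

# Constructed stand-in for config/secrets.yml. The development block calls a
# Ruby method through ERB (second answer); production reads the environment
# variable the first answer recommends.
SECRETS_TEMPLATE = <<~YAML
  development:
    secret_key_base: <%= secure_token %>
  production:
    secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
YAML

# Hypothetical error type for this example, raised when no key is configured.
class MissingSecretError < StandardError; end

# Generates the development token once per process and memoises it, so every
# ERB evaluation of the template sees the same value. A fresh SecureRandom
# call on each access would break cookie verification (see below).
def secure_token
  @secure_token ||= SecureRandom.hex(64)
end

# Mirrors what Rails does with secrets.yml: run the file through ERB, parse
# the YAML and pick the block for the requested environment. The ERB is
# evaluated in this method's binding, which is why secure_token is callable
# from inside the template. Fails closed when the key is nil or blank, e.g.
# because SECRET_KEY_BASE was never exported on the production host.
def load_secret_key_base(template, environment)
  rendered = ERB.new(template).result(binding)
  config = YAML.safe_load(rendered) || {}
  key = config.dig(environment, 'secret_key_base')
  if key.nil? || key.to_s.strip.empty?
    raise MissingSecretError, "no secret_key_base configured for #{environment}"
  end
  key.to_s
end

# Minimal model of a signed cookie: the value is authenticated with an HMAC
# keyed by secret_key_base (Rails derives its cookie keys from that secret).
def sign(value, key)
  OpenSSL::HMAC.hexdigest('SHA256', key, value)
end

# Constant-time comparison so a forged signature cannot be guessed byte by
# byte from timing differences.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify(value, signature, key)
  secure_equal?(sign(value, key), signature)
end

# Signs a cookie with one key obtained from key_source and verifies it with
# the next key the source yields. A stable source (file, ENV, memoised method)
# returns true; a source that regenerates the token on every call returns
# false, which is the session breakage the first answer describes.
def signature_valid_across_calls?(key_source)
  cookie = 'user_id=42' # constructed sample cookie payload
  signature = sign(cookie, key_source.call)
  verify(cookie, signature, key_source.call)
end

if __FILE__ == $PROGRAM_NAME
  ENV['SECRET_KEY_BASE'] ||= SecureRandom.hex(64) # constructed for the demo only
  puts load_secret_key_base(SECRETS_TEMPLATE, 'production')
  puts signature_valid_across_calls?(-> { secure_token })           # true
  puts signature_valid_across_calls?(-> { SecureRandom.hex(64) })   # false
end
```

Running it with SECRET_KEY_BASE unset makes load_secret_key_base raise for production instead of silently booting with an empty key, which is the behaviour you want from a deployment that relies on the environment variable approach.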