
Missing `secret_token` and `secret_key_base` - Rails 4.2.0 with RVM

Recently I pulled one of my repos from Git. After launching the server, I am receiving the following: Missing secret_token and secret_key_base. This may be happening because I've included the secrets.yml in my .gitignore.

My current setup

  • Ubuntu 14.04
  • ruby 2.2.0p0
  • rails 4.2.0
  • rvm 1.26.11
  • local server (not remote)
  • development environment

Many online resources state that I must gen a new key using rake secret and add it to the secrets.yml. Placing the key inside the secrets.yml and restarting the rails server does not work.


Edited: Added contents of secrets.yml below. -04/30/15 9:04 AM EST

development:
  secret_key_base: LONG KEY HERE

test:
  secret_key_base: LONG KEY HERE

# Do not keep production secrets in the repository,
# instead read values from the environment.
production:
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

Please know this is set as a development environment on a local server in my place of residence (not Heroku).


Other resources state I need to add an entry inside my secret_token.rb but this file does not exist in my project.

The only way my application will run is if I were to create a secret_token.rb file and add either one of the following inside of it:

MyApp::Application.config.secret_token = if Rails.env.development? or Rails.env.test?
  ('x' * 30) # meets minimum requirement of 30 chars long
else
  ENV['SECRET_TOKEN-']
end

or

MyApp::Application.config.secret_token = 'the secret key'

Why is this file required when the Rails docs state to remove it?

3.3 config/secrets.yml

The secret_token.rb is not required in order to run for new generated projects, only the ones from my Git repo.

Please advise on why my application needs secret_token.rb though the Rails docs state otherwise or my application will not run without it.

Edited: -04/30/15 9:27 AM EST

Another strange behavior is I can rename secrets.yml while the secret_token.rb remains in place and the application will still run.

I attempted to rename the secret_token.rb, added <%= ENV["SECRET_KEY_BASE"] %> to development and I'm still experiencing the Missing secret_token issue.

Edited: Added git repo below. -05/08/15 2:50 AM EST

git repo: https://github.com/captain-awesome/blog_mac

Something strange is if I were to modify any one of the 32 characters, save the secret_token.rb, reload the server... my app will run. Is the 32 character string in the secret_token.rb something I can make up on my own? If so, what is the real purpose for rake secret?

captain awesome asked Apr 29 '15 20:04


2 Answers

Are you launching your server locally in development or in some other environment (for instance, on Heroku in production)? Because if you are running on Heroku, then you'll need to remove secrets.yml from your .gitignore so that Heroku can figure out what the secret key is. The safe way of handling this is to store your secret key as an environment variable on Heroku and have your secrets.yml point to it (see below).

If you are running locally, you should be able to delete your secret_token.rb as long as you have your secret_key_base set for every environment inside your secrets.yml file. You didn't post what yours looks like, but it should look something like this:

development:
 secret_key_base: somerandomkey
test:
 secret_key_base: somerandomkey
staging:
 secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
production:
 secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

Hannah answered Oct 10 '22 14:10


As of Rails 4.1, there is a new way to store secrets.

In Rails 4.1+, you need config/secrets.yml – do not delete it! I can see in your GitHub repo, you are using Rails 4.2 and that this file is missing. This is why you see that error. (Note: if you still have a secret_token.rb file, remove it. Rails 4.1+ no longer uses it).

I recommend using dotenv rails.

Add and commit config/secrets.yml:

default: &default
  secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>

development:
  <<: *default

test:
  <<: *default

staging:
  <<: *default

production:
  <<: *default

Whenever you launch rails, you need to make sure you set the SECRET_KEY_BASE system environment variable. With the above YAML file, you need to ensure this environment variable is set on whatever machine that starts your Rails app in whatever environment. The key point is that how this variable is set may vary depending on where/what your machine is.

On your local machine (at home), create a file called .env with a secret:

echo SECRET_KEY_BASE=`rake secret` > .env
rails server

You only need to create this file once. When rails starts, dotenv will read this .env file, and set the environment variable SECRET_KEY_BASE appropriately. Do not commit this file – in fact, I recommend adding it to your .gitignore.

Later, when you deploy to a remote server (a production/deployment server), things will be different. You may need to use SSH to set the environment variable. On Heroku, you can sign in to your app's dashboard and set an environment value (or use config:set in Heroku Toolbelt).

Edit: Note I didn't invent this. This is the approach used by Suspenders.

James Lawson answered Oct 10 '22 14:10
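
Added example (not part of either answer or of Rails itself): a preflight check that renders a secrets.yml through ERB and YAML and reports, per environment, whether `secret_key_base` ends up missing, too short, or a filler string. It shows that an unset `SECRET_KEY_BASE` renders to an empty value for every environment that inherits the ERB tag. Assumptions: `SAMPLE_SECRETS` is constructed, the 30-character floor is taken from the comment in the question's snippet, and the distinct-character threshold is this example's own heuristic.

```ruby
require 'erb'
require 'yaml'
require 'securerandom'

# Constructed sample: the layout from the answer above, plus the question's
# 'x' * 30 placeholder in the test environment.
SAMPLE_SECRETS = <<~YAML
  default: &default
    secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>

  development:
    <<: *default

  test:
    secret_key_base: #{'x' * 30}

  production:
    <<: *default
YAML

MIN_LENGTH   = 30 # assumption: the minimum quoted in the question's snippet
MIN_DISTINCT = 8  # assumption: this example's heuristic for filler strings

# Render ERB, then parse YAML, and classify each environment's
# secret_key_base as :missing, :too_short, :low_variety or :ok.
def audit_secrets(yaml_text)
  rendered = ERB.new(yaml_text).result
  config = YAML.safe_load(rendered, aliases: true) || {}
  config.reject { |env, _| env == 'default' }.map do |env, settings|
    secret = (settings || {})['secret_key_base'].to_s
    status =
      if secret.empty? then :missing
      elsif secret.length < MIN_LENGTH then :too_short
      elsif secret.chars.uniq.size < MIN_DISTINCT then :low_variety
      else :ok
      end
    [env, status]
  end.to_h
end

if __FILE__ == $PROGRAM_NAME
  ENV.delete('SECRET_KEY_BASE')
  puts "SECRET_KEY_BASE unset: #{audit_secrets(SAMPLE_SECRETS)}"
  ENV['SECRET_KEY_BASE'] = SecureRandom.hex(64) # random value for this process only
  puts "SECRET_KEY_BASE set:   #{audit_secrets(SAMPLE_SECRETS)}"
end
```

The check reads only the process environment, so a `.env` file has to be loaded first (by dotenv or the shell) before it reflects what the app will see.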