From 885e67a39b816748380f0bf7f8cf6dafd3384d4d Mon Sep 17 00:00:00 2001
From: Maikel Linke
Date: Thu, 29 Sep 2022 13:06:28 +1000
Subject: [PATCH 1/3] Ignore Rails secrets
These files are only used in production but sometimes we want to test production execution on our dev machines, too.
---
 .gitignore | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.gitignore b/.gitignore
index cba45b438d..b50b2725c4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -57,3 +57,6 @@ coverage
 /yarn-error.log
 yarn-debug.log*
 .yarn-integrity
+
+/config/credentials.yml.enc
+/config/master.key
From 57a70455a829a48586d6ca089c2183a980727357 Mon Sep 17 00:00:00 2001
From: Maikel Linke
Date: Thu, 29 Sep 2022 13:37:23 +1000
Subject: [PATCH 2/3] Simplify setting of secret token
We define it in the dotenv files already which has the advantage of being overridable. I adjusted the dotenv files to have the same value as was set before, 30 times `x`.
---
 .env.development | 2 +-
 .env.test | 2 +-
 config/initializers/secret_token.rb | 10 ++--------
 3 files changed, 4 insertions(+), 10 deletions(-)
diff --git a/.env.development b/.env.development
index 928f5014b2..6764c81977 100644
--- a/.env.development
+++ b/.env.development
@@ -1,7 +1,7 @@
 # ENV vars for the development environment
 # Override locally with `.env.development.local`
-SECRET_TOKEN="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+SECRET_TOKEN="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 OFN_REDIS_URL="redis://localhost:6379/1"
 OFN_REDIS_JOBS_URL="redis://localhost:6379/2"
diff --git a/.env.test b/.env.test
index 2729e942fd..9a20a69526 100644
--- a/.env.test
+++ b/.env.test
@@ -1,7 +1,7 @@
 # ENV vars for the test environment
 # Override locally with `.env.test.local`
-SECRET_TOKEN="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+SECRET_TOKEN="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 STRIPE_SECRET_TEST_API_KEY="bogus_key"
 STRIPE_CUSTOMER="bogus_customer"
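Review bot: `config/credentials.yml.enc` is the encrypted credential store that Rails expects to be committed, with only `config/master.key` kept out of the repository, so ignoring both on the two added lines means any credentials edited locally are never versioned. That matches the commit message's intent of keeping local production-mode experiments out of git, but a reader of `.gitignore` alone cannot tell whether the app relies on the credential store or not; if it does, only `master.key` should be listed here. A short comment above the two paths would record the decision, e.g. `# Rails credential files are generated locally for production-mode testing only and must not be committed`.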
diff --git a/config/initializers/secret_token.rb b/config/initializers/secret_token.rb
index 565c65de2f..e66b94f4b8 100644
--- a/config/initializers/secret_token.rb
+++ b/config/initializers/secret_token.rb
@@ -5,14 +5,8 @@
 # Make sure the secret is at least 30 characters and all random,
 # no regular words or you'll be exposed to dictionary attacks.
-secret_key = if Rails.env.development? or Rails.env.test?
- ('x' * 30) # Meets basic minimum of 30 chars.
-else
- ENV["SECRET_TOKEN"]
-end
-
 # Rails 4+ key for signing and encrypting cookies.
-Openfoodnetwork::Application.config.secret_key_base = secret_key
+Openfoodnetwork::Application.config.secret_key_base = ENV["SECRET_TOKEN"]
 # Legacy secret_token variable. This is still used directly for encryption.
-Openfoodnetwork::Application.config.secret_token = secret_key
+Openfoodnetwork::Application.config.secret_token = ENV["SECRET_TOKEN"]
From ef80c3358d4aef0e9d9f744c63ce3619cc98b821 Mon Sep 17 00:00:00 2001
From: Maikel Linke
Date: Thu, 29 Sep 2022 13:40:44 +1000
Subject: [PATCH 3/3] Explain how to easily configure other environments locally
---
 .env.development | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.env.development b/.env.development
index 6764c81977..8f352f7e5f 100644
--- a/.env.development
+++ b/.env.development
@@ -1,5 +1,9 @@
 # ENV vars for the development environment
 # Override locally with `.env.development.local`
+#
+# You may also want to use this when testing other environments locally:
+#
+# cp .env.development .env.local
 SECRET_TOKEN="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
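Review bot: With the development/test fallback removed, the two added lines read `ENV["SECRET_TOKEN"]` with no presence or length check, so an unset variable silently assigns nil to both `secret_key_base` and `secret_token`, and a `.env.*.local` override can supply a value shorter than the 30 characters the hunk's own context comment promises. The dotenv hunks in this patch (`.env.development`, `.env.test`) are now the only thing guaranteeing a value, and they are exactly the files the commit message says are meant to be overridden. Reading the variable once with `ENV.fetch` fails at boot with a clear message instead of at the first cookie operation, and an explicit length check turns the documented minimum from advice into an enforced invariant. The hunk is top-level initializer code, so no enclosing definition is cut.

```ruby
# … unchanged: comment block about secret length …
secret_key = ENV.fetch("SECRET_TOKEN") do
  raise "SECRET_TOKEN is not set; define it in the environment or a dotenv file"
end
raise "SECRET_TOKEN must be at least 30 characters" if secret_key.length < 30

# Rails 4+ key for signing and encrypting cookies.
Openfoodnetwork::Application.config.secret_key_base = secret_key

# Legacy secret_token variable. This is still used directly for encryption.
Openfoodnetwork::Application.config.secret_token = secret_key
```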
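Review bot: The added comment recommends `cp .env.development .env.local` without saying that `.env.local` is, under dotenv's default load order, read in every environment except test (worth confirming for the dotenv version in use), so a production-mode run on that machine would sign and encrypt cookies with the placeholder `SECRET_TOKEN` that is committed to the repository two lines below. A caveat next to the `cp` line keeps that explicit for whoever follows the instruction, e.g. `# and then set SECRET_TOKEN in .env.local to a freshly generated value; .env.local is for local machines only`.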