From 5b016673d7e44926097d6e41b9feaef73a4e2de2 Mon Sep 17 00:00:00 2001 
From: Emi Matchu
Date: Thu, 22 Feb 2024 12:36:02 -0800
Subject: [PATCH] Migrate secret key to Rails credentials file (and fix deprecation warn)

There's a bit happening behind the scenes of this change.

Previously, we kept a `SECRET_TOKEN` environment variable in `production.env`, and used a `secret_token.rb` initializer to wire it up as the `secret_key_base`.

In this change, we move to Rails's new-ish (two years old :p) encrypted credentials system. Now, we set a `RAILS_MASTER_KEY` environment variable in the deployed `production.env` instead (and in our local `.env.production` in the project root for managing it), and we can run `rails credentials:edit` to open the encrypted file in a text editor. Inside, the content is just:

```yml
secret_key_base: ""
```

This indirection doesn't exactly do much for us functionally; it's just the more standard way of achieving what our `secret_token.rb` situation was achieving.

We could also migrate other secrets into there, and I just might! That would simplify duplication between `/deploy/files/production.env` and `/.env.production`, at any rate! The main notable one is `MATCHU_EMAIL_PASSWORD` for sending auth emails from `matchu@openneo.net` (and there's also a Stripe token that we don't actually use in the app these days, those codepaths are old bones). Oh and there's also the `IMPRESS_2020_SUPPORT_SECRET`!

Anyway, the motivation for this was to remove the warning when starting the app that Devise is trying to use the deprecated `Rails.application.secrets` method. I was expecting to have to do [the workaround shared here](https://github.com/heartcombo/devise/issues/5644#issuecomment-1804626431), but it turns out whatever default behavior Devise does under the hood is happy enough with our new decision to use the credentials file, and the deprecation warning is gone! Ok neat!
--- config/credentials.yml.enc | 1 + config/initializers/secret_token.rb | 19 ------------------- 2 files changed, 1 insertion(+), 19 deletions(-) create mode 100644 config/credentials.yml.enc delete mode 100644 config/initializers/secret_token.rb diff --git a/config/credentials.yml.enc b/config/credentials.yml.enc new file mode 100644 index 00000000..b2c225fd --- /dev/null +++ b/config/credentials.yml.enc @@ -0,0 +1 @@ +ciP4cwjLU07G6CxuP7wpOdvsq1x5oy6mPKLjaaJQXGA/TLpqqs/hxHrq0AnM6cmQPtRr0IWN62k64NSwfrWLMYb1Bf7NQy7ljgGXS7bRHWHqFLImRoB+Biu+EKPvTPPJ1oRfuY93OeEAsGErsi3AzbXFFN8DsGfIBuJ94JtL8tIiN1DppWRNYPGVKgtY3vFEAqnb/n1aJd7Zlpx7K9Ujt1x2EI5NfZnqWusydOdxLH2+PecdeSCg0QtB0OI=--oKqJZYwMxwVJqyHf--/pM5RzWanmuKbMCZ6oTd7Q== \ No newline at end of file diff --git a/config/initializers/secret_token.rb b/config/initializers/secret_token.rb deleted file mode 100644 index aea94a91..00000000 --- a/config/initializers/secret_token.rb +++ /dev/null @@ -1,19 +0,0 @@ -# Be sure to restart your server when you modify this file. - -# Your secret key is used for verifying the integrity of signed cookies. -# If you change this key, all old signed cookies will become invalid! - -# Make sure the secret is at least 30 characters and all random, -# no regular words or you'll be exposed to dictionary attacks. -# You can use `rake secret` to generate a secure secret key. - -# Make sure your secret_key_base is kept private -# if you're sharing your code publicly. -if Rails.env.development? || Rails.env.test? - # In development, we use a hardcoded secret key, because it doesn't actually - # need to be secret! - OpenneoImpressItems::Application.config.secret_key_base = "7584841652f89044a8b5a428efa6dfac2461449eb24741a33668cd642130d79f93b0347766ebf4a4d7d5033a263c36431594ad56b5735a7325c8cdda991219c2" -else - # In general, we use the SECRET_TOKEN provided as an environment variable! - OpenneoImpressItems::Application.config.secret_key_base = ENV.fetch('SECRET_TOKEN') -end
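Review bot: on the `config/credentials.yml.enc` hunk, the committed blob is only as private as the key that decrypts it, and this patch does not touch `.gitignore`, so confirm that `config/master.key` is already excluded from the repository (Rails adds `/config/master.key` to `.gitignore` when it generates credentials) and that the `RAILS_MASTER_KEY` environment variable described in the commit message is the only path by which the key reaches the deployed host. It would also help reviewers to state in the message whether the `secret_key_base` sealed in this file is the previous `SECRET_TOKEN` value or a freshly generated one, since that decides whether existing signed cookies survive the deploy.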
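Review bot: on the `config/initializers/secret_token.rb` deletion, two follow-ups are missing. First, the removed `ENV.fetch('SECRET_TOKEN')` line was the only consumer of `SECRET_TOKEN`, so that variable in `/deploy/files/production.env` is now dead and should be removed in the same change (and, since it was a live cookie-signing secret, treated as retired rather than left lying around). Second, the hardcoded development/test `secret_key_base` goes away while the new credentials file is a single file shared across environments, so development and test will now resolve `secret_key_base` either from the credentials (when a master key is present locally) or from the per-checkout secret Rails writes under `tmp/`; a one-line note in the commit message would save the next developer from wondering why their local signed cookies were invalidated, which is exactly the effect the deleted comment block warns about.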