Commit 79b8e49aac6919261c2305941200996a2d0bc90b

Authored by Nathan Broadbent
1 parent 879d75fb
Exists in master and in 1 other branch production

Ensure each Errbit deployment has a unique secret token

Otherwise cookies can be hijacked.
README.md
... ... @@ -124,21 +124,19 @@ rake errbit:bootstrap
124 124 script/rails server
125 125 ```
126 126  
127   -**Deploying:**
  127 +Deploying:
  128 +----------
128 129  
129   - * Bootstrap Errbit. This will copy over config.yml and also seed the database.
130   -
131   -```bash
132   -rake errbit:bootstrap
133   -```
134   -
135   - * Update the deploy.rb file with information about your server
  130 + * Copy `config/deploy.example.rb` to `config/deploy.rb`
  131 + * Update the `deploy.rb` or `config.yml` file with information about your server
136 132 * Setup server and deploy
137 133  
138 134 ```bash
139 135 cap deploy:setup deploy
140 136 ```
141 137  
  138 +(Note: The capistrano deploy script will automatically generate a unique secret token.)
  139 +
142 140 **Deploying to Heroku:**
143 141  
144 142 * Clone the repository
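Review bot: the heading style is now inconsistent within this section: `Deploying:` becomes a setext heading with a `----------` underline while `**Deploying to Heroku:**` three lines down stays a bold line; pick one form for both. The new note could also say where the generated token is persisted (the deploy task below writes it to `#{shared_configs}/secret_token.rb`), so an operator knows which file to rotate or back up when the comment in `config/initializers/secret_token.rb` warns that changing the key invalidates all signed cookies.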
... ... @@ -155,6 +153,7 @@ heroku create example-errbit --stack cedar
155 153 heroku addons:add mongolab:starter
156 154 heroku addons:add sendgrid:starter
157 155 heroku config:add HEROKU=true
  156 +heroku config:add SECRET_TOKEN="$(bundle exec rake secret)"
158 157 heroku config:add ERRBIT_HOST=some-hostname.example.com
159 158 heroku config:add ERRBIT_EMAIL_FROM=example@example.com
160 159 git push heroku master
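Review bot: `heroku config:add SECRET_TOKEN="$(bundle exec rake secret)"` runs `rake secret` in the local clone, so it needs `bundle install` to have been run there first; the surrounding steps are all `heroku` commands, so a short sentence saying so would save a confusing failure. It is also worth stating that `SECRET_TOKEN` is the only source the new initializer accepts outside development/test, so a misspelled variable name will surface as the `raise` in `config/initializers/secret_token.rb` on first boot.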
... ...
config/deploy.example.rb
... ... @@ -56,6 +56,12 @@ namespace :errbit do
56 56 run "mkdir -p #{shared_configs}"
57 57 run "if [ ! -f #{shared_configs}/config.yml ]; then cp #{latest_release}/config/config.example.yml #{shared_configs}/config.yml; fi"
58 58 run "if [ ! -f #{shared_configs}/mongoid.yml ]; then cp #{latest_release}/config/mongoid.example.yml #{shared_configs}/mongoid.yml; fi"
  59 +
  60 + # Generate unique secret token
  61 + run %Q{if [ ! -f #{shared_configs}/secret_token.rb ]; then
  62 + cd #{current_release};
  63 + echo "Errbit::Application.config.secret_token = '$(bundle exec rake secret)'" > #{shared_configs}/secret_token.rb;
  64 + fi}.compact
59 65 end
60 66  
61 67 task :symlink_configs do
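Review bot: `.compact` is called on the `%Q{...}` string in the new `run` call, and `String` has no `compact` method in Ruby or ActiveSupport, so this task will raise `NoMethodError` before anything is run on the server; drop the call (the remote shell handles the multi-line command as written). Two smaller points in the same lines: the new block uses `#{current_release}` while the two `cp` lines above it use `#{latest_release}`, and one name should be used consistently; and `bundle exec rake secret` needs the bundle already installed on the server, so this task has to be hooked after `bundle:install` rather than run as part of initial setup.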
... ... @@ -64,6 +70,7 @@ namespace :errbit do
64 70 release_configs = File.join(release_path,'config')
65 71 run("ln -nfs #{shared_configs}/config.yml #{release_configs}/config.yml")
66 72 run("ln -nfs #{shared_configs}/mongoid.yml #{release_configs}/mongoid.yml")
  73 + run("ln -nfs #{shared_configs}/secret_token.rb #{release_configs}/initializers/secret_token.rb")
67 74 end
68 75 end
69 76  
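Review bot: `ln -nfs` replaces the checked-in `config/initializers/secret_token.rb` with a link to `#{shared_configs}/secret_token.rb`, so if `errbit:setup_configs` did not run (for example an operator's existing `deploy.rb` predates that task) the link dangles and Rails fails at boot with a load error instead of the explanatory message the initializer was given in this commit. Guard the link on the shared file existing, e.g. `run("if [ -f #{shared_configs}/secret_token.rb ]; then ln -nfs ...; fi")`, or make the README note say plainly that both tasks must be present in `deploy.rb`.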
... ...
config/initializers/secret_token.rb
... ... @@ -4,5 +4,32 @@
4 4 # If you change this key, all old signed cookies will become invalid!
5 5 # Make sure the secret is at least 30 characters and all random,
6 6 # no regular words or you'll be exposed to dictionary attacks.
7   -Errbit::Application.config.secret_token = ENV['SECRET_TOKEN'] || '6b74778101638fa9c156b3928c9492fb2481ab842538bea838d21f9c9993f649f5806449584266d413d0b2f1104162b3066a86512ed71ededd627cd41f939614'
8 7  
  8 +# Everyone can share the same token for development/test
  9 +if %w(development test).include? Rails.env
  10 + Errbit::Application.config.secret_token = 'f258ed69266dc8ad0ca79363c3d2f945c388a9c5920fc9a1ae99a98fbb619f135001c6434849b625884a9405a60cd3d50fc3e3b07ecd38cbed7406a4fccdb59c'
  11 +else
  12 +
  13 + if ![nil, ''].include?(ENV['SECRET_TOKEN'])
  14 + Errbit::Application.config.secret_token = ENV['SECRET_TOKEN']
  15 +
  16 + else
  17 + raise <<-ERROR
  18 +
  19 + You must generate a unique secret token for your Errbit instance.
  20 +
  21 + If you are deploying via capistrano, please ensure that your `config/deploy.rb` contains
  22 + the new `errbit:setup_configs` and `errbit:symlink_configs` tasks from `config/deploy.example.rb`.
  23 + Next time you deploy, your secret token will be automatically generated.
  24 +
  25 + If you are deploying to Heroku, please run the following command to set your secret token:
  26 + heroku config:add SECRET_TOKEN="$(bundle exec rake secret)"
  27 +
  28 + If you are deploying in some other way, please run the following command to generate a new secret token,
  29 + and commit the new `config/initializers/secret_token.rb`:
  30 +
  31 + echo "Errbit::Application.config.secret_token = '$(bundle exec rake secret)'" > config/initializers/secret_token.rb
  32 +
  33 + ERROR
  34 + end
  35 +end
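Review bot: the production path is selected by `Rails.env`, which defaults to `development` when neither `RAILS_ENV` nor `RACK_ENV` is set, so a server booted without that variable silently uses the shared token committed here in a public repository, and the `raise` never fires; the README deploy notes should say to set `RAILS_ENV=production`, or this file should log a warning when the shared token is in use. The `![nil, ''].include?(ENV['SECRET_TOKEN'])` check only rejects an empty value even though the comment at the top of the file requires at least 30 characters; `ENV['SECRET_TOKEN'].present?` is the idiomatic form with ActiveSupport loaded, and a length check (raise when shorter than 30) would enforce what the comment asks for.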
... ...