Commit 79b8e49aac6919261c2305941200996a2d0bc90b
1 parent
879d75fb
Ensure each Errbit deployment has a unique secret token
Otherwise cookies can be hijacked.
Showing
3 changed files
with
42 additions
and
9 deletions
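--- a/README.md
+++ b/README.md
@@ -124,21 +124,19 @@ rake errbit:bootstrap
 script/rails server
 ```
 
-**Deploying:**
+Deploying:
+----------
 
- * Bootstrap Errbit. This will copy over config.yml and also seed the database.
-
-```bash
-rake errbit:bootstrap
-```
-
- * Update the deploy.rb file with information about your server
+ * Copy `config/deploy.example.rb` to `config/deploy.rb`
+ * Update the `deploy.rb` or `config.yml` file with information about your server
 * Setup server and deploy
 
 ```bash
 cap deploy:setup deploy
 ```
 
+(Note: The capistrano deploy script will automatically generate a unique secret token.)
+
 **Deploying to Heroku:**
 
 * Clone the repository
@@ -155,6 +153,7 @@ heroku create example-errbit --stack cedar
 heroku addons:add mongolab:starter
 heroku addons:add sendgrid:starter
 heroku config:add HEROKU=true
+heroku config:add SECRET_TOKEN="$(bundle exec rake secret)"
 heroku config:add ERRBIT_HOST=some-hostname.example.com
 heroku config:add ERRBIT_EMAIL_FROM=example@example.com
 git push heroku master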
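--- a/config/deploy.example.rb
+++ b/config/deploy.example.rb
@@ -56,6 +56,12 @@ namespace :errbit do
 run "mkdir -p #{shared_configs}"
 run "if [ ! -f #{shared_configs}/config.yml ]; then cp #{latest_release}/config/config.example.yml #{shared_configs}/config.yml; fi"
 run "if [ ! -f #{shared_configs}/mongoid.yml ]; then cp #{latest_release}/config/mongoid.example.yml #{shared_configs}/mongoid.yml; fi"
+
+# Generate unique secret token
+run %Q{if [ ! -f #{shared_configs}/secret_token.rb ]; then
+cd #{current_release};
+echo "Errbit::Application.config.secret_token = '$(bundle exec rake secret)'" > #{shared_configs}/secret_token.rb;
+fi}.compact
 end
 
 task :symlink_configs do
@@ -64,6 +70,7 @@ namespace :errbit do
 release_configs = File.join(release_path,'config')
 run("ln -nfs #{shared_configs}/config.yml #{release_configs}/config.yml")
 run("ln -nfs #{shared_configs}/mongoid.yml #{release_configs}/mongoid.yml")
+run("ln -nfs #{shared_configs}/secret_token.rb #{release_configs}/initializers/secret_token.rb")
 end
 end
 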
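Review bot: The `.compact` call on the `%Q{...}` literal in the new `setup_configs` lines has no receiver that supports it in core Ruby — `String` defines no `compact` — so the task would raise NoMethodError before `run` is ever invoked, unless something in the deploy environment adds that method; the multi-line command is fine for `run` as written, so the fix is to end the string with plain `fi}`. The generated `secret_token.rb` is also created under the remote user's default umask and may end up group- or world-readable; adding `chmod 600 #{shared_configs}/secret_token.rb;` before the `fi` keeps the cookie-signing secret restricted to the deploy user. The `errbit` namespace and the task that these lines extend begin outside this hunk.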
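--- a/config/initializers/secret_token.rb
+++ b/config/initializers/secret_token.rb
@@ -4,5 +4,32 @@
 # If you change this key, all old signed cookies will become invalid!
 # Make sure the secret is at least 30 characters and all random,
 # no regular words or you'll be exposed to dictionary attacks.
-Errbit::Application.config.secret_token = ENV['SECRET_TOKEN'] || '6b74778101638fa9c156b3928c9492fb2481ab842538bea838d21f9c9993f649f5806449584266d413d0b2f1104162b3066a86512ed71ededd627cd41f939614'
 
+# Everyone can share the same token for development/test
+if %w(development test).include? Rails.env
+Errbit::Application.config.secret_token = 'f258ed69266dc8ad0ca79363c3d2f945c388a9c5920fc9a1ae99a98fbb619f135001c6434849b625884a9405a60cd3d50fc3e3b07ecd38cbed7406a4fccdb59c'
+else
+
+if ![nil, ''].include?(ENV['SECRET_TOKEN'])
+Errbit::Application.config.secret_token = ENV['SECRET_TOKEN']
+
+else
+raise <<-ERROR
+
+You must generate a unique secret token for your Errbit instance.
+
+If you are deploying via capistrano, please ensure that your `config/deploy.rb` contains
+the new `errbit:setup_configs` and `errbit:symlink_configs` tasks from `config/deploy.example.rb`.
+Next time you deploy, your secret token will be automatically generated.
+
+If you are deploying to Heroku, please run the following command to set your secret token:
+heroku config:add SECRET_TOKEN="$(bundle exec rake secret)"
+
+If you are deploying in some other way, please run the following command to generate a new secret token,
+and commit the new `config/initializers/secret_token.rb`:
+
+echo "Errbit::Application.config.secret_token = '$(bundle exec rake secret)'" > config/initializers/secret_token.rb
+
+ERROR
+end
+end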
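Review bot: The guard `if ![nil, ''].include?(ENV['SECRET_TOKEN'])` accepts any non-empty value, including a whitespace-only or very short one, even though the header comment directly above requires at least 30 random characters; a deployment that sets a placeholder like `SECRET_TOKEN=changeme` would boot silently with a weak cookie-signing secret instead of hitting the helpful error below. Reading the variable once and checking its length makes the documented requirement enforceable, e.g. `token = ENV['SECRET_TOKEN'].to_s.strip`, `if token.length >= 30`, `Errbit::Application.config.secret_token = token`. The heredoc also instructs operators to commit the generated `config/initializers/secret_token.rb`, which places a production secret in version control; a short line after that sentence such as `(Keep that file out of any shared or public repository, or prefer the SECRET_TOKEN variable.)` would point readers to the env-based paths first.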