Commit 79b8e49aac6919261c2305941200996a2d0bc90b
1 parent
879d75fb
Ensure each Errbit deployment has a unique secret token
Otherwise every deployment shares the same published token, and anyone who knows it can forge signed cookies.
Showing
3 changed files
with
42 additions
and
9 deletions
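--- a/README.md
+++ b/README.md
@@ -124,21 +124,19 @@ rake errbit:bootstrap
 script/rails server
 ```
 
-**Deploying:**
+Deploying:
+----------
 
- * Bootstrap Errbit. This will copy over config.yml and also seed the database.
-
-```bash
-rake errbit:bootstrap
-```
-
- * Update the deploy.rb file with information about your server
+ * Copy `config/deploy.example.rb` to `config/deploy.rb`
+ * Update the `deploy.rb` or `config.yml` file with information about your server
 * Setup server and deploy
 
 ```bash
 cap deploy:setup deploy
 ```
 
+(Note: The capistrano deploy script will automatically generate a unique secret token.)
+
 **Deploying to Heroku:**
 
 * Clone the repository
@@ -155,6 +153,7 @@ heroku create example-errbit --stack cedar
 heroku addons:add mongolab:starter
 heroku addons:add sendgrid:starter
 heroku config:add HEROKU=true
+heroku config:add SECRET_TOKEN="$(bundle exec rake secret)"
 heroku config:add ERRBIT_HOST=some-hostname.example.com
 heroku config:add ERRBIT_EMAIL_FROM=example@example.com
 git push heroku master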
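--- a/config/deploy.example.rb
+++ b/config/deploy.example.rb
@@ -56,6 +56,12 @@ namespace :errbit do
     run "mkdir -p #{shared_configs}"
     run "if [ ! -f #{shared_configs}/config.yml ]; then cp #{latest_release}/config/config.example.yml #{shared_configs}/config.yml; fi"
     run "if [ ! -f #{shared_configs}/mongoid.yml ]; then cp #{latest_release}/config/mongoid.example.yml #{shared_configs}/mongoid.yml; fi"
+
+    # Generate unique secret token
+    run %Q{if [ ! -f #{shared_configs}/secret_token.rb ]; then
+      cd #{current_release};
+      echo "Errbit::Application.config.secret_token = '$(bundle exec rake secret)'" > #{shared_configs}/secret_token.rb;
+    fi}.compact
   end
 
   task :symlink_configs do
@@ -64,6 +70,7 @@ namespace :errbit do
     release_configs = File.join(release_path,'config')
     run("ln -nfs #{shared_configs}/config.yml #{release_configs}/config.yml")
     run("ln -nfs #{shared_configs}/mongoid.yml #{release_configs}/mongoid.yml")
+    run("ln -nfs #{shared_configs}/secret_token.rb #{release_configs}/initializers/secret_token.rb")
   end
 end
 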
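Review bot: The `echo` line in the new secret-generation block persists whatever `$(bundle exec rake secret)` prints, so if that command fails (bundle not yet installed, or the `cd #{current_release};` before it failing, since it is not chained with `&&`) the shared file is created containing `secret_token = ''`, and the `[ ! -f ... ]` guard then blocks regeneration on every later deploy; the `cd` should be chained and the substitution checked before anything is written. The file also inherits the deploy user's default umask, so the credential is typically world-readable on the host; writing it under `umask 077` (or `chmod 600` afterwards) is the usual practice for a secret. Separately, `%Q{...}.compact` calls `compact` on a String, which core Ruby does not define, so unless something in the Capistrano environment adds it this task raises NoMethodError before running anything; dropping `.compact` is enough. The enclosing `task :setup_configs` starts before this hunk.
```ruby
# … unchanged: mkdir and config.yml / mongoid.yml copies …

# Generate unique secret token; abort if `rake secret` prints nothing,
# and keep the file private since it is a credential.
run %Q{if [ ! -f #{shared_configs}/secret_token.rb ]; then
  cd #{current_release} && secret="$(bundle exec rake secret)" && [ -n "$secret" ] || exit 1;
  (umask 077; echo "Errbit::Application.config.secret_token = '$secret'" > #{shared_configs}/secret_token.rb);
fi}
```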
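--- a/config/initializers/secret_token.rb
+++ b/config/initializers/secret_token.rb
@@ -4,5 +4,32 @@
 # If you change this key, all old signed cookies will become invalid!
 # Make sure the secret is at least 30 characters and all random,
 # no regular words or you'll be exposed to dictionary attacks.
-Errbit::Application.config.secret_token = ENV['SECRET_TOKEN'] || '6b74778101638fa9c156b3928c9492fb2481ab842538bea838d21f9c9993f649f5806449584266d413d0b2f1104162b3066a86512ed71ededd627cd41f939614'
 
+# Everyone can share the same token for development/test
+if %w(development test).include? Rails.env
+  Errbit::Application.config.secret_token = 'f258ed69266dc8ad0ca79363c3d2f945c388a9c5920fc9a1ae99a98fbb619f135001c6434849b625884a9405a60cd3d50fc3e3b07ecd38cbed7406a4fccdb59c'
+else
+
+  if ![nil, ''].include?(ENV['SECRET_TOKEN'])
+    Errbit::Application.config.secret_token = ENV['SECRET_TOKEN']
+
+  else
+    raise <<-ERROR
+
+    You must generate a unique secret token for your Errbit instance.
+
+    If you are deploying via capistrano, please ensure that your `config/deploy.rb` contains
+    the new `errbit:setup_configs` and `errbit:symlink_configs` tasks from `config/deploy.example.rb`.
+    Next time you deploy, your secret token will be automatically generated.
+
+    If you are deploying to Heroku, please run the following command to set your secret token:
+      heroku config:add SECRET_TOKEN="$(bundle exec rake secret)"
+
+    If you are deploying in some other way, please run the following command to generate a new secret token,
+    and commit the new `config/initializers/secret_token.rb`:
+
+      echo "Errbit::Application.config.secret_token = '$(bundle exec rake secret)'" > config/initializers/secret_token.rb
+
+    ERROR
+  end
+end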
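Review bot: The production branch `if ![nil, ''].include?(ENV['SECRET_TOKEN'])` accepts any non-empty value even though the header comment above it requires at least 30 random characters, so `SECRET_TOKEN=x` boots cleanly and leaves signed cookies trivially forgeable; checking the length as well, e.g. `if ENV['SECRET_TOKEN'].to_s.length >= 30`, and raising the same message otherwise would enforce what the comment promises. The last option in the error text tells operators to commit the generated `config/initializers/secret_token.rb`, which puts the credential into repository history; pointing them at an untracked file or the `SECRET_TOKEN` environment variable instead avoids that. Note also that `Rails.env` falls back to `development` when neither `RAILS_ENV` nor `RACK_ENV` is set, so a mis-configured production process silently runs with the published shared token from the first branch, and since this is the Rails 3 `secret_token` setting the consequence appears to be worse than cookie hijacking: the cookie store's session data is Marshal-decoded, so a known token lets an attacker forge arbitrary serialized objects, not just sessions. A comment above the development/test branch stating that this token is public and must never be reachable in production would make the risk explicit, e.g. `# This token is public (it is in git); it must only ever be used where Rails.env is development or test.`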