From 79b8e49aac6919261c2305941200996a2d0bc90b Mon Sep 17 00:00:00 2001
From: Nathan Broadbent
Date: Fri, 25 Jan 2013 00:06:29 -0800
Subject: [PATCH] Ensure each Errbit deployment has a unique secret token

---
 README.md                           | 15 +++++++-------
 config/deploy.example.rb            |  7 +++++++
 config/initializers/secret_token.rb | 29 ++++++++++++++++++++++++++++-
 3 files changed, 42 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index ee8a8eb..ab78e0a 100644
--- a/README.md
+++ b/README.md
@@ -124,21 +124,19 @@ rake errbit:bootstrap
 script/rails server
 ```
 
-**Deploying:**
+Deploying:
+----------
 
- * Bootstrap Errbit. This will copy over config.yml and also seed the database.
-
-```bash
-rake errbit:bootstrap
-```
-
- * Update the deploy.rb file with information about your server
+ * Copy `config/deploy.example.rb` to `config/deploy.rb`
+ * Update the `deploy.rb` or `config.yml` file with information about your server
  * Setup server and deploy
 
 ```bash
 cap deploy:setup deploy
 ```
 
+(Note: The capistrano deploy script will automatically generate a unique secret token.)
+
 **Deploying to Heroku:**
 
  * Clone the repository
@@ -155,6 +153,7 @@ heroku create example-errbit --stack cedar
 heroku addons:add mongolab:starter
 heroku addons:add sendgrid:starter
 heroku config:add HEROKU=true
+heroku config:add SECRET_TOKEN="$(bundle exec rake secret)"
 heroku config:add ERRBIT_HOST=some-hostname.example.com
 heroku config:add ERRBIT_EMAIL_FROM=example@example.com
 git push heroku master
diff --git a/config/deploy.example.rb b/config/deploy.example.rb
index a9f7730..e5a1df0 100644
--- a/config/deploy.example.rb
+++ b/config/deploy.example.rb
@@ -56,6 +56,12 @@ namespace :errbit do
     run "mkdir -p #{shared_configs}"
     run "if [ ! -f #{shared_configs}/config.yml ]; then cp #{latest_release}/config/config.example.yml #{shared_configs}/config.yml; fi"
     run "if [ ! -f #{shared_configs}/mongoid.yml ]; then cp #{latest_release}/config/mongoid.example.yml #{shared_configs}/mongoid.yml; fi"
+
+    # Generate unique secret token
+    run %Q{if [ ! -f #{shared_configs}/secret_token.rb ]; then
+      cd #{current_release};
+      echo "Errbit::Application.config.secret_token = '$(bundle exec rake secret)'" > #{shared_configs}/secret_token.rb;
+    fi}.compact
   end
 
   task :symlink_configs do
@@ -64,6 +70,7 @@ namespace :errbit do
     release_configs = File.join(release_path,'config')
     run("ln -nfs #{shared_configs}/config.yml #{release_configs}/config.yml")
     run("ln -nfs #{shared_configs}/mongoid.yml #{release_configs}/mongoid.yml")
+    run("ln -nfs #{shared_configs}/secret_token.rb #{release_configs}/initializers/secret_token.rb")
   end
 end
 
diff --git a/config/initializers/secret_token.rb b/config/initializers/secret_token.rb
index 469bac8..68449ac 100644
--- a/config/initializers/secret_token.rb
+++ b/config/initializers/secret_token.rb
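Review bot: `%Q{...}.compact` on the new `run` call in `errbit:setup_configs` calls `compact` on a String, which String does not define, so the task raises NoMethodError before the shell command is ever sent; drop the `.compact`. The shell snippet also writes the file unconditionally: if `bundle exec rake secret` fails, `$(...)` expands to nothing, `secret_token.rb` is created holding an empty token, and the `[ ! -f ]` guard then prevents it from ever being regenerated. The file is created with the default umask although it holds the cookie-signing secret, and the `symlink_configs` hunk below links it into the release as-is. Chaining the steps with `&&`, checking the token is non-empty and setting `umask 077` before the redirect covers all three points; the surrounding lines use `latest_release` where the new one uses `current_release`, which is probably worth aligning unless the difference is intended. The `task :setup_configs do` line that opens this block lies outside the hunk.
```ruby
    # Generate unique secret token once; umask 077 keeps the file readable only by the deploy user
    run %Q{if [ ! -f #{shared_configs}/secret_token.rb ]; then
      cd #{current_release} &&
      token="$(bundle exec rake secret)" &&
      [ -n "$token" ] &&
      umask 077 &&
      echo "Errbit::Application.config.secret_token = '$token'" > #{shared_configs}/secret_token.rb;
    fi}
```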
@@ -4,5 +4,32 @@
 # If you change this key, all old signed cookies will become invalid!
 # Make sure the secret is at least 30 characters and all random,
 # no regular words or you'll be exposed to dictionary attacks.
-Errbit::Application.config.secret_token = ENV['SECRET_TOKEN'] || '6b74778101638fa9c156b3928c9492fb2481ab842538bea838d21f9c9993f649f5806449584266d413d0b2f1104162b3066a86512ed71ededd627cd41f939614'
+# Everyone can share the same token for development/test
+if %w(development test).include? Rails.env
+  Errbit::Application.config.secret_token = 'f258ed69266dc8ad0ca79363c3d2f945c388a9c5920fc9a1ae99a98fbb619f135001c6434849b625884a9405a60cd3d50fc3e3b07ecd38cbed7406a4fccdb59c'
+else
+
+  if ![nil, ''].include?(ENV['SECRET_TOKEN'])
+    Errbit::Application.config.secret_token = ENV['SECRET_TOKEN']
+
+  else
+    raise <<-ERROR
+
+    You must generate a unique secret token for your Errbit instance.
+
+    If you are deploying via capistrano, please ensure that your `config/deploy.rb` contains
+    the new `errbit:setup_configs` and `errbit:symlink_configs` tasks from `config/deploy.example.rb`.
+    Next time you deploy, your secret token will be automatically generated.
+
+    If you are deploying to Heroku, please run the following command to set your secret token:
+      heroku config:add SECRET_TOKEN="$(bundle exec rake secret)"
+
+    If you are deploying in some other way, please run the following command to generate a new secret token,
+    and commit the new `config/initializers/secret_token.rb`:
+
+      echo "Errbit::Application.config.secret_token = '$(bundle exec rake secret)'" > config/initializers/secret_token.rb
+
+    ERROR
+  end
+end
 
-- 
libgit2 0.21.2
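Review bot: The `else` branch accepts any non-empty `ENV['SECRET_TOKEN']` without checking its length, although the comment kept three lines above requires at least 30 random characters, so a short or whitespace-only value is used silently. I'd replace `if ![nil, ''].include?(ENV['SECRET_TOKEN'])` with `if ENV['SECRET_TOKEN'].present?` and add inside that branch `raise 'SECRET_TOKEN must be at least 30 characters' if ENV['SECRET_TOKEN'].length < 30`. The Capistrano path in the previous file symlinks a generated file over this initializer, so these checks would cover only the ENV route. A comment above the `raise` stating that outside development/test the app deliberately refuses to boot without a token, instead of falling back to a shared default as the removed line did, would make that intent explicit for the next reader.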