Ensure each Errbit deployment has a unique secret token

Otherwise cookies can be hijacked.

Ensure each Errbit deployment has a unique secret token
Otherwise cookies can be hijacked.
Nathan Broadbent
1 parent 879d75fb
Showing 3 changed files with 42 additions and 9 deletions Show diff stats
README.md
config/deploy.example.rb
config/initializers/secret_token.rb
@@ -124,21 +124,19 @@ rake errbit:bootstrap
 script/rails server
 ```
-**Deploying:**
+Deploying:
+----------
-  * Bootstrap Errbit. This will copy over config.yml and also seed the database.
-
-```bash
-rake errbit:bootstrap
-```
-
-  * Update the deploy.rb file with information about your server
+  * Copy `config/deploy.example.rb` to `config/deploy.rb`
+  * Update the `deploy.rb` or `config.yml` file with information about your server
   * Setup server and deploy
 ```bash
 cap deploy:setup deploy
 ```
+(Note: The capistrano deploy script will automatically generate a unique secret token.)
+
 **Deploying to Heroku:**
   * Clone the repository
@@ -155,6 +153,7 @@ heroku create example-errbit --stack cedar
 heroku addons:add mongolab:starter
 heroku addons:add sendgrid:starter
 heroku config:add HEROKU=true
+heroku config:add SECRET_TOKEN="$(bundle exec rake secret)"
 heroku config:add ERRBIT_HOST=some-hostname.example.com
 heroku config:add ERRBIT_EMAIL_FROM=example@example.com
 git push heroku master
@@ -56,6 +56,12 @@ namespace :errbit do
     run "mkdir -p #{shared_configs}"
     run "if [ ! -f #{shared_configs}/config.yml ]; then cp #{latest_release}/config/config.example.yml #{shared_configs}/config.yml; fi"
     run "if [ ! -f #{shared_configs}/mongoid.yml ]; then cp #{latest_release}/config/mongoid.example.yml #{shared_configs}/mongoid.yml; fi"
+
+    # Generate unique secret token
+    run %Q{if [ ! -f #{shared_configs}/secret_token.rb ]; then
+      cd #{current_release};
+      echo "Errbit::Application.config.secret_token = '$(bundle exec rake secret)'" > #{shared_configs}/secret_token.rb;
+    fi}.compact
   end
   task :symlink_configs do
@@ -64,6 +70,7 @@ namespace :errbit do
     release_configs = File.join(release_path,'config')
     run("ln -nfs #{shared_configs}/config.yml #{release_configs}/config.yml")
     run("ln -nfs #{shared_configs}/mongoid.yml #{release_configs}/mongoid.yml")
+    run("ln -nfs #{shared_configs}/secret_token.rb #{release_configs}/initializers/secret_token.rb")
   end
 end
@@ -4,5 +4,32 @@
 # If you change this key, all old signed cookies will become invalid!
 # Make sure the secret is at least 30 characters and all random,
 # no regular words or you'll be exposed to dictionary attacks.
-Errbit::Application.config.secret_token = ENV['SECRET_TOKEN'] || '6b74778101638fa9c156b3928c9492fb2481ab842538bea838d21f9c9993f649f5806449584266d413d0b2f1104162b3066a86512ed71ededd627cd41f939614'
+# Everyone can share the same token for development/test
+if %w(development test).include? Rails.env
+  Errbit::Application.config.secret_token = 'f258ed69266dc8ad0ca79363c3d2f945c388a9c5920fc9a1ae99a98fbb619f135001c6434849b625884a9405a60cd3d50fc3e3b07ecd38cbed7406a4fccdb59c'
+else
+
+  if ![nil, ''].include?(ENV['SECRET_TOKEN'])
+    Errbit::Application.config.secret_token = ENV['SECRET_TOKEN']
+
+  else
+    raise <<-ERROR
+
+  You must generate a unique secret token for your Errbit instance.
+
+  If you are deploying via capistrano, please ensure that your `config/deploy.rb` contains
+  the new `errbit:setup_configs` and `errbit:symlink_configs` tasks from `config/deploy.example.rb`.
+  Next time you deploy, your secret token will be automatically generated.
+
+  If you are deploying to Heroku, please run the following command to set your secret token:
+      heroku config:add SECRET_TOKEN="$(bundle exec rake secret)"
+
+  If you are deploying in some other way, please run the following command to generate a new secret token,
+  and commit the new `config/initializers/secret_token.rb`:
+
+      echo "Errbit::Application.config.secret_token = '$(bundle exec rake secret)'" > config/initializers/secret_token.rb
+
+  ERROR
+  end
+end
	@@ -4,5 +4,32 @@		@@ -4,5 +4,32 @@
4	# If you change this key, all old signed cookies will become invalid!	4	# If you change this key, all old signed cookies will become invalid!
5	# Make sure the secret is at least 30 characters and all random,	5	# Make sure the secret is at least 30 characters and all random,
6	# no regular words or you'll be exposed to dictionary attacks.	6	# no regular words or you'll be exposed to dictionary attacks.
7	-Errbit::Application.config.secret_token = ENV['SECRET_TOKEN'] \|\| '6b74778101638fa9c156b3928c9492fb2481ab842538bea838d21f9c9993f649f5806449584266d413d0b2f1104162b3066a86512ed71ededd627cd41f939614'
8		7
		8	+# Everyone can share the same token for development/test
		9	+if %w(development test).include? Rails.env
		10	+ Errbit::Application.config.secret_token = 'f258ed69266dc8ad0ca79363c3d2f945c388a9c5920fc9a1ae99a98fbb619f135001c6434849b625884a9405a60cd3d50fc3e3b07ecd38cbed7406a4fccdb59c'
		11	+else
		12	+
		13	+ if ![nil, ''].include?(ENV['SECRET_TOKEN'])
		14	+ Errbit::Application.config.secret_token = ENV['SECRET_TOKEN']
		15	+
		16	+ else
		17	+ raise <<-ERROR
		18	+
		19	+ You must generate a unique secret token for your Errbit instance.
		20	+
		21	+ If you are deploying via capistrano, please ensure that your `config/deploy.rb` contains
		22	+ the new `errbit:setup_configs` and `errbit:symlink_configs` tasks from `config/deploy.example.rb`.
		23	+ Next time you deploy, your secret token will be automatically generated.
		24	+
		25	+ If you are deploying to Heroku, please run the following command to set your secret token:
		26	+ heroku config:add SECRET_TOKEN="$(bundle exec rake secret)"
		27	+
		28	+ If you are deploying in some other way, please run the following command to generate a new secret token,
		29	+ and commit the new `config/initializers/secret_token.rb`:
		30	+
		31	+ echo "Errbit::Application.config.secret_token = '$(bundle exec rake secret)'" > config/initializers/secret_token.rb
		32	+
		33	+ ERROR
		34	+ end
		35	+end