I'm using HTTP auth in a Rails app and I need to use .env files in order to keep my passwords secure.
I know I need to use them along with .gitignore and the .env file to do this, but I have no idea how.
You can use the dotenv gem to save environment variables in .env. I think it's pretty easy to start.
With .env files, it was easy to inject variables into webpacker JS packs. Since 5.2, you can use the encrypted secrets, but is there a way to read (decrypt) them and inject some of them at webpacker build time?
You can read from credentials and pass that value to Webpacker.
Create a config/initializers/webpacker.rb file.
Pass it to the Webpacker::Compiler through file above.
Webpacker::Compiler.env['VALUE'] = Rails.application.credentials.dig(:value)
Read it as console.log(process.env.VALUE).
If you want to try it on development, you need to add these to the bin/webpack-dev-server:
require_relative '../config/application'
Rails.application.initialize!
Sources:
http://translate.google.com/translate?hl=&sl=ja&tl=en&u=https%3A%2F%2Fqiita.com%2Ftakeyuweb%2Fitems%2F61e6ba07fe0df3079041
https://github.com/rails/webpacker/issues/2794
https://github.com/rails/webpacker/blob/830f47695ea3f40dcbab5ee117769ab67b96af36/docs/env.md
I updated my Rails app from 5.1.6 to 5.2.1 and we were using secrets before. We'd like to switch to credentials since it was supposed to replace secrets. There are a couple of things I'm wondering:
1) Is there a "Railsy" way to do this? I'm aware I can just edit the secrets and copy the contents over to the credentials, but I'm not sure if that's the right way to do it since I couldn't find anything that talks about this. Also, I tried copying the encrypted content from secrets.yml.enc and pasting it into credentials.yml.enc, but that didn't work; I ran into some issues with the encryption.
2) Related to the first point, am I supposed to still be able to use secrets in 5.2.1? I thought credentials was supposed to replace secrets, so I was surprised I could still use secrets and all my tests are passing.
Thanks for any info or help on this!
Back up your config/secrets.yml. Scaffold a temporary vanilla Rails 5.2.1 project via rails new. Copy config/master.key and config/credentials.yml.enc from it to your existing Rails project. Edit these credentials, e.g. in Ubuntu, via:
EDITOR="gedit --wait" bin/rails credentials:edit
Replace the secret_key_base (new flat format preferred, optional for all environments) from the old secrets.yml and/or paste whatever else you need as a secret into it and save it. Delete config/secrets.yml and the temporary Rails project. Access the secrets in your code, e.g. via:
Rails.application.credentials.secret_key_base
Ensure that your upgraded Rails 5.1.6 project uses the master key in config/environments/*.rb:
Rails.application.configure do
...
config.require_master_key = true
...
end
Restart the Rails server. Don't forget to .gitignore and .dockerignore the config/master.key!
When installing Figaro gem, an application.yml is automatically created. And inside this file I planned on storing login credentials for SendGrid.
But by default in the rails application, there is another secrets.yml file, with the secret_key_base.
I'm a little confused about their relationship.
My question: Is it necessary to have both? Can I combine them? Should both be added to .gitignore?
You can leave it there as it is, just put the new variables into the application.yml and make sure you gitignore both files since you need those only for localhost. For production you have to put the keys in a different place based on the service. I'm using Heroku and have to save production variables from the terminal.
With the release of the secrets.yml file, I removed my reliance on Figaro and moved all of my keys to secrets.yml and added that file to .gitignore.
But when I tried to push to Heroku, Heroku said they needed that file in my repo in order to deploy the website, which makes sense, but I don't want my keys in git if I can avoid it.
With Figaro, I would run a rake task to deploy the keys to Heroku as env variables and keep application.yml in the .gitignore. Obviously, I can't do that anymore. So how do I handle this?
Secrets isn't a full solution to the environment variables problem and it's not a direct replacement for something like Figaro. Think of Secrets as an extra interface you're now supposed to use between your app and the broader world of environment variables. That's why you're now supposed to call variables by using Rails.application.secrets.your_variable instead of ENV["your_variable"].
The secrets.yml file itself is that interface and it's not meant to contain actual secrets (it's not well named). You can see this because, even in the examples from the documentation, Secrets imports environment variables for any sensitive values (e.g. the SECRET_KEY_BASE value) and it's automatically checked into source control.
So rather than trying to hack Secrets into some sort of full-flow environment variable management solution, go with the flow:
Pull anything sensitive out of secrets.yml.
Check secrets.yml into source control like they default you to.
For all sensitive values, import them from normal environment variables into secrets.yml via ERB (e.g. some_var: <%= ENV["some_var"] %>)
Manage those ENV vars as you normally would, for instance using the Figaro gem.
Send the ENV vars up to Heroku as you normally would, for instance using the Figaro gem's rake task.
The point is, it doesn't matter how you manage your ENV vars -- whether it's manually, using Figaro, a .env file, whatever... secrets.yml is just an interface that translates these ENV vars into your Rails app.
Though it adds an extra step of abstraction and some additional work, there are advantages to using this interface approach.
Whether you believe it's conceptually a good idea or not to use Secrets, it'll save you a LOT of headache to just go with the flow on this one.
PS. If you do choose to hack it, be careful with the heroku_secrets gem. As of this writing, it runs as a before_initialize in the startup sequence so your ENV vars will NOT be available to any config files in your config/environments/ directory (which is where you commonly would put them for things like Amazon S3 keys).
An equivalent for secrets.yml of that Figaro task is provided by the heroku_secrets gem, from https://github.com/alexpeattie/heroku_secrets:
gem 'heroku_secrets', github: 'alexpeattie/heroku_secrets'
This lets you run
rake heroku:secrets RAILS_ENV=production
to make the contents of secrets.yml available to Heroku as environment variables.
See this link for Heroku settings.
If you want to run it locally, use it like this:
KEY=xyz OTHER_KEY=123 rails s
The Heroku docs suggest one way of managing config vars: http://devcenter.heroku.com/articles/config-vars
I guess this works well for API keys, but seems clunky for other environment config info.
Are there any recommendations or better ways of doing this?
Thanks
I haven't ever found it clunky, but I use Heroku config vars for API keys and stuff which I don't want committed into a git repo, and the relevant environment .rb file for application config stuff specific to each environment.
You can always use https://github.com/fastestforward/heroku_san which lets you set config vars in a yml file which can be run against an app to set the vars without having to do it via the CLI.
Figaro is another gem which helps us to manage this stuff.