What is the Rails secret token and how do I set it? - ruby-on-rails

I am trying to create a Rails app under Phusion Passenger, and have run into the missing secret_key_base error. I have Googled this error and found no clear explanation of what the secret token/key is, how I set it, or what it's for -- only scraps here and there, all assuming that I already know something else, making it impossible to really figure out what's going on. Nor does either of the two books I bought on Rails discuss this.
What is the secret token?
What is it for?
How do I set it upon creating a new app?

The secret token is a string of random characters which looks like this:
82d58d3dfb18768b495n311eb8539edf5064784h1d58994679db8363ec241c745cef0b419bfe44d66cbf91a2f4e497d8f6b1ef1226e3f405b0d263a9617ac75e
When you create a new Rails application, this token is created by default and stored in <application folder>/config/initializers/secret_token.rb. This token is used to verify the integrity of signed cookies (any cookie set by your Rails application is signed using this token).
Like I pointed out, it's usually created in a new Rails application, but if you face any issues with the token, you may try creating a new token and manually pasting it into your secret_token.rb file. Use the command rake secret to create a new secret token.

Related

Mailchimp Keeps disabling my API key, when I try to use signup form in my rails application

I am a noob at RoR, so forgive me if this is a stupid question.
I am trying to have user subscription form in my simple app.
I basically followed this guide to get it work
http://cheshireoctopus.github.io/blog/2014/01/23/mailchimp-plus-gibbon-plus-rails-create-a-basic-sign-up-form/
My code is working and I can sign up with the form; however, I keep getting an email from MailChimp telling me that my key has been compromised. Sometimes I get this email after I try to send some test subscription, other times I just get it after I change my API key again.
I wanted to reach out to you to let you know that we had to disable an active API Key in your MailChimp account with the account name MYACCOUNTNAME.
We were able to find your API Key posted publicly, which gives someone full access to your account. Since it's been disabled, we don't recommend re-enabling it. Instead, you'll need to generate a new API Key in your account.
Am I supposed to somehow encrypt my key or something? By the way, my app is on Heroku. So how do I stop my keys from being disabled?
You probably host your code on GitHub, and, as the repository is public, even Google robots can index it. Scammers can use your credentials as well.
There is nothing bad about hosting a repository on GitHub, though. Just use environment variables instead of storing the credentials in the code.
config/initializers/gibbon.rb:
# ENV keys are strings, not symbols; ENV[:api_key] would raise a TypeError.
Gibbon::API.api_key = ENV["api_key"]
To set the environment variable on Heroku:
heroku config:set api_key=<your key>
Okay, I have figured this out.
For the production environment (Heroku), I followed the solution that Roman provided above.
For my local environment, I installed the Figaro gem, which basically keeps my API key secret in an application.yml file in the config folder. It works great.
https://github.com/laserlemon/figaro
Here is my gibbon.rb initializer file in case anyone is wondering:
if Rails.env.development?
  # Local key, loaded from config/application.yml by Figaro
  Gibbon::API.api_key = ENV["MC_key"]
end
if Rails.env.production?
  # Heroku config var; ENV keys must be strings, so ENV[:api_key] would raise
  Gibbon::API.api_key = ENV["api_key"]
end
Gibbon::API.timeout = 15
Gibbon::API.throws_exceptions = false
Where MC_key is the variable in my application.yml and api_key is the ENV in Heroku.
Hope this helps others!

Generating Firebase Auth Tokens in Rails

I'm trying to set up some simple security rules for my Firebase (essentially, any authorized user can read/write), which I'm using with a Rails application that uses Devise for user authentication. However, I'm having trouble understanding how the process of generating tokens works.
I found the Ruby gem here:
https://github.com/firebase/firebase-token-generator-ruby
However, I'm not sure where I'm supposed to put this snippet of Ruby code:
require "firebase_token_generator"
arbitraryAuthPayload = {:auth_data => "foo", :other_auth_data => "bar"}
generator = Firebase::FirebaseTokenGenerator.new("<YOUR_FIREBASE_SECRET>")
token = generator.create_token(arbitraryAuthPayload)
Do I just put it in an initializer along with a variable for user_id?
Also, I saw that tokens expire after 24 hours. Does that mean this token generator will automatically generate a new token for each client with an expired token?
Thanks
If the clients need to read/write from Firebase directly they will need to have that token to auth to Firebase before they can, so it would probably be a good idea to generate a token wherever you're handling user authentication / initialization.
As you mentioned, the default session length is 24 hours, so after that they will need a new token. You can specify a different expiry time, up to any future date, by passing a second options parameter with an :expires key to the create_token method, as mentioned in the README. That way you can set it for, say, 30 days in the future, or whatever your normal session length is, or you could create an endpoint that returns a valid token and handle the expiration gracefully on the frontend.
If the Ruby server is the only thing accessing Firebase, things are a little easier - you could just create a server token once and allow it read/write access to the whole Firebase.

Does Rails secret token have to be unique for each rails app?

In secret_token.rb under the Rails initializers, there is a secret token appearing as a string of random characters and numbers which must be 30 characters or longer. For maximum security, does this secret token have to be unique for each and every Rails app deployed? We plan to use a Rails template which may have the same secret token for every app developed from the same template. Thanks so much.
Yesterday I was reading an article about security, and I believe it is important to ensure the uniqueness of your secret_token.
You can use any previous project as a template (everybody does that), but for security reasons you should generate a new secret_token.
In this article, they explain how to generate a new secret_token through the vegas gem. I haven't tried it yet....
Also take a look at the links below:
Ruby on Rails config.secret_token error
When you have a secret key in your project, how can pushing to GitHub be possible?
I hope it helps...

Rails secret token

I'm quite confused about what secret_token is used for in Rails. Can anyone explain what it is used for? Is it OK to put this token in a public source repository and use it in production, or should I change it before deploying my app to prevent some kinds of attacks?
Answering my own question - secret_token is used to prevent cookie tampering in Rails. Every cookie has a checksum saved with it, so users can't modify cookie contents (and change the saved user id to steal someone's account, for example). The checksum is based on the cookie contents and secret_token, so if you are using cookie-based sessions you should always make sure your secret_token is really secret; otherwise you can't trust that anything you put into the session came back unchanged.

When open-sourcing a live Rails app, is it dangerous to leave the session key secret in source control?

I've got a Rails app that's been running live for some time, and I'm planning to open source it in the near future. I'm wondering how dangerous it is to leave the session key store secret in source control while the app is live.
If it's dangerous, how do people usually handle this problem? I'd guess that it's easiest to just move the string to a text file that's ignored by the SCM, and read it in later.
Just for clarity, I'm talking about this:
# Your secret key for verifying cookie session data integrity.
# If you change this key, all old sessions will become invalid!
# Make sure the secret is at least 30 characters and all random,
# no regular words or you'll be exposed to dictionary attacks.
ActionController::Base.session = {
:key => '_application_session',
:secret => '(long, unique string)'
}
And while we're on the subject, is there anything else in a default Rails app that should be protected when open sourcing a live app?
Flip the question around. Would you reuse a secret key from someone else's project that you just downloaded? Probably not, and other smart users of your code won't either. Malicious users will then have a key to use as an attack on your main site, as well as against any users lazy enough to not change the key.
Other config files you might have which should not be shared include database.yml, s3.yml, amazon_s3.yml, etc. If you wouldn't mail it to a stranger, don't keep it in your scm when you unleash your code to the world.
I'd put this into a config file. You'll probably need some config settings anyway, so why not put it there and add a comment that this should be modified when the user installs the software.
Some sample code and some experiences on working with existing sessions if you are updating an already existing application can be found at Michael Hartl's blog post Security issue with Rails secret session keys.