This repository has been archived by the owner on Aug 2, 2019. It is now read-only.

Not so much as a question: secret token #36

Open
frank0051 opened this issue Feb 2, 2013 · 3 comments

Comments

@frank0051

So, I'm pretty new to Ruby on Rails and I've been attempting to get a demo of this up and running on Engine Yard. I forked the project, connected to it, have the app and DB instance running, but the deploy of HEAD keeps failing. The log says:

rake aborted!
SECRET_TOKEN environment variable must be set!

In various spots. So:

  1. What's the deal with this SECRET_TOKEN?
  2. Any ideas what to do in Engine Yard? I tried to SSH in after following their instructions, but it gives me an error saying no address associated with name.

Appreciate any thoughts as to how to get this up and running so I can play around with it.

@tomwolfe

I'm not sure about Engine Yard, but I was having trouble with pushing to heroku and found a solution: errbit/errbit#381

@sapid

sapid commented Apr 3, 2013

Secret tokens are used by many web frameworks (including RoR, to my knowledge) for signing cookies (HMAC, I think) to prevent users from tampering with the data in them.

Without looking into it directly (I'm not familiar with Engine Yard either), I think you should be able to solve your problem by running rake secret. Alternatively, you may also be able to solve it by putting something random in config/initializers/secret_token.rb (such as with #{ActiveSupport::SecureRandom.hex(64)}), so the file should look something like:
Yourapp::Application.config.secret_token = '921b00fcfabe0368d70627020f3b4c969cfd9bdc2474f4040c1ae976f687014694beb5d36dfc0c41bac8ebde96a14fceaee228d6e34d8183c5d7cc99d310d4f9'

If setting $SECRET_TOKEN in your environment is an option, that should work, too.

Secret Tokens can't be included in the repository because then they aren't secret anymore; unfortunately, this is one of those things that you have to perform at install time instead.

@monfresh
Member

@frank0051 Whenever you have sensitive information in your app, such as API keys, passwords, or secret tokens, it's recommended to store them in an environment variable. So, instead of having the actual secret token in the source code, you would replace it with ENV['SECRET_TOKEN'], as is done in this file: https://github.com/codeforamerica/opencounter/blob/master/config/initializers/secret_token.rb

For your app to know what the value of the environment variable is, you have to set it in your working environment. When you're using the app on your local machine, the easiest way to set environment variables is to use the figaro gem. It creates a local application.yml file for you where you can set all your env variables, and it automatically adds it to the .gitignore file so that it never gets committed to a public repository like GitHub. Alternatively, you can set environment variables from the command line from your app's directory by running this command:

export NAME_OF_ENV_VAR=value_of_env_var

For example, to set an env var for the secret token, generate a new random one:

rake secret

Then set it:

export SECRET_TOKEN=your_secret_token

where your_secret_token is the actual long string of characters that you got after running rake secret.

To check the value of the SECRET_TOKEN environment variable (only when you set it from the command line):

echo $SECRET_TOKEN

Before deploying an app to a hosting service like Heroku or Engine Yard, you have to set the environment variable on the production server first. On Heroku, you do it like this from the command line:

heroku config:set SECRET_TOKEN=your_secret_token

I'm not familiar with Engine Yard, so I don't know the exact command, but I'm sure there's a similar command you can run. Just search for "how to set an environment variable on Engine Yard" or something like that.

I hope this helps.
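Added example (my own code, not from the opencounter repository or Rails): the fail-fast ENV pattern monfresh describes, alongside the cookie-signing use of the token that sapid mentions. load_secret_token, generate_secret_token, sign_cookie, verify_cookie and MIN_TOKEN_LENGTH are hypothetical names, and the "value--tag" cookie format is a simplified stand-in for what Rails actually does internally.

```ruby
require 'securerandom'
require 'openssl'

# Assumption: refuse tokens shorter than this (rake secret yields 128 hex chars).
MIN_TOKEN_LENGTH = 64

# Read the token from an env hash (ENV by default) and fail fast with the
# same message the deploy log shows when it is absent.
def load_secret_token(env = ENV)
  token = env['SECRET_TOKEN'].to_s
  raise 'SECRET_TOKEN environment variable must be set!' if token.empty?
  raise 'SECRET_TOKEN is too short to be safe' if token.length < MIN_TOKEN_LENGTH
  token
end

# What `rake secret` produces: 64 random bytes rendered as 128 hex characters.
def generate_secret_token
  SecureRandom.hex(64)
end

# Constant-time comparison so verification does not leak where two tags differ.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Produce "value--tag" with tag = HMAC-SHA256(token, value). The tag lets the
# server detect modification; it does not hide the value from the client.
def sign_cookie(value, token)
  "#{value}--#{OpenSSL::HMAC.hexdigest('SHA256', token, value)}"
end

# Return the original value, or nil when the tag is missing, does not match
# (client tampered) or was made with a different token (rotated/other app).
def verify_cookie(signed, token)
  value, sep, tag = signed.rpartition('--')
  return nil if sep.empty?
  expected = OpenSSL::HMAC.hexdigest('SHA256', token, value)
  secure_equal?(tag, expected) ? value : nil
end

if __FILE__ == $PROGRAM_NAME
  token = ENV.key?('SECRET_TOKEN') ? load_secret_token : generate_secret_token  # demo fallback
  cookie = sign_cookie('user_id=42', token)
  puts cookie
  puts verify_cookie(cookie, token).inspect                 # "user_id=42"
  puts verify_cookie(cookie.sub('42', '43'), token).inspect # nil
end
```

Committing a literal token to the initializer instead of reading ENV means anyone with repository access can forge signed cookies, which is the point sapid makes about tokens in the repository no longer being secret.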
