Add support for Rails 4.1 secrets. #2835

Merged
merged 1 commit into from

4 participants

@lucasmazza
Owner

This is a first spike for what @josevalim proposed on #2821. Upgrading existing apps will be simple - developers just need to move their keys to the secrets.yml - but on fresh apps it's required to add the secret_key key manually. We could still generate a token inside the initializer as a fallback (so the app can boot without this step) or figure out an automatic way of placing the token on the application configuration.

@josevalim
Owner

Nice! A couple things:

  1. Pepper exists only for backwards compatibility, I would not include it
  2. We can re-use the app secret from Rails by default since from Rails 4.1 we derive secrets from the same key

So I guess we can read the Rails secret by default and leave config.secret_key for people that come from previous Rails versions where they have a different secret than the Rails one (and if they want, they can store their Devise secret in config/secrets.yml themselves).

What do you think?
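
An added example (not part of this pull request or of Devise's own code) of the precedence discussed above: an explicitly configured secret wins, otherwise the Rails `secret_key_base` is used, and token digests made under one secret stop verifying once the effective secret changes. The helper names, PBKDF2 parameters, salt strings and sample secrets are assumptions for illustration.

```ruby
require "openssl"

# Constructed sample secrets, not real keys.
RAILS_SECRET_KEY_BASE = "a" * 128
LEGACY_DEVISE_SECRET  = "b" * 128

# Hypothetical helper mirroring the precedence discussed in the thread:
# an explicitly configured secret_key wins, otherwise secret_key_base is used.
def effective_secret(configured_secret_key, secret_key_base)
  configured_secret_key || secret_key_base
end

# Derive a per-purpose key from the one base secret (parameters are assumptions).
def derive_key(secret, purpose, iterations: 1000, length: 32)
  OpenSSL::PKCS5.pbkdf2_hmac(secret, purpose, iterations, length,
                             OpenSSL::Digest.new("SHA256"))
end

# Digest that would be stored in the database instead of the raw token.
def token_digest(secret, column, raw_token)
  OpenSSL::HMAC.hexdigest("SHA256", derive_key(secret, "token #{column}"), raw_token)
end

# Constant-time comparison so verification does not leak matching prefixes.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def token_valid?(secret, column, raw_token, stored_digest)
  secure_compare(token_digest(secret, column, raw_token), stored_digest)
end

# A reset token issued while the app still used its own Devise secret.
RAW_TOKEN = "constructed-raw-token"
STORED    = token_digest(LEGACY_DEVISE_SECRET, :reset_password_token, RAW_TOKEN)

# Upgraded app that keeps its explicit secret: the stored digest still verifies.
kept    = effective_secret(LEGACY_DEVISE_SECRET, RAILS_SECRET_KEY_BASE)
# Same app with the override removed: it silently switches to secret_key_base.
dropped = effective_secret(nil, RAILS_SECRET_KEY_BASE)

puts "override kept:    #{token_valid?(kept, :reset_password_token, RAW_TOKEN, STORED)}"
puts "override dropped: #{token_valid?(dropped, :reset_password_token, RAW_TOKEN, STORED)}"
```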

@lucasmazza lucasmazza Read the `secret_key` value from Rails `secret_key_base`.
It is possible to override this by setting the `secret_key` manually
on the `devise.rb` initializer on your application.
eba91e6
@lucasmazza
Owner

@josevalim just updated the PR with the new approach: the secret_key_base will be reused on 4+ apps as our secret_key.

@josevalim
Owner

:heart: :green_heart: :blue_heart: :yellow_heart: :purple_heart:

@josevalim
Owner

:shipit:

@josevalim josevalim merged commit 7a9ae13 into master
@josevalim josevalim deleted the secrets branch
@arthurnn arthurnn referenced this pull request in errbit/errbit
Merged

update configs for rails 4.1 #778

@redbar0n

With the if-condition in devise.rb I got this error:

/.rvm/gems/ruby-2.0.0-p247/gems/activesupport-3.2.13/lib/active_support/dependencies.rb:245:in `load': /Users/Magne/Workspace/bloggery/config/initializers/devise.rb:9: syntax error, unexpected '<' (SyntaxError)
<% if rails_4? -%>
^
/projectname/config/initializers/devise.rb:9: syntax error, unexpected tFID, expecting keyword_end
<% if rails_4? -%>
^

So it doesn't seem to be as backwards compatible as intended.

I fixed it and submitted this pull request: #3451

Commits on Jan 22, 2014
  1. @lucasmazza

    Read the `secret_key` value from Rails `secret_key_base`.

    It is possible to override this by setting the `secret_key` manually
    on the `devise.rb` initializer on your application.

    lucasmazza authored
6 CHANGELOG.md
@@ -1,3 +1,9 @@
+### Unreleased
+
+* enhancements
+ * Devise will use the `secret_key_base` on Rails 4+ applications as its `secret_key`.
+ You can change this and use your own secret by changing the `devise.rb` initializer.
+
### 3.2.2
* bug fix
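Review bot: the new entry says the secret can be changed "by changing the `devise.rb` initializer" but does not name the setting or say which value wins. Suggest stating that an explicit `config.secret_key` takes precedence over `secret_key_base`, so people upgrading with confirmation, reset password or unlock tokens already in the database know to keep their existing key.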
8 lib/devise/rails.rb
@@ -29,7 +29,13 @@ class Engine < ::Rails::Engine
end
end
- initializer "devise.secret_key" do
+ config.after_initialize do |app|
+ if app.respond_to?(:secrets)
+ Devise.secret_key ||= app.secrets.secret_key_base
+ elsif app.config.respond_to?(:secret_key_base)
+ Devise.secret_key ||= app.config.secret_key_base
+ end
+
Devise.token_generator ||=
if secret_key = Devise.secret_key
Devise::TokenGenerator.new(
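Review bot: in the `if app.respond_to?(:secrets)` / `elsif app.config.respond_to?(:secret_key_base)` chain, the `elsif` branch is skipped whenever the app responds to `secrets`, so if `app.secrets.secret_key_base` comes back nil while `app.config.secret_key_base` is set, `Devise.secret_key` stays nil. Two independent `||=` assignments instead of `if`/`elsif` would cover that case. It is also worth confirming that nothing reads `Devise.secret_key` or `Devise.token_generator` before `config.after_initialize` runs, since this replaces `initializer "devise.secret_key"` and therefore runs later in boot.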
4 lib/generators/devise/install_generator.rb
@@ -20,6 +20,10 @@ def copy_locale
def show_readme
readme "README" if behavior == :invoke
end
+
+ def rails_4?
+ Rails::VERSION::MAJOR == 4
+ end
end
end
end
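Review bot: `rails_4?` tests `Rails::VERSION::MAJOR == 4`, so on any later major version the template takes the `else` branch and writes an uncommented `config.secret_key` again. `Rails::VERSION::MAJOR >= 4` would match the "Rails 4+" wording in the CHANGELOG entry. The helper is also added right after `show_readme` with no visibility change in the visible lines; if this section is public, the generator may treat it as a step to run, so placing it under `private` or `no_tasks` would be safer.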
4 lib/generators/templates/devise.rb
@@ -4,7 +4,11 @@
# The secret key used by Devise. Devise uses this key to generate
# random tokens. Changing this key will render invalid all existing
# confirmation, reset password and unlock tokens in the database.
+<% if rails_4? -%>
+ # config.secret_key = '<%= SecureRandom.hex(64) %>'
+<% else -%>
config.secret_key = '<%= SecureRandom.hex(64) %>'
+<% end -%>
# ==> Mailer Configuration
# Configure the e-mail address which will be shown in Devise::Mailer,
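Review bot: with the `<% if rails_4? -%>` / `<% else -%>` / `<% end -%>` tags this file is only valid Ruby after ERB rendering, so please check that every path that installs it renders it as a template rather than copying it verbatim; the SyntaxError reported in this thread at `devise.rb:9` is what an unrendered copy looks like. Separately, on the Rails 4 branch the comment block above still reads as if the key is always set; a line saying that Devise falls back to `secret_key_base` when `config.secret_key` is left commented out would help.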