Merge pull request #356 from pdostal/dotenv

Fix secret_token vulnerability #296
nukomeet · Dec 20, 2014 · 3eb2c76 · 3eb2c76
2 parents 9a9f17c + 2b51fdf
commit 3eb2c76
Show file tree

Hide file tree

Showing 6 changed files with 18 additions and 5 deletions.
diff --git a/.env.example b/.env.example
@@ -0,0 +1,2 @@
+# `rake secret`
+SECRET_TOKEN=
diff --git a/.gitignore b/.gitignore
@@ -76,3 +76,4 @@ db/*.sqlite3
 
 #zeus
 zeus.json
+.env
diff --git a/Gemfile b/Gemfile
@@ -70,3 +70,4 @@ gem 'omniauth-linkedin'
 gem 'linkedin'
 gem 'rinku'
 gem 'has_scope'
+gem 'dotenv-rails'
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -88,6 +88,8 @@ GEM
     diff-lcs (1.2.5)
     docile (1.1.3)
     dotenv (0.9.0)
+    dotenv-rails (0.9.0)
+      dotenv (= 0.9.0)
     email_spec (1.5.0)
       launchy (~> 2.1)
       mail (~> 2.2)
@@ -326,6 +328,7 @@ DEPENDENCIES
   database_cleaner
   devise
   devise_invitable
+  dotenv-rails
   email_spec
   execjs
   factory_girl_rails (>= 3.3.0)

diff --git a/README.md b/README.md
@@ -17,7 +17,7 @@ Happy contribution!
 
 Found a problem?
 
-First check that you are the only one to have spotted it by 
+First check that you are the only one to have spotted it by
 searching similar issues in the [issues list](https://github.com/nukomeet/coworfing/issues). If your issue is not listed, then create a bug report, with at least an explicit title and a descriptive text, the part of code posing a
 problem, and (it would be great) a unit test showing what goes wrong.
 
@@ -76,13 +76,13 @@ Then grab the code and deploy coworfing locally on your computer:
 
         bundle install
 
-- create a postgres user for the app 
-        
+- create a postgres user for the app
+
         su - postgres
         psql
         create role coworfing with createdb login password 'yourpassword';
 
-- you may have to edit your pg_hba.conf to be able to log to your database. [More details here](http://stackoverflow.com/questions/17443379/psql-fatal-peer-authentication-failed-for-user-dev). 
+- you may have to edit your pg_hba.conf to be able to log to your database. [More details here](http://stackoverflow.com/questions/17443379/psql-fatal-peer-authentication-failed-for-user-dev).
 
 - run
 
@@ -92,6 +92,12 @@ Then grab the code and deploy coworfing locally on your computer:
 
         RAILS_ENV=test rake db:create db:schema:load
 
+- you have to create `SECRET_TOKEN` for verifying the integrity of signed cookies
+
+        rake secret
+
+- finaly put your token to `.env` as `SECRET_TOKEN=###` (see `.env.example`)
+
 
 Coworfing is now deployed locally on your computer!
 

diff --git a/config/initializers/secret_token.rb b/config/initializers/secret_token.rb
@@ -4,4 +4,4 @@
 # If you change this key, all old signed cookies will become invalid!
 # Make sure the secret is at least 30 characters and all random,
 # no regular words or you'll be exposed to dictionary attacks.
-Coworfing::Application.config.secret_token = '625da242c5021a36780e9657a31299ec6c84a621c7f9140a5bb5f02fbe316b6fadbdbfc296f0a985aeff08d4db0f410d08eaf64e7f0f5e468579118c7120776c'
+Coworfing::Application.config.secret_token = ENV['SECRET_TOKEN']