From d03082680007d30b8883495c2ae5110daec14f71 Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 22 Mar 2017 10:34:12 +0100 Subject: upgrade: use rails4s 'secret_key_base' This will get us encrypted cookies but also requires changes to the platform. fixes #23 --- CHANGES.md | 22 ++++++++++++++++++++-- README.md | 6 +++--- config/defaults.yml | 4 ++-- config/initializers/secret_token.rb | 14 ++++++++++---- 4 files changed, 35 insertions(+), 11 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index b36cd18..bedc412 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -1,8 +1,26 @@ +version 0.9 (unreleased) - rails 4, twitter feed and deprecations +---------------------------------------------------- + +We have a great contribution from the Rails Girls Summer of Code again! +The landing page of the webapp can now include a twitter feed to display +news from the provider. +Other than that this is a maintainance and transition release. + +* Twitter feed on main page (thanks theaamanda and lilaluca). +* upgrade to rails 4.2 + +Upgrading: + +* We now use rails 4's `secret_key_base`. Please make sure to supply it + in config/config.yml for production environments. If you are using the + leap platform that will already take care of it. + + version 0.8 - email and RGSoC ------------------------------------------ -This release focused on getting all the features needed for a complete -email provider and merging in the work done by Rails Girls Summer of +This release focused on getting all the features needed for a complete +email provider and merging in the work done by Rails Girls Summer of Code. * Support for invite codes: admins can require that new diff --git a/README.md b/README.md index 3d56344..11b7a38 100644 --- a/README.md +++ b/README.md @@ -112,7 +112,7 @@ There are a few values you should make sure to modify: admins: ["myusername","otherusername"] domain: example.net force_ssl: true - secret_token: "4be2f60fafaf615bd4a13b96bfccf2c2c905898dad34" + secret_key_base: "e1c04f93edb26b64040ba49f34084b03abbc286a7fbb60b5b0736bed2d9fe3ec5f16ef4253b252080f3c8b52e11541d57adc8eee6e4bd53f3b568aced3455106" client_ca_key: "./test/files/ca.key" client_ca_cert: "./test/files/ca.key" ca_key_password: nil @@ -125,8 +125,8 @@ There are a few values you should make sure to modify: * `force_ssl`, if set to true, will require secure cookies and turn on HSTS. Don't do this if you are using a self-signed server certificate. -* `secret_token`, used for cookie security, you can create one with - `rake secret`. Should be at least 30 characters. +* `secret_key_base`, used for cookie security, you can create one with + `rake secret`. Should be at least 64 bytes hex. * `client_ca_key`, the private key of the CA used to generate client certificates. diff --git a/config/defaults.yml b/config/defaults.yml index 7e2ea58..52ad571 100644 --- a/config/defaults.yml +++ b/config/defaults.yml @@ -122,7 +122,7 @@ development: monitor: nil admin: nil domain: example.org - secret_token: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' + secret_key_base: "1a904c4222fe04548fbe7a3545c4d5210b0a31af1227cbbe304708cf08e5f3a4dffe56372c30aa5486bb8ad577bf86032e720c1513b61870dc1a480e813ffecd" reraise_errors: true test: @@ -138,7 +138,7 @@ test: allowed_ips: - 0.0.0.0 domain: test.me - secret_token: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' + secret_key_base: "e1c04f93edb26b64040ba49f34084b03abbc286a7fbb60b5b0736bed2d9fe3ec5f16ef4253b252080f3c8b52e11541d57adc8eee6e4bd53f3b568aced3455106" reraise_errors: true billing: {} default_locale: :en diff --git a/config/initializers/secret_token.rb b/config/initializers/secret_token.rb index bdd9b1c..4a2e6d7 100644 --- a/config/initializers/secret_token.rb +++ b/config/initializers/secret_token.rb @@ -5,8 +5,14 @@ # Make sure the secret is at least 30 characters and all random, # no regular words or you'll be exposed to dictionary attacks. -if token = APP_CONFIG[:secret_token] - LeapWeb::Application.config.secret_token = token -else - raise StandardError.new("No secret_token defined in config/config.yml - please provide one.") +unless APP_CONFIG[:secret_key_base] or APP_CONFIG[:secret_token] + raise StandardError.new("No secret_key_base or secret_token defined in config/config.yml - please provide one.") +end + +if APP_CONFIG[:secret_key_base] + LeapWeb::Application.config.secret_key_base = APP_CONFIG[:secret_key_base] +end + +if APP_CONFIG[:secret_token] + LeapWeb::Application.config.secret_token = APP_CONFIG[:secret_token] end -- cgit v1.2.3