From 7ec39aa4d1fcdcc0b6b5b5d18fa14ffc2d338925 Mon Sep 17 00:00:00 2001
From: Reinier Balt
Date: Tue, 7 May 2013 09:21:22 +0200
Subject: [PATCH] Use setting from stie.yml instead of hardcoded secret token
Fallback to randomly generated token, which is fine for development and test mode. (Sessions will be invalidated when the server reboots) Thanks @brynary
---
 config/initializers/secret_token.rb | 2 +-
 config/site.yml.tmpl | 45 +++++++++++++++++++----------
 2 files changed, 30 insertions(+), 17 deletions(-)
diff --git a/config/initializers/secret_token.rb b/config/initializers/secret_token.rb
index 40e49e58..7dd98da6 100644
--- a/config/initializers/secret_token.rb
+++ b/config/initializers/secret_token.rb
@@ -4,4 +4,4 @@
 # If you change this key, all old signed cookies will become invalid!
 # Make sure the secret is at least 30 characters and all random,
 # no regular words or you'll be exposed to dictionary attacks.
-Tracksapp::Application.config.secret_token = '978c88b98f3b7885b2e88a831545bd3c5d80d0f528b32096dafa7dc9010b2180e2391c059c5347a244709a2257e3d13f0841fbdc56e8052af3c3396916b5805b'
+Tracksapp::Application.config.secret_token = SITE_CONFIG["secret_token"] || SecureRandom.hex(64)
\ No newline at end of file
diff --git a/config/site.yml.tmpl b/config/site.yml.tmpl
index 892046b1..1ee2094a 100644
--- a/config/site.yml.tmpl
+++ b/config/site.yml.tmpl
@@ -8,12 +8,9 @@ authentication_schemes:
 - "database"
-#set the prefered authentication scheme to display first on the login page
-#prefered_auth: database
-
-
-# You''ll probably want to change this to the time zone of the computer where Tracks is running
-# run rake time:zones:local have Rails suggest time zone names on your system
+# You'll probably want to change this to the time zone of the computer where
+# Tracks is running. Run rake time:zones:local have Rails suggest time zone
+# names on your system
 time_zone: "UTC"
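Review bot: The `||` fallback on the new `+Tracksapp::Application.config.secret_token` line only triggers when the key is absent, so a site.yml copied from the template with its shipped `secret_token: "change-me"` value left in place, or set to an empty string, runs production with a known or empty cookie-signing secret and never reaches `SecureRandom.hex(64)`. The initializer should treat blank and placeholder values as unset and refuse to boot in production rather than silently generating a per-process token, which would also differ between app processes or hosts if more than one serves the same cookies. Anyone who deployed with the removed literal should rotate it as well, since that value is in the repository history. `SITE_CONFIG` is defined outside this hunk, so the shape of the loaded config is assumed here.
```ruby
# … unchanged: header comment …
token = SITE_CONFIG["secret_token"].to_s.strip
if token.empty? || token == "change-me"
  # Never run production on an unset or placeholder signing secret.
  raise "config/site.yml: secret_token is unset or still the template placeholder" if Rails.env.production?
  # Development/test only: throwaway per-boot secret (sessions reset on restart).
  token = SecureRandom.hex(64)
end
Tracksapp::Application.config.secret_token = token
```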
@@ -21,19 +18,33 @@ time_zone: "UTC"
 secure_cookies: false
-# Uncomment if you want to dispatch todos that come from email based on the To: address
-# rather than the From: address.
+# Your secret key for verifying the integrity of signed cookies.
+# If you change this key, all old signed cookies will become invalid!
+# Make sure the secret is at least 30 characters and all random,
+# no regular words or you'll be exposed to dictionary attacks.
+#
+# if you want a nice random key, run this in rails console and copy-and-paste
+# the result:
+#
+# SecureRandom.hex(64)
+#
+secret_token: "change-me"
+
+
+# Uncomment if you want to dispatch todos that come from email based on the To:
+# address rather than the From: address.
 # email_dispatch: 'to'
-# If you want to send all email to a specific user, uncomment the following line and
-# set the environment variable TRACKS_MAIL_RECEIVER to the login name of the user that
-# will receive all email
+
+# If you want to send all email to a specific user, uncomment the following line
+# and set the environment variable TRACKS_MAIL_RECEIVER to the login name of the
+# user that will receive all email
 # email_dispatch: 'single_user'
-# Set this to the subdirectory you're hosting tracks in and uncomment if applicable
-# NOTE: you will also need to set up your web server to deal with the relative
-# URL. Mongrel, for example, has a --prefix option.
+# Set this to the subdirectory you're hosting tracks in and uncomment if
+# applicable. NOTE: you will also need to set up your web server to deal with
+# the relative URL. Mongrel, for example, has a --prefix option.
 # subdir: "/tracks"
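Review bot: The new `+secret_token: "change-me"` line ships the placeholder as a live, uncommented value, so a copied template that is never edited hands the initializer a fixed, public string rather than a missing key, and the `config/initializers/secret_token.rb` change in this same patch only falls back to a random token when the key is nil. Ship it commented out, `# secret_token: "paste-the-output-of-SecureRandom.hex(64)-here"`, so an unedited copy yields no key, and state plainly in the comment above it that a unique value must be set before the app is exposed to users. The comment should also say to keep the pasted value inside quotes so YAML always reads it as a string.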
@@ -41,11 +52,13 @@ secure_cookies: false
 open_signups: false
-# When integrating your tracks instance with http://cloudmailin.com/ by using the /integrations/cloudmailin URL,
-# this value is the cloudmailin-secret for verifying the authenticity of the request.
+# When integrating your tracks instance with http://cloudmailin.com/ by using
+# the /integrations/cloudmailin URL, this value is the cloudmailin-secret for
+# verifying the authenticity of the request.
 # (see http://docs.cloudmailin.com/validating_the_sender)
 # cloudmailin: asdasd
+
 # change this to reflect the email address of the admin that you want to show
 # on the signup page
 admin_email: my.email@domain.com
\ No newline at end of file