Skip to content

Switch Devise to use secret_key_base#196

Merged
tom93 merged 1 commit intomasterfrom
devise-secret-key
Dec 21, 2023
Merged

Switch Devise to use secret_key_base#196
tom93 merged 1 commit intomasterfrom
devise-secret-key

Conversation

@tom93
Copy link
Contributor

@tom93 tom93 commented Dec 21, 2023
edited
Loading

From the commit message:

Devise requires a secret key to generate random tokens.

Previously, our code set this to a hard-coded value by default, or to the value of a database setting (which must be created manually).

Devise 3.2.3 added support for using Rail's secret_key_base as the secret key[1]. This commit switches to that, since it's simpler and better than the previous behaviour.

Note that deploying this commit will invalidate all existing confirmation, reset password and unlock links.

(It appears that Devise's secret key is merely used to hash tokens before storing them in the database, presumably so that even someone with read access to the database wouldn't be able to get the real tokens. So it's not really important.)

This commit also removes an unrelated commented-out generated random value for config.pepper. A cryptographic pepper is supposed to be secret, so the value shouldn't be in the source code.

[1]: https://github.com/heartcombo/devise/blob/v3.2.3/CHANGELOG.md#323

Merge after #195, and preferably also after #193 (since the current dependency on devise is ~> 3.2.2, which is technically not new enough, even though the locked version is 3.2.4).

@tom93
Switch Devise to use secret_key_base
d415470 
Devise requires a secret key to generate random tokens.

Previously, our code set this to a hard-coded value by default, or to
the value of a database setting (which must be created manually).

Devise 3.2.3 added support for using Rail's secret_key_base as the
secret key[1]. This commit switches to that, since it's simpler and
better than the previous behaviour.

Note that deploying this commit will invalidate all existing
confirmation, reset password and unlock links.

(It appears that Devise's secret key is merely used to hash tokens
before storing them in the database, presumably so that even someone
with read access to the database wouldn't be able to get the real
tokens. So it's not really important.)

This commit also removes an unrelated commented-out generated random
value for config.pepper. A cryptographic pepper is supposed to be
secret, so the value shouldn't be in the source code.

[1]: https://github.com/heartcombo/devise/blob/v3.2.3/CHANGELOG.md#323
@tom93 tom93 marked this pull request as draft December 21, 2023 03:10
@tom93 tom93 marked this pull request as ready for review December 21, 2023 04:09
@tom93 tom93 merged commit a6bb1cd into master Dec 21, 2023
@tom93 tom93 deleted the devise-secret-key branch December 22, 2023 05:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Holmes98 Holmes98 Holmes98 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tom93 @Holmes98