
How to dynamically generate secret tokens in Rails 4.1 with secrets.yml?

New to Rails. Followed Hartl's tutorial, where he uses this code to dynamically generate a secret token for config/initializers/secret_token.rb:

require 'securerandom'

def secure_token
  token_file = Rails.root.join('.secret')
  if File.exist?(token_file)
    # Use the existing token.
    File.read(token_file).chomp
  else
    # Generate a new token and store it in token_file.
    token = SecureRandom.hex(64)
    File.write(token_file, token)
    token
  end
end

SampleApp::Application.config.secret_key_base = secure_token

I'm trying to follow the new Rails 4.1 way by using secrets.yml, and delete secret_token.rb:

development:
  secret_key_base: 79c1389c2fadc5a5a1918a5104ab34eb700c

test:
  secret_key_base: fdb4edcde14173d62963705ca4d7876b5307790924

production:
  secret_key_base: 85172605030a8225c083d886d066da2cb4aac1f0

But I think you cannot run a Ruby script like the one in secret_token.rb in a yml file. How would you have Rails dynamically generate the secret tokens in secrets.yml? How should this be done? What is best practice?

Given a function secret_token whose only job is to generate a new token string each time one's application accesses the secrets.yml file, cookies and most likely other session-like behavior will not work correctly, as the secret token changes on each call to the function.

The preferred and secure way is to use any old secret key in the secrets.yml file for the development and test environments (you can generate a secret string by issuing rake secret on the command line), then use an environment variable that your production server knows, so the secrets.yml file looks like:

production:
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

For example, on Heroku, use heroku config:set SECRET_KEY_BASE="insert key here" to set the environment variable, and there you have it. Don't be afraid to check the secrets.yml file into scm... as long as you haven't saved your production key to the file (and are instead using the environment variable method I just described), checking the file into scm poses no threat.

You can actually run ERB code in YML files. Something like:

development:
  secret_key_base: <%= secret_token %>

should work (if whatever process reads the YML file can access the secure_token method).
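As an added example that is not part of either answer and not Rails' own code, the Ruby script below ties the two answers together. It renders a constructed secrets.yml through ERB and then YAML, in the same order Rails applies to config/secrets.yml, pulls the production key from SECRET_KEY_BASE and refuses to start when that variable is unset or empty, and then signs and verifies a cookie value with a key derived from secret_key_base to show concretely why a key that is regenerated on every read breaks every existing session. The names load_secrets, derive_key, sign_cookie, verify_cookie and secure_equal? are chosen here; the cookie layout is a simplified stand-in modelled on Rails' signed cookies, not the real format.

```ruby
require 'erb'
require 'yaml'
require 'openssl'
require 'securerandom'

# Constructed secrets.yml content for this example (not a file from the page):
# fixed keys for development and test, production reading its key from the
# environment, as the first answer recommends.
SECRETS_YML = <<~YAML
  development:
    secret_key_base: 79c1389c2fadc5a5a1918a5104ab34eb700c
  test:
    secret_key_base: fdb4edcde14173d62963705ca4d7876b5307790924
  production:
    secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
YAML

# Render the ERB tags first, then parse the result as YAML (the order Rails
# uses for config/secrets.yml) and return secret_key_base for the requested
# environment. Called once at boot, so the key is stable for the process.
def load_secrets(yml, rails_env)
  rendered = ERB.new(yml).result
  all = YAML.safe_load(rendered) || {}
  section = all.fetch(rails_env) { raise KeyError, "no secrets for #{rails_env}" }
  key = section["secret_key_base"]
  # An unset SECRET_KEY_BASE renders as an empty value, which YAML reads as
  # nil; fail at boot instead of signing cookies with no key.
  if key.nil? || key.to_s.strip.empty?
    raise ArgumentError, "secret_key_base is empty for #{rails_env}; set SECRET_KEY_BASE"
  end
  key.to_s # to_s guards against an all-digit key being parsed as a number
end

# Derive a cookie-signing key from secret_key_base with PBKDF2. Modelled on
# ActiveSupport::KeyGenerator (assumption: simplified, parameters chosen here).
def derive_key(secret_key_base)
  OpenSSL::KDF.pbkdf2_hmac(secret_key_base, salt: "signed cookie",
                           iterations: 1000, length: 32, hash: "sha256")
end

# Constant-time comparison so a forged MAC cannot be guessed byte by byte
# from verifier timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# "base64(value)--hex(HMAC-SHA256)": a simplified signed-cookie layout.
def sign_cookie(value, secret_key_base)
  data = [value].pack("m0")
  mac = OpenSSL::HMAC.hexdigest("SHA256", derive_key(secret_key_base), data)
  "#{data}--#{mac}"
end

# Returns the original value, or nil when the signature does not match the
# key in use: what happens to every session once secret_key_base changes.
def verify_cookie(cookie, secret_key_base)
  data, mac = cookie.to_s.split("--", 2)
  return nil unless data && mac
  expected = OpenSSL::HMAC.hexdigest("SHA256", derive_key(secret_key_base), data)
  return nil unless secure_equal?(expected, mac)
  data.unpack1("m0")
end

if __FILE__ == $PROGRAM_NAME
  ENV["SECRET_KEY_BASE"] = SecureRandom.hex(64) # same shape as `rake secret` output
  key = load_secrets(SECRETS_YML, "production")
  cookie = sign_cookie("user_id=42", key)
  puts "same key    -> #{verify_cookie(cookie, key).inspect}"
  puts "rotated key -> #{verify_cookie(cookie, SecureRandom.hex(64)).inspect}"
  ENV.delete("SECRET_KEY_BASE")
  begin
    load_secrets(SECRETS_YML, "production")
  rescue ArgumentError => e
    puts "unset env   -> #{e.message}"
  end
end
```

Run it as a plain script: the first verification succeeds, the second (a freshly generated key standing in for a token that changes on every read) returns nil, and the final load fails loudly because SECRET_KEY_BASE is unset, which is the behaviour you want in production rather than a silent nil key.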

