Compatibility break with rails 5.2 rc1
a2p0 opened this issue · comments
Since rails 5.2 doesn't generate secret.yml but credentials.yml.enc on rails new command, knock is not able to generate token anymore.
rails c
> auth_user = Fabricate :user
=> #<User id: 1, email: "valid@email", password_digest: "$2a$10...
> token = Knock::AuthToken.new(payload: { sub: auth_user.id }).token
Traceback (most recent call last):
2: from (irb):2
1: from (irb):2:in `new'
TypeError (no implicit conversion of nil into String)
Secret generation is no longer available after app initialization
rails secrets:setup
Encrypted secrets is deprecated in favor of credentials. Run:
bin/rails credentials:help
Tried to configure knock initializer
config.token_secret_signature_key = -> { Rails.application.credentials }
#
TypeError (can't convert ActiveSupport::EncryptedConfiguration to String (ActiveSupport::EncryptedConfiguration#to_str gives NilClass))
Patched with manually add secrets.yml to the app/config folder.
> token = Knock::AuthToken.new(payload: { sub: auth_user.id }).token
=> "eyJ0eXAiOiJ...
Is there a way to configure knock with credentials.yml.enc ?
You need to use
config.token_secret_signature_key = -> { Rails.application.credentials.read }
Yes it works. Thanks @mkhanal!
It seems that I had to investigate one step further...
I think what you actually want is Rails.application.credentials.fetch(:secret_key_base)
This config.token_secret_signature_key = -> { Rails.application.credentials.secret_key_base }
worked for me. Don't forget to restart rails serve
For newbies wondering where to put this - Put it here #config/initalizers/knock.rb
I think you're supposed to use Rails.application.secret_key_base
, when I tried with credentials
, it was using my production secret key base (okay, we had overridden it in prod, but you'll notice it's not the default dev / test secret key, which is derived from the app name:
$ bin/rails runner 'pp credentials: Rails.application.credentials.secret_key_base, app: Rails.application.secret_key_base, derived: Digest::MD5.hexdigest(Rails.application.class.name)'
Here's the relevant code, note that it only uses the credentials file / environment variable when it's in prod: https://github.com/rails/rails/blob/d7f48c9c39befaf23ccd63e0248a3bd5bf295ee5/railties/lib/rails/application.rb#L428-L436
Adding RAILS_MASTER_KEY
with the key in master.key
as an environmental variable in CircleCI fixed it for me.