nsarno / knock

Seamless JWT authentication for Rails API

Compatibility break with rails 5.2 rc1

a2p0 opened this issue · comments

Since Rails 5.2 doesn't generate secrets.yml but credentials.yml.enc on the rails new command, knock is not able to generate tokens anymore.

rails c
> auth_user = Fabricate :user
=> #<User id: 1, email: "valid@email", password_digest: "$2a$10...
> token = Knock::AuthToken.new(payload: { sub: auth_user.id }).token
Traceback (most recent call last):
        2: from (irb):2
        1: from (irb):2:in `new'
TypeError (no implicit conversion of nil into String)

Secret generation is no longer available after app initialization

rails secrets:setup
Encrypted secrets is deprecated in favor of credentials. Run:
bin/rails credentials:help

Tried to configure knock initializer

  config.token_secret_signature_key = -> { Rails.application.credentials }
#
 TypeError (can't convert ActiveSupport::EncryptedConfiguration to String (ActiveSupport::EncryptedConfiguration#to_str gives NilClass))

Patched by manually adding secrets.yml to the app/config folder.

> token = Knock::AuthToken.new(payload: { sub: auth_user.id }).token
 => "eyJ0eXAiOiJ...

Is there a way to configure knock with credentials.yml.enc?

You need to use
config.token_secret_signature_key = -> { Rails.application.credentials.read }

Yes it works. Thanks @mkhanal!
It seems that I had to investigate one step further...

commented

I think what you actually want is Rails.application.credentials.fetch(:secret_key_base)

commented

@stevepm's method worked with rails 5.2.
Thanks!

This config.token_secret_signature_key = -> { Rails.application.credentials.secret_key_base } worked for me. Don't forget to restart rails server.

For newbies wondering where to put this: put it in config/initializers/knock.rb

I think you're supposed to use Rails.application.secret_key_base. When I tried with credentials, it was using my production secret key base (okay, we had overridden it in prod, but you'll notice it's not the default dev / test secret key, which is derived from the app name):

$ bin/rails runner 'pp credentials: Rails.application.credentials.secret_key_base, app: Rails.application.secret_key_base, derived: Digest::MD5.hexdigest(Rails.application.class.name)'

Here's the relevant code, note that it only uses the credentials file / environment variable when it's in prod: https://github.com/rails/rails/blob/d7f48c9c39befaf23ccd63e0248a3bd5bf295ee5/railties/lib/rails/application.rb#L428-L436

Adding RAILS_MASTER_KEY with the key in master.key as an environment variable in CircleCI fixed it for me.
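
The two failure modes discussed in this thread, a signing key that resolves to nil and a key that differs per environment, shown as an added Ruby example (standard library only; not knock's or Rails' own code). `resolve_secret_key_base` is a simplified model, assumed from the comment about `Rails.application.secret_key_base` above, and the app name and secrets are constructed sample values.

```ruby
require "openssl"
require "json"
require "digest"

# Simplified model (an assumption based on the thread, not Rails source):
# dev/test derive the key from the app class name; other environments read
# the environment variable first, then the decrypted credentials.
def resolve_secret_key_base(env:, app_class_name:, env_var: nil, credentials: {})
  if %w[development test].include?(env)
    Digest::MD5.hexdigest(app_class_name)
  else
    env_var || credentials[:secret_key_base]
  end
end

# Fail fast with a clear message instead of the TypeError seen in the issue.
def signing_key!(candidate)
  return candidate if candidate.is_a?(String) && !candidate.empty?
  raise ArgumentError, "JWT signing key must be a non-empty String, got #{candidate.class}"
end

# base64url without padding, as JWT requires.
def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

# Minimal HS256 JWT: header.payload.signature
def sign_hs256(payload, key)
  parts = [{ typ: "JWT", alg: "HS256" }, payload]
  signing_input = parts.map { |part| b64url(JSON.generate(part)) }.join(".")
  mac = OpenSSL::HMAC.digest("SHA256", signing_key!(key), signing_input)
  "#{signing_input}.#{b64url(mac)}"
end

# Signature check only (no claim validation), compared in constant time.
def valid_hs256?(token, key)
  signing_input, _, signature = token.rpartition(".")
  expected = b64url(OpenSSL::HMAC.digest("SHA256", signing_key!(key), signing_input))
  OpenSSL.secure_compare(expected, signature)
end

# Constructed sample values.
APP = "Demo::Application"
dev_key  = resolve_secret_key_base(env: "development", app_class_name: APP)
prod_key = resolve_secret_key_base(env: "production", app_class_name: APP,
                                   credentials: { secret_key_base: "constructed-prod-secret" })
ci_key   = resolve_secret_key_base(env: "production", app_class_name: APP) # nothing decrypted
token    = sign_hs256({ sub: 1 }, dev_key)
puts valid_hs256?(token, dev_key), valid_hs256?(token, prod_key), ci_key.inspect
```

A guard like `signing_key!` inside the lambda given to `config.token_secret_signature_key` turns a missing master key into an explicit error at the point of use.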