config: refactor secret_key_base initialization.

2019-12-13 04:20:06 -06:00
parent 6382aec85e
commit ddb0e4d3ce
4 changed files with 13 additions and 55 deletions
--- a/config/application.rb
+++ b/config/application.rb
@@ -33,6 +33,9 @@ module Danbooru
    config.plugins = [:all]
    config.time_zone = 'Eastern Time (US & Canada)'

+    raise "Danbooru.config.secret_key_base not configured" if Danbooru.config.secret_key_base.blank?
+    config.secret_key_base = Danbooru.config.secret_key_base
+
    if Danbooru.config.mail_delivery_method.to_sym == :smtp
      config.action_mailer.delivery_method = :smtp
      config.action_mailer.smtp_settings = Danbooru.config.mail_settings
--- a/config/danbooru_default_config.rb
+++ b/config/danbooru_default_config.rb
@@ -1,5 +1,15 @@
 module Danbooru
  class Configuration
+    # A secret key used to encrypt session cookies, among other things. If this
+    # token is changed, existing login sessions will become invalid. If this
+    # token is stolen, attackers will be able to forge session cookies and
+    # login as any user.
+    #
+    # Must be specified. Use `rake secret` to generate a random secret token.
+    def secret_key_base
+      ENV["SECRET_TOKEN"].presence || File.read(File.expand_path("~/.danbooru/secret_token"))
+    end
+
    # The name of this Danbooru.
    def app_name
      if CurrentUser.safe_mode?
--- a/config/initializers/secret_token.rb
+++ b/config/initializers/secret_token.rb
@@ -1,9 +0,0 @@
-require File.expand_path('../../state_checker', __FILE__)
-
-StateChecker.instance.check!
-
-Rails.application.config.action_dispatch.session = {
-  :key    => '_danbooru2_session',
-  :secret => StateChecker.instance.session_secret_key
-}
-Rails.application.config.secret_key_base = StateChecker.instance.secret_token
--- a/config/state_checker.rb
+++ b/config/state_checker.rb
@@ -1,46 +0,0 @@
-class StateChecker
-  include Singleton
-
-  def check!
-    ENV["SECRET_TOKEN"].present? || check_secret_token
-    ENV["SESSION_SECRET_KEY"].present? || check_session_secret_key
-  end
-
-  def secret_token
-    ENV["SECRET_TOKEN"] || File.read(secret_token_path)
-  end
-
-  def session_secret_key
-    ENV["SESSION_SECRET_KEY"] || File.read(session_secret_key_path)
-  end
-
-private
-
-  def secret_token_path
-    File.expand_path("~/.danbooru/secret_token")
-  end
-
-  def check_secret_token
-    unless File.exists?(secret_token_path)
-      raise "You must create a file in #{secret_token_path} containing a secret key. It should be a string of at least 32 random characters."
-    end
-
-    if File.stat(secret_token_path).world_readable? || File.stat(secret_token_path).world_writable?
-      raise "#{secret_token_path} must not be world readable or writable"
-    end
-  end
-
-  def session_secret_key_path
-    File.expand_path("~/.danbooru/session_secret_key")
-  end
-
-  def check_session_secret_key
-    unless File.exists?(session_secret_key_path)
-      raise "You must create a file in #{session_secret_key_path} containing a secret key. It should be a string of at least 32 random characters."
-    end
-
-    if File.stat(session_secret_key_path).world_readable? || File.stat(session_secret_key_path).world_writable?
-      raise "#{session_secret_key_path} must not be world readable or writable"
-    end
-  end
-end