From ddb0e4d3ce8bb924b2a1230f7c6002a7020d3c2a Mon Sep 17 00:00:00 2001 From: evazion Date: Fri, 13 Dec 2019 04:20:06 -0600 Subject: [PATCH] config: refactor secret_key_base initialization. --- config/application.rb | 3 ++ config/danbooru_default_config.rb | 10 +++++++ config/initializers/secret_token.rb | 9 ------ config/state_checker.rb | 46 ----------------------------- 4 files changed, 13 insertions(+), 55 deletions(-) delete mode 100644 config/initializers/secret_token.rb delete mode 100644 config/state_checker.rb diff --git a/config/application.rb b/config/application.rb index d6f13874c..9c38eee8f 100644 --- a/config/application.rb +++ b/config/application.rb @@ -33,6 +33,9 @@ module Danbooru config.plugins = [:all] config.time_zone = 'Eastern Time (US & Canada)' + raise "Danbooru.config.secret_key_base not configured" if Danbooru.config.secret_key_base.blank? + config.secret_key_base = Danbooru.config.secret_key_base + if Danbooru.config.mail_delivery_method.to_sym == :smtp config.action_mailer.delivery_method = :smtp config.action_mailer.smtp_settings = Danbooru.config.mail_settings diff --git a/config/danbooru_default_config.rb b/config/danbooru_default_config.rb index 089a3e5a2..a22c166d3 100644 --- a/config/danbooru_default_config.rb +++ b/config/danbooru_default_config.rb @@ -1,5 +1,15 @@ module Danbooru class Configuration + # A secret key used to encrypt session cookies, among other things. If this + # token is changed, existing login sessions will become invalid. If this + # token is stolen, attackers will be able to forge session cookies and + # login as any user. + # + # Must be specified. Use `rake secret` to generate a random secret token. + def secret_key_base + ENV["SECRET_TOKEN"].presence || File.read(File.expand_path("~/.danbooru/secret_token")) + end + # The name of this Danbooru. def app_name if CurrentUser.safe_mode? diff --git a/config/initializers/secret_token.rb b/config/initializers/secret_token.rb deleted file mode 100644 index 4074a67bb..000000000 --- a/config/initializers/secret_token.rb +++ /dev/null @@ -1,9 +0,0 @@ -require File.expand_path('../../state_checker', __FILE__) - -StateChecker.instance.check! - -Rails.application.config.action_dispatch.session = { - :key => '_danbooru2_session', - :secret => StateChecker.instance.session_secret_key -} -Rails.application.config.secret_key_base = StateChecker.instance.secret_token diff --git a/config/state_checker.rb b/config/state_checker.rb deleted file mode 100644 index 27f49912e..000000000 --- a/config/state_checker.rb +++ /dev/null @@ -1,46 +0,0 @@ -class StateChecker - include Singleton - - def check! - ENV["SECRET_TOKEN"].present? || check_secret_token - ENV["SESSION_SECRET_KEY"].present? || check_session_secret_key - end - - def secret_token - ENV["SECRET_TOKEN"] || File.read(secret_token_path) - end - - def session_secret_key - ENV["SESSION_SECRET_KEY"] || File.read(session_secret_key_path) - end - -private - - def secret_token_path - File.expand_path("~/.danbooru/secret_token") - end - - def check_secret_token - unless File.exists?(secret_token_path) - raise "You must create a file in #{secret_token_path} containing a secret key. It should be a string of at least 32 random characters." - end - - if File.stat(secret_token_path).world_readable? || File.stat(secret_token_path).world_writable? - raise "#{secret_token_path} must not be world readable or writable" - end - end - - def session_secret_key_path - File.expand_path("~/.danbooru/session_secret_key") - end - - def check_session_secret_key - unless File.exists?(session_secret_key_path) - raise "You must create a file in #{session_secret_key_path} containing a secret key. It should be a string of at least 32 random characters." - end - - if File.stat(session_secret_key_path).world_readable? || File.stat(session_secret_key_path).world_writable? - raise "#{session_secret_key_path} must not be world readable or writable" - end - end -end