The devise authentication plug for rails has been a standard piece of instructure for me for years. One of those things you should not roll on your own. https://github.com/plataformatec/devise
In setting up the staging system for the IP4B SG2 system, I wanted to be able to copy bits of the production database to the staging system so that we can see real data. Logins were not working, and I was mystified until I realized that the pepper values in the config/initializers/devise.rb were different as I upgraded the devise, and started with a new file. I had set a longer pepper in the new revision, probably too long actually as it might prevent the per-user salt from having any effect.
I then realized that I don’t want this pepper value into the git tree it all, it should be set by the production.rb, or better the secrets.yml. I didn’t find a clear way to do this, so I had to [[../../../../../catb.org/jargon/html/U/UTSL.html][Use The Source, Luke]] (curiously, in the Percy Jackson novels, Luke is a bad guy)
I used bundle show devise to tell me where devise was installed, and then I went into that directory with Emacs, and used grep -R for “pepper”. I was also looking for where the Device.setup routine is and how it sets up the config. A clue was in test/models_test.rb, where I found:
Hmm, what is the Configurable thing? Naw, it’s in test/test_models.rb, so it’s just for the test cases. The real meat is in lib/devise. I leant from test_models.rb that I can specify the pepper: in the devise model, so if I have to I can put it together in my app.
I decided to grep for secrets:
Which is nice, as it points to the secret_key_base, which I knew I had to initialize, but that is used for the cookies. I don’t need to synchronize the cookies between staging and production. I was hoping to put the pepper into the secrets.yml.
Looking at this, it seems that I ought to be able to add pepper to this, so I tried:
I monkey patched this into my user.rb file, before I create the User. (I could fork and make a pull request on this, but I’ll do that after I’m sure this is the right way) I wondered what app was, I suspect it comes from the ::Rails::Engine.
I stuffed my secrets.yml on my desktop with:
and invoked rails console. Good news it didn’t blow up yet! I dumped the pepper:
Well, that’s not the pepper I set. I went and I removed it from config/initializers/devise.rb, and restarted rails console.
Okay, so there is a change… but it didn’t load my monkey patch yet. Maybe if I make it load that code:
nope. So let’s see if my idea was even sound. I stuffed the initializer code into the lib/devise/rails.rb in my local gem repo, and low and behold, it ran:
Conclusion: I monkey patched too late. I put the same code at the top of config/initializers/devise.rb. Too late. How about at the end of config/application.rb? Yes. that worked.
I’m not too thrilled by this, I think it ought to go elsewhere, but one step forward at a time.