- 07 Mar, 2017 1 commit
-
-
Markus Koller authored
-
- 09 Jan, 2017 1 commit
-
-
Adam Niedzielski authored
-
- 03 Aug, 2016 3 commits
-
-
Sean McGivern authored
If an environment variable exists for secret_key_base, use that - always. But don't save it to secrets.yml. Also ensure that we never write to secrets.yml if there's a non-blank value there.
-
Sean McGivern authored
Move the last secret from .secret to config/secrets.yml, and delete .secret if it exists.
-
Sean McGivern authored
.secret stores the secret token used for both encrypting login cookies and for encrypting stored OTP secrets. We can't rotate this, because that would invalidate all existing OTP secrets. If the secret token is present in the .secret file or an environment variable, save it as otp_key_base in secrets.yml. Now .secret can be rotated without invalidating OTP secrets. If the secret token isn't present (initial setup), then just generate a separate otp_key_base and save in secrets.yml. Update the docs to reflect that secrets.yml needs to be retained past upgrades, but .secret doesn't.
-