knock icon indicating copy to clipboard operation
knock copied to clipboard
Published 4 years ago verified publisher icon nsarno

Crash if token_secret_signature_key returns empty string

Open Kukunin opened this issue 5 years ago • 1 comments

The problem happened with a fork of knock which I was using for a long time: https://github.com/JonaMX/knock.

It worked well until I decided to upgrade to the newer fork of knock - this repository. I noticed that previous tokens stopped work and I started to dig.

It turned out, that in that fork, the author replaced to self.token_secret_signature_key = -> { Rails.application.credentials.read }, which returns an empty string "" for my Rails 5.2.

So I have been running the application for years with no secret signature key. Of course, it's my responsibility.

What I suggest is to add a check somewhere in the code so other potential users couldn't shoot in the foot again. Something like

raise "Knock secret signature key can't be empty" if Knock.token_secret_signature_key.call.blank?

Kukunin avatar Mar 17 '20 20:03 Kukunin

Similar to #212

There's an open PR that we started a discussion about it: #225

Feel free to contribute there, with suggestions or opening a new PR considering the points raised there...

Thanks!

andrerpbts avatar Mar 18 '20 13:03 andrerpbts