ActionMailer password security

不问归期 提交于 2019-12-21 03:59:17

问题


Am I crazy, or is it a bad idea to keep my SMTP username and password for ActionMailer in the actual (development/production) config file? It seems like I should store it an encrypted place, or at the very minimum, exclude it from my Mercurial pushes.

Right now, I'm just removing the password from my source file before performing a push, but there's got to be a smarter way than the one I'm using. :)

Perhaps I should store it in my database as another user (which is already stored with encrypted passwords) and fetch it programatically?


回答1:


Use an application configuration file that is not stored in your repository for storing sensitive information. Here is how I've done it:

  1. Add an app_config.yml in your config directory. Its contents would look like this:

    smtp_password: kl240jvfslkr32rKgjlk
    some_other_password: 34hg9r0j0g402jg
    and_so_on: lkn$@gJkjgsFLK4gaj
    
  2. Add a preinitializer.rb in your config directory with the following contents:

    require 'yaml'
    APP_CONFIG = YAML.load(File.read(RAILS_ROOT + "/config/app_config.yml"))
    
  3. Substitute your passwords for values in the APP_CONFIG variable, like so:

    smtp_password = kl240jvfslkr32rKgjlk # old version
    smtp_password = APP_CONFIG['smtp_password'] # new version
    

Make sure you don't include app_config.yml in your repository, though you may want to create an example file that is checked in, just to show a sample of what should be in it. When you deploy your application, make sure that app_config.yml is stored on the server. If you're using a standard Capistrano deployment, put the file in the shared folder and update your deployment task to create a symlink to it in the current release's directory.




回答2:


Jimmy's answer is perfect (+1), I would also note that Github has recommended .gitignore files for every language and the Rails one is here Note that it includes config/*.yml so that no config/yml file is in the respository to begin with. Probably a good move.

Use Capistrano to ask for these things upon deploy:setup the same way you should be doing for your database stuff:

task :my_silly_task do 
    sendgrid_password = Capistrano::CLI.password_prompt("Sendgrid password: ")
    require 'yaml'
    spec =  {... whatever yaml you need -- probably what Jimmy said...}
    run "mkdir -p #{shared_path}/config" 
    put(spec.to_yaml, "#{shared_path}/config/mailer_config.yml") 
end


来源:https://stackoverflow.com/questions/2368139/actionmailer-password-security

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!