path: root/config/initializers/secret_token.rb

# Be sure to restart your server when you modify this file.

require 'securerandom'

def generate_new_secure_token
  SecureRandom.hex(64)
end

def warn_missing_secret(secret)
  warn "Missing Rails.application.secrets.#{secret} for #{Rails.env} environment. The secret will be generated and stored in config/secrets.yml."
end

def create_tokens
  secret_file = Rails.root.join('.secret')
  file_key = File.read(secret_file).chomp if File.exist?(secret_file)
  env_key = ENV['SECRET_KEY_BASE']
  yaml_additions = {}

  # Ensure environment variable always overrides secrets.yml.
  Rails.application.secrets.secret_key_base = env_key if env_key.present?

  defaults = {
    secret_key_base: file_key || generate_new_secure_token,
    otp_key_base: env_key || file_key || generate_new_secure_token,
    db_key_base: generate_new_secure_token
  }

  defaults.stringify_keys.each do |key, default|
    if Rails.application.secrets[key].blank?
      warn_missing_secret(key)

      yaml_additions[key] = Rails.application.secrets[key] = default
    end
  end

  unless yaml_additions.empty?
    secrets_yml = Rails.root.join('config/secrets.yml')
    all_secrets = YAML.load_file(secrets_yml) if File.exist?(secrets_yml)
    all_secrets ||= {}
    env_secrets = all_secrets[Rails.env.to_s] || {}

    all_secrets[Rails.env.to_s] = env_secrets.merge(yaml_additions) do |key, old, new|
      if old.present?
        warn <<EOM
Rails.application.secrets.#{key} was blank, but the literal value in config/secrets.yml was:
  #{old}

This probably isn't the expected value for this secret. To keep using a literal Erb string in config/secrets.yml, replace `<%` with `<%%`.
EOM

        exit 1
      end

      new
    end

    File.write(secrets_yml, YAML.dump(all_secrets), mode: 'w', perm: 0600)
  end

  begin
    File.delete(secret_file) if file_key
  rescue => e
    warn "Error deleting useless .secret file: #{e}"
  end
end

create_tokens