
I have written the following in my controller:

http_basic_authenticate_with name: "foo", password: "bar", except: [:new, :show, :edit, :create]

but when I push it to my repo, the password is there for everyone to see. Is there any way to encrypt the password?

user2026178

1 Answer


You probably want to use environment variables for this :) There's a gem (like for everything, basically): https://github.com/bkeepers/dotenv

In your .env file you'd have the following:

AUTHENTICATION_USERNAME="foo"
AUTHENTICATION_PASSWORD="bar"

Whereas in your controller you write it like so:

http_basic_authenticate_with name: ENV['AUTHENTICATION_USERNAME'], password: ENV['AUTHENTICATION_PASSWORD'], except: [:new, :show, :edit, :create]

This way your code is completely separated from the actual information. Make sure not to add the .env file to your git repository by adding this to your .gitignore:

.env

So what this does is it'll load these variables you set up in .env into your existing environment variables. This way somebody needs to actually log into your server and get access to that particular file in order to get the username/password. And this should be more secure than having the username/password in plain text inside your controller ;)

Philipp Meissner
  • Thanks for the very comprehensive answer. Excuse my ignorance, but what is a .env file and how do I get it/find it? I have installed the gem but cannot locate that file anywhere – user2026178 May 10 '16 at 13:47
  • Hi. You will have to create this file in your home directory. `touch ~/.env` does the job. The .env file will eventually get added to your other environment variables your system already has. This way the application can use them. – Philipp Meissner May 12 '16 at 06:34
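The .env-based setup from the answer above, as an added example that is not the dotenv gem's or Rails' own code: a simplified .env parser, a constant-time credential comparison, and a check of the `Authorization` header that fails closed when `AUTHENTICATION_USERNAME` or `AUTHENTICATION_PASSWORD` is missing from the environment (for example on a deploy that forgot the .env file). The function names and the sample .env content are constructed for this example.

```ruby
require "base64"

# Simplified stand-in for the dotenv gem's loader: blank lines, "#" comments,
# an optional "export " prefix and single/double-quoted values.
def parse_dotenv(text)
  text.each_line.with_object({}) do |line, env|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    key, value = line.sub(/\Aexport\s+/, "").split("=", 2)
    next if key.nil? || value.nil?
    value = value.strip
    value = Regexp.last_match(2) if value =~ /\A(['"])(.*)\1\z/m
    env[key.strip] = value
  end
end

# Constant-time comparison: a wrong guess takes the same time whether zero
# or many leading characters matched. nil or a length mismatch never matches.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Check an "Authorization: Basic ..." header value against the credentials
# loaded from .env. Fails closed: an unset or empty variable means nobody
# authenticates, instead of everybody matching a nil or empty password.
def basic_auth_ok?(env, authorization)
  name_ok = env["AUTHENTICATION_USERNAME"]
  pass_ok = env["AUTHENTICATION_PASSWORD"]
  return false if [name_ok, pass_ok].any? { |v| v.nil? || v.empty? }
  return false unless authorization.is_a?(String) && authorization.start_with?("Basic ")
  begin
    decoded = Base64.strict_decode64(authorization.delete_prefix("Basic "))
  rescue ArgumentError
    return false
  end
  name, password = decoded.split(":", 2)
  # Single & (not &&) so both comparisons always run.
  secure_equal?(name, name_ok) & secure_equal?(password, pass_ok)
end

# Constructed sample matching the .env in the answer above.
SAMPLE_DOTENV = <<~DOTENV
  # credentials for the protected controller actions
  AUTHENTICATION_USERNAME="foo"
  AUTHENTICATION_PASSWORD="bar"
DOTENV
```

`basic_auth_ok?(parse_dotenv(SAMPLE_DOTENV), "Basic " + Base64.strict_encode64("foo:bar"))` returns true; the same header against an empty hash returns false.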