Loading ActionText::Attachable from identical SGID no longer works after restoring database

Question

I'm using ActionText and embedding IFRAME for things like YouTube and Spotify embeds. It's working great! Here's what it looks like when I render the HTML (this is for a Spotify embed as you can see):

<action-text-attachment sgid="BAh7CEkiCGdpZAY6BkVUSSIoZ2lkOi8vYmxvZ2xpbmUvU3BvdGlmeS8xP2V4cGlyZXNfaW4GOwBUSSIMcHVycG9zZQY7AFRJIg9hdHRhY2hhYmxlBjsAVEkiD2V4cGlyZXNfYXQGOwBUMA==--fcc8035346e616846f2068f52f685d2feb3b30e2" content-type="application/octet-stream"><div class="embed-responsive embed-responsive-16by9">
  <iframe width="300" height="380" title="Spotify Embed: American Head" src="https://open.spotify.com/embed/album/4H8NX3ovAZdY2iJmwSNqlw?si=cf4XXoavSAynCBOvqltSHw"></iframe>
</div>
</action-text-attachment>

I have recently exported the database (from Heroku) and restored it to another VPS provider. That worked fine for my ActiveStorage blobs (images etc) but the embeds are no longer working. The above example, despite having the same SGID now looks like this:

<action-text-attachment sgid="BAh7CEkiCGdpZAY6BkVUSSIoZ2lkOi8vYmxvZ2xpbmUvU3BvdGlmeS8xP2V4cGlyZXNfaW4GOwBUSSIMcHVycG9zZQY7AFRJIg9hdHRhY2hhYmxlBjsAVEkiD2V4cGlyZXNfYXQGOwBUMA==--fcc8035346e616846f2068f52f685d2feb3b30e2" content-type="application/octet-stream">☒</action-text-attachment>

On my Heroku console I can load the model using:

SignedGlobalID.find("BAh7CEkiCGdpZAY6BkVUSSIoZ2lkOi8vYmxvZ2xpbmUvU3BvdGlmeS8xP2V4cGlyZXNfaW4GOwBUSSIMcHVycG9zZQY7AFRJIg9hdHRhY2hhYmxlBjsAVEkiD2V4cGl
yZXNfYXQGOwBUMA==--fcc8035346e616846f2068f52f685d2feb3b30e2", for: "attachable")

This works and returns the associated ActiveRecord model. However, running the same command when connected to my restored database results in nil

I wondered if anyone was able to shed any light on this?

I have narrowed the issue down to an InvalidSignature message. For example, on Heroku I see this:

SignedGlobalID.send(:pick_verifier, for: "attachable").verify(node["sgid"])
=> {"gid"=>"gid://myapp/Spotify/1?expires_in", "purpose"=>"attachable", "expires_at"=>nil}

Where's locally, if I run it:

ActiveSupport::MessageVerifier::InvalidSignature (ActiveSupport::MessageVerifier::InvalidSignature)

Could it be because the secret on one server is different from the other? If so, what is the correct way to go about doing this so that the SGIDs are 'portable' across servers?

I'm running Rails 6.1 alpha.

Answer 1

Ok, apologies but it turns out that despite Rails.application.credentials.secret_key_base being defined the same on both servers, one of them (Heroku) had also defined a different SECRET_KEY_BASE environment variable which seems to take precedence. Once I define this on the new sever, the SGID works fine.