diff --git a/.gitignore b/.gitignore
index dc29e19..4386abf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,3 +23,6 @@
 /public/packs
 /public/packs-test
 /node_modules
+
+# Ignore master key for decrypting credentials and more.
+/config/master.key
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 1ff0944..6166258 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -4,4 +4,18 @@ class ApplicationController < ActionController::Base
 # Prevent CSRF attacks by raising an exception.
 # For APIs, you may want to use :null_session instead.
 protect_from_forgery with: :exception
+
+ before_action :check_unlocked, except: :unlock
+
+ def unlock
+ cookies[:unlock] = { value: Rails.application.credentials.unlock_secret, expires: 5.years.from_now }
+ redirect_to :root
+ end
+
+private
+
+ def check_unlocked
+ return unless ENV['UNLOCK_KEY'] && cookies[:unlock] != Rails.application.credentials.unlock_secret!
+ raise ActionController::RoutingError, 'Not Found'
+ end
 end
diff --git a/config/credentials.yml.enc b/config/credentials.yml.enc
new file mode 100644
index 0000000..fcc3b64
--- /dev/null
+++ b/config/credentials.yml.enc
@@ -0,0 +1 @@
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--YOKzVH+s+Sjy8dKo--V96OsKdFZBokhA/qS0I7UQ==
\ No newline at end of file
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 4bb272e..258a41c 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -24,6 +24,10 @@
 # config.assets.js_compressor = :uglifier
 # config.assets.css_compressor = :sass
+ # Ensures that a master key has been made available in either ENV["RAILS_MASTER_KEY"]
+ # or in config/master.key. This key is used to decrypt credentials (and other encrypted files).
+ config.require_master_key = true
+
 # Do not fallback to assets pipeline if a precompiled asset is missed.
 config.assets.compile = false
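Review bot: `unlock` hands the credential itself to the browser as a plain cookie and `check_unlocked` then compares it with `!=`, so the cookie value is the secret in cleartext (readable by page scripts, and sent over plain HTTP if the site is ever reached that way) and the comparison is not constant-time. Storing it through `cookies.encrypted` with `httponly: true` and `secure: Rails.env.production?`, and checking it with `ActiveSupport::SecurityUtils.secure_compare`, keeps the same gate without exposing the secret. The two methods also read the credential differently — `unlock_secret` (nil when missing) versus `unlock_secret!` (raises `KeyError`) — so a missing credential makes `unlock` set an empty cookie while every other request raises; using the bang form in both places surfaces the misconfiguration once. Both methods sit inside `ApplicationController`, whose opening line is outside the hunk, and `private` is at column 0 where the rest of the class body is indented.
```ruby
  # … unchanged: protect_from_forgery / before_action …

  def unlock
    cookies.encrypted[:unlock] = {
      value: Rails.application.credentials.unlock_secret!,
      expires: 5.years.from_now,
      httponly: true,
      secure: Rails.env.production?
    }
    redirect_to :root
  end

  private

  # Hides every page behind a 404 unless the request carries the unlock cookie.
  # Only active when UNLOCK_KEY is configured, matching the existing behaviour.
  def check_unlocked
    return unless ENV['UNLOCK_KEY']

    presented = cookies.encrypted[:unlock].to_s
    expected = Rails.application.credentials.unlock_secret!.to_s
    return if ActiveSupport::SecurityUtils.secure_compare(presented, expected)

    raise ActionController::RoutingError, 'Not Found'
  end
```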
diff --git a/config/routes.rb b/config/routes.rb
index 0da8935..cd5958d 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -5,6 +5,8 @@
 get '/(*path)' => redirect { |_params, req| "https://#{ENV['DOMAIN']}#{req.fullpath}" } if ENV['HOST'].present?
 end
+ get "/#{ENV['UNLOCK_KEY']}", to: 'application#unlock'
+
 get '/regions/:id', to: redirect('/california/%{id}')
 get '/:region_id/:subregion_id', to: 'subregions#show', as: 'subregion'
 get '/:region_id/:subregion_id/:spot_id', to: 'spots#show', as: 'spot'
diff --git a/config/secrets.yml b/config/secrets.yml
deleted file mode 100644
index 1a5b000..0000000
--- a/config/secrets.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Be sure to restart your server when you modify this file.
-
-# Your secret key is used for verifying the integrity of signed cookies.
-# If you change this key, all old signed cookies will become invalid!
-
-# Make sure the secret is at least 30 characters and all random,
-# no regular words or you'll be exposed to dictionary attacks.
-# You can use `rake secret` to generate a secure secret key.
-
-# Make sure the secrets in this file are kept private
-# if you're sharing your code publicly.
-
-common: &common
-
-development:
- <<: *common
- secret_key_base: 93372b62a443e822539aa82b658f9ff1f656a6b02ecd95cbf37ab0bf6e599e61f69288bc664ae908316e2ce2855b9376d953e89020ef4a7d5cf92c79fa394f83
-
-test:
- <<: *common
- secret_key_base: 05b0069e2736bdb7210da0fe0c722adb01bf6cd9e3f52e836764413fa0f74bbdab29e098964ea9df6cee0c06777d04bb1e10b94b09771f7a1fad324550e01864
-
-# Do not keep production secrets in the repository,
-# instead read values from the environment.
-production:
- <<: *common
- secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
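Review bot: The new route interpolates `ENV['UNLOCK_KEY']` unconditionally, so when the variable is unset the line becomes `get "/"`, which either shadows the root route or is shadowed by it depending on declaration order (the root route is not visible in the hunk); if it wins, `application#unlock` redirects to `:root`, i.e. back to itself. Guarding the line the way the `ENV['HOST']` line above already does keeps the gate off entirely when no key is configured: `get "/#{ENV['UNLOCK_KEY']}", to: 'application#unlock' if ENV['UNLOCK_KEY'].present?`. Because the key travels in the request path it will show up in access logs and Referer headers, so a short comment that it is a rotatable access token rather than a long-term secret is worth adding, along with a note that ENV is read once at boot and a rotation needs a restart. The enclosing `routes.draw` block starts and ends outside the hunk.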