Not so much as a question: secret token

[frank0051]

So, I'm pretty new to Ruby on Rails and I've been attempting to get a demo of this up and running on Engine Yard. I forked the project, connected to it, have the app and DB instance running, but the deploy of HEAD keeps failing. The log says:

rake aborted!
SECRET_TOKEN environment variable must be set!

In various spots. So:

1. what's the deal with this SECRET_TOKEN
2. Any ideas what to do in Engine Yard? I tried to SSH in after following their instructions, but it gives me an error saying no address associated with name.

Appreciate any thoughts as to how to get this up and running so I can play around with it.

[tomwolfe]

I'm not sure about Engine Yard, but I was having trouble with pushing to heroku and found a solution: errbit/errbit#381

[sapid]

Secret tokens are used by many web frameworks (including RoR, to my knowledge) for signing cookies (HMAC, I think) to prevent users from tampering with the data in them.

Without looking in to it directly (I'm not familiar with Engine Yard either), I think you should be able to solve your problem by running rake secret. Alternatively, you may also be able to solve it by putting something random in config/initializers/secret_token.rb (such as with #{ActiveSupport::SecureRandom.hex(64)}) so the file should look something like
Yourapp::Application.config.secret_token = '921b00fcfabe0368d70627020f3b4c969cfd9bdc2474f4040c1ae976f687014694beb5d36dfc0c41bac8ebde96a14fceaee228d6e34d8183c5d7cc99d310d4f9'

If setting $SECRET_TOKEN in your environment is an option, that should work, too.

Secret Tokens can't be included in the repository because then they aren't secret anymore; unfortunately, this is one of those things that you have to perform at install time instead.

[monfresh]

@frank0051 Whenever you have sensitive information in your app, such as API keys, passwords, or secret tokens, it's recommended to store them in an environment variable. So, instead of having the actual secret token in the source code, you would replace it with ENV['SECRET_TOKEN'], as is done in this file: https://github.com/codeforamerica/opencounter/blob/master/config/initializers/secret_token.rb

For your app to know what the value of the environment variable is, you have to set it in your working environment. When you're using the app on your local machine, the easiest way to set environment variables is to use the figaro gem. It creates a local application.yml file for you where you can set all your env variables, and it automatically adds it to the .gitignore file so that it never gets committed to a public repository like GitHub. Alternatively, you can set environment variables from the command line from your app's directory by running this command:

export NAME_OF_ENV_VAR=value_of_env_var

For example, to set an env var for the secret token, generate a new random one:

rake secret

Then set it:

export SECRET_TOKEN=your_secret_token

where your_secret_token is the actual long string of characters that you got after running rake secret.

To check the value of the SECRET_TOKEN environment variable (only when you set it from the command line):

echo $SECRET_TOKEN

Before deploying an app to a hosting service like Heroku or Engine Yard, you have to set the environment variable on the production server first. On Heroku, you do it like this from the command line:

heroku config:set SECRET_TOKEN=your_secret_token

I'm not familiar with Engine Yard, so I don't know the exact command, but I'm sure there's a similar command you can run. Just search for "how to set an environment variable on Engine Yard" or something like that.

I hope this helps.