fixed an unsafe access to 2FA keys on the user model again, all for github

author Aidan Cornelius-Bell <aidan@cornelius-bell.com>

Tue, 31 Dec 2024 21:21:12 +0000 (07:51 +1030)

committer Aidan Cornelius-Bell <aidan@cornelius-bell.com>

Tue, 31 Dec 2024 21:21:12 +0000 (07:51 +1030)
author Aidan Cornelius-Bell <aidan@cornelius-bell.com>
Tue, 31 Dec 2024 21:21:12 +0000 (07:51 +1030)
committer Aidan Cornelius-Bell <aidan@cornelius-bell.com>
Tue, 31 Dec 2024 21:21:12 +0000 (07:51 +1030)
diff --git a/app/models/user.rb b/app/models/user.rb

index d1ac8e006fed739269cf5969f13c742c668aaec1..234479d08bbdbb972a552f8033863c48b192a081 100644 (file)
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -4,7 +4,9 @@ class User < ApplicationRecord
    devise :database_authenticatable, :registerable,
           :recoverable, :rememberable, :validatable,
           :confirmable, :lockable, :two_factor_authenticatable, :two_factor_backupable,
-         otp_secret_encryption_key: Rails.application.credentials.active_record_encryption[:primary_key]
+         otp_secret_encryption_key: ENV.fetch('ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY') do
+            Rails.application.credentials.dig(:active_record_encryption, :primary_key) || 'test_key_1_'*4
+         end
  
    encrypts :otp_secret
    attr_accessor :otp_plain_secret
author	Aidan Cornelius-Bell <aidan@cornelius-bell.com>
	Tue, 31 Dec 2024 21:21:12 +0000 (07:51 +1030)
committer	Aidan Cornelius-Bell <aidan@cornelius-bell.com>
	Tue, 31 Dec 2024 21:21:12 +0000 (07:51 +1030)