From da81b878cf802eb2e99efc692c6ae74d77a9362a Mon Sep 17 00:00:00 2001
From: Aidan Cornelius-Bell <aidan@cornelius-bell.com>
Date: Wed, 1 Jan 2025 07:51:12 +1030
Subject: [PATCH] fixed an unsafe access to 2FA keys on the user model again,
 all for github

---
 app/models/user.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/app/models/user.rb b/app/models/user.rb
index d1ac8e0..234479d 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -4,7 +4,9 @@ class User < ApplicationRecord
   devise :database_authenticatable, :registerable,
          :recoverable, :rememberable, :validatable,
          :confirmable, :lockable, :two_factor_authenticatable, :two_factor_backupable,
-         otp_secret_encryption_key: Rails.application.credentials.active_record_encryption[:primary_key]
+         otp_secret_encryption_key: ENV.fetch('ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY') do
+            Rails.application.credentials.dig(:active_record_encryption, :primary_key) || 'test_key_1_'*4
+         end
 
   encrypts :otp_secret
   attr_accessor :otp_plain_secret
-- 
2.39.5