From da81b878cf802eb2e99efc692c6ae74d77a9362a Mon Sep 17 00:00:00 2001
From: Aidan Cornelius-Bell
Date: Wed, 1 Jan 2025 07:51:12 +1030
Subject: [PATCH] fixed an unsafe access to 2FA keys on the user model again, all for github
---
 app/models/user.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/app/models/user.rb b/app/models/user.rb
index d1ac8e0..234479d 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -4,7 +4,9 @@ class User < ApplicationRecord
 devise :database_authenticatable, :registerable, :recoverable, :rememberable, :validatable, :confirmable, :lockable, :two_factor_authenticatable, :two_factor_backupable,
- otp_secret_encryption_key: Rails.application.credentials.active_record_encryption[:primary_key]
+ otp_secret_encryption_key: ENV.fetch('ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY') do
+ Rails.application.credentials.dig(:active_record_encryption, :primary_key) || 'test_key_1_'*4
+ end
 encrypts :otp_secret
 attr_accessor :otp_plain_secret
--
2.39.5
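Review bot: The fallback `'test_key_1_'*4` inside the `ENV.fetch` block applies in every environment, so a production deploy missing both `ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY` and the credentials entry would boot without error and use a constant published in the repository as the OTP secret encryption key. The lookup should fail closed outside the test environment, for example `Rails.application.credentials.dig(:active_record_encryption, :primary_key) || (Rails.env.test? ? 'test_key_1_' * 4 : raise(KeyError, 'OTP encryption key is not configured'))`. `ENV.fetch` also returns an empty string when the variable is set but blank, so a presence check on the result before it reaches `devise` is worth adding. The `User` class body starts before and continues after this hunk, so any key validation elsewhere in the model is not visible here.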