Add emphasis on ActiveRecord Encryption configuration values being secret (#30340)

2024-05-17 11:28:40 +02:00
parent a627219b25
commit 12472e7f40
3 changed files with 17 additions and 7 deletions
--- a/config/initializers/active_record_encryption.rb
+++ b/config/initializers/active_record_encryption.rb
@@ -5,7 +5,7 @@
  ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
  ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
 ).each do |key|
-  ENV.fetch(key) do
+  value = ENV.fetch(key) do
    abort <<~MESSAGE

      Mastodon now requires that these variables are set:
@@ -14,9 +14,18 @@
        - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
        - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY

-      Run `bin/rails db:encryption:init` to generate values and then assign the environment variables.
+      Run `bin/rails db:encryption:init` to generate new secrets and then assign the environment variables.
    MESSAGE
  end
+
+  next unless Rails.env.production? && value.end_with?('DO_NOT_USE_IN_PRODUCTION')
+
+  abort <<~MESSAGE
+
+    It looks like you are trying to run Mastodon in production with a #{key} value from the test environment.
+
+    Please generate fresh secrets using `bin/rails db:encryption:init` and use them instead.
+  MESSAGE
 end

 Rails.application.configure do