Charlton's Blog

Sssecrets: Now for Devise

Generate secrets that are easy to detect when leaked

Published: Jul 25, 2023
Category: Programming, Projects, Security

I recently published a new gem (GitHub) that provides a drop-in replacement for the Devise framework’s built-in friendly token generator. If you’re using Devise in your Rails application, this makes it simple to bring all the benefits of Sssecrets (a simple, secure, and easy-to-use method for generating secrets that are easy to detect when leaked) to your application in a snap.

Check out this demo Rails app to see how easy it is to use the devise-sssecrets gem in your own Rails application.

Using Devise-Sssecrets

Before you begin, add devise-sssecrets to your Gemfile:

bundle add devise-sssecrets

  1. Open your Devise initializer file at config/initializers/devise.rb.

  2. Use the Devise.setup block to configure your token organization and types.

Devise.setup do |config|
  config.friendly_token_org = 'dv' # Set your sssecret token organization. Defaults to "dv".
  config.friendly_token_types[:default] = 'ft' # Add your sssecret token types like so. Default is "ft".
  config.friendly_token_types[:user] = 'usr'
  config.friendly_token_types[:admin] = 'adm'

  # Any other Devise configuration...
end
  3. Call Devise.friendly_token with your desired parameters to generate friendly tokens based on the configured sssecrets organization and type prefixes.

That’s it!

Example

# Generate a friendly token with the default org 'dv' and default type 'ft'
token_with_default_prefix = Devise.friendly_token
# => "dvft_3MU5bK5MChmzOmxCsQIhb7CEXgdcPj3tNmF9"

# Generate a friendly token with the org 'test' and type 'user'
token_with_user_prefix = Devise.friendly_token(org: "test", prefix_type: :user)
# => "testusr_cFl9hMJTxPRxpnHBmiUNgKizhilscT4RfLk2"

# Generate a friendly token with the default org and type 'admin'
token_with_admin_prefix = Devise.friendly_token(prefix_type: :admin)
# => "dvadm_2Srrwf5IWVubTHmqBTVmvAraHgeCYO11ezUh"

Prefix Configuration

Token prefixes are a simple and effective method to make tokens identifiable. Slack, Stripe, GitHub, and others have adopted this approach to great effect.

Sssecrets allows you to provide two abbreviated strings, org and type, which together make up the token prefix. Generally, org identifies the issuer (your company or app), while type identifies what kind of secret the token is (e.g., OAuth token, refresh token, API key) so that a leaked value can be attributed and revoked without guesswork. To maintain a compact and consistent format for Sssecret tokens, org and type together should not exceed 10 characters in length.
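The payoff of a fixed prefix is that anything that sees text (a pre-commit hook, a log pipeline, a secret scanner) can flag your tokens by shape alone. The following is an added example written for this post, not code from the devise-sssecrets gem: it builds one regexp from a configured org and type table and scans constructed sample lines for matches. It assumes, based only on the sample tokens shown above, that the part after the underscore is 36 base62 characters; the constants, function names and sample text are all illustrative.

```ruby
# Added example: prefix-based leak detection for Sssecrets-style tokens.
# Not part of the devise-sssecrets gem. Assumes (from the page's samples)
# that the secret part after "_" is 36 base62 characters.

ORG = "dv"
TYPES = { default: "ft", user: "usr", admin: "adm" }.freeze
SUFFIX_LEN = 36 # assumption taken from the sample tokens on the page

# One anchored regexp covering every configured org/type prefix.
# The prefix is matched literally; the secret part is matched as base62.
def sssecret_pattern(org: ORG, types: TYPES, suffix_len: SUFFIX_LEN)
  prefixes = types.values.map { |t| Regexp.escape("#{org}#{t}") }
  /\b(#{prefixes.join("|")})_([0-9A-Za-z]{#{suffix_len}})\b/
end

# Scan text line by line; return { type:, token:, line: } for each hit.
# The type is recovered from the prefix, which is exactly what makes a
# leaked token attributable (which org, which kind of credential).
def scan_for_sssecrets(text, org: ORG, types: TYPES)
  by_prefix = types.to_h { |name, abbrev| ["#{org}#{abbrev}", name] }
  pattern = sssecret_pattern(org: org, types: types)
  findings = []
  text.each_line.with_index(1) do |line, lineno|
    line.scan(pattern) do |prefix, secret|
      findings << { type: by_prefix.fetch(prefix), token: "#{prefix}_#{secret}", line: lineno }
    end
  end
  findings
end

# Keep the prefix and a short fingerprint so a finding can be reported
# (and matched against an issuance record) without echoing the secret.
def redact(token)
  prefix, secret = token.split("_", 2)
  "#{prefix}_#{secret[0, 4]}#{"*" * (secret.length - 4)}"
end

# Constructed sample input: a diff line, a log line, and a lookalike that is
# too short and must not be reported.
SAMPLE = <<~TEXT
  + DEVISE_TOKEN = "dvft_3MU5bK5MChmzOmxCsQIhb7CEXgdcPj3tNmF9"
  2023-07-25T10:00:00Z INFO password reset token=dvusr_cFl9hMJTxPRxpnHBmiUNgKizhilscT4RfLk2
  not a token: dvadm_tooShort123
TEXT

if __FILE__ == $PROGRAM_NAME
  scan_for_sssecrets(SAMPLE).each do |f|
    puts "line #{f[:line]}: #{f[:type]} token #{redact(f[:token])}"
  end
end
```

Because the org is part of the pattern, the same scanner can be pointed at tokens minted for another issuer by passing org: "test", matching the second example above. A real deployment would run this over commits or logs and revoke the matched token rather than just print it.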

The overridden Devise.friendly_token implementation has been extended to accept two optional keyword parameters:

  • prefix_type: Selects which entry of config.friendly_token_types to use as the type part of the prefix. If not provided, it defaults to :default.

  • org: Specifies the organization part of the prefix. If not provided, config.friendly_token_org is used.

Note: the original implementation’s length parameter is now ignored; tokens always use the fixed Sssecrets format, so any caller that passed a custom length will get that format instead.