Sssecrets: Now for Devise
Generate secrets that are easy to detect when leaked
I recently published a new gem (GitHub) that provides a drop-in replacement for the Devise framework’s built-in friendly token generator. If you’re using Devise in your Rails application, this makes it simple to bring all the benefits of Sssecrets (a simple, secure, and easy-to-use method for generating secrets that are easy to detect when leaked) to your application in a snap.
Check out this demo Rails app to see how easy it is to use the devise-sssecrets gem in your own Rails application.
Using Devise-Sssecrets
- Before you begin, add devise-sssecrets to your Gemfile:
bundle add devise-sssecrets
- Open your Devise initializer file at config/initializers/devise.rb. Use the Devise.setup block to configure your token organization and types.
Devise.setup do |config|
config.friendly_token_org = 'dv' # Set your sssecret token organization. Defaults to "dv".
config.friendly_token_types[:default] = 'ft' # Add your sssecret token types like so. Default is "ft".
config.friendly_token_types[:user] = 'usr'
config.friendly_token_types[:admin] = 'adm'
# Any other Devise configuration...
end
- Call Devise#friendly_token with your desired parameters to generate friendly tokens based on the configured sssecrets prefixes and organization.
That’s it!
Example
# Generate a friendly token with the default org 'dv' and default type of 'ft'
token_with_default_prefix = Devise.friendly_token
# => "dvft_3MU5bK5MChmzOmxCsQIhb7CEXgdcPj3tNmF9"

# Generate a friendly token with the 'org' of 'test' and type of 'user'
token_with_user_prefix = Devise.friendly_token(org: "test", prefix_type: :user)
# => "testusr_cFl9hMJTxPRxpnHBmiUNgKizhilscT4RfLk2"

# Generate a friendly token with the default 'org' and type of 'admin'
token_with_admin_prefix = Devise.friendly_token(prefix_type: :admin)
# => "dvadm_2Srrwf5IWVubTHmqBTVmvAraHgeCYO11ezUh"
Prefix Configuration
Token prefixes are a simple and effective method to make tokens identifiable. Slack, Stripe, GitHub, and others have adopted this approach to great effect.
Sssecrets allows you to provide two abbreviated strings, org and type, which together make up the token prefix. Generally, org would be used to specify an overarching identifier (like your company or app), while type is intended to identify the token type (i.e., OAuth tokens, refresh tokens, etc.) in some way. To maintain a compact and consistent format for Sssecret tokens, org and type together should not exceed 10 characters in length.
The overridden Devise#friendly_token implementation has been extended to accept two optional parameters:
- prefix_type: Specifies the type of the token prefix. If not provided, it defaults to :default.
- org: Specifies the organization for the friendly token. If not provided, the default organization is used.
Note: the original implementation’s length parameter is now ignored.