by manojlds 4773 days ago
> if Rails.env.development? or Rails.env.test?

I hate code like this that is explicitly aware of the environment. The code says what it will do in an environment, rather than the environment saying what the code should do in it.

2 comments

Something more like the following is probably a better solution:

    if ENV['SECRET_TOKEN'].blank?
      raise 'SECRET_TOKEN environment variable is not set!'
    end

    App::Application.config.secret_token = ENV['SECRET_TOKEN']

ryannielson's solution is the best IMO, as it requires the environment variable to be set, & most importantly, shows a nice error to the developer should they miss it.

Even better, raise 'SECRET_TOKEN not set! Please refer to the doc in xyz'

So, the specific method for setting is in an "xyz" doc that your team keeps in a SEPARATE location from the code repo.

And, we really need a standard way to do this, or GitHub pulls / forks will have more friction or bad security when setting up forks.

Also, I really would rather put it in a file, not system env, as the env might be set up differently on different systems, & you'd hate to have that env potentially shared in multi-user systems. Files are more reliably locked down.

Rails already raises an exception for you if the secret is blank.

In: `actionpack-3.2.13/lib/action_controller/metal/http_authentication.rb`:

    raise "You must set config.secret_token in your app's config" if secret.blank?

I had the same feeling. Inspired by this post, I just moved my secret token config into production.rb, test.rb, and development.rb, and deleted secret_token.rb.
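
The suggestions in this thread combined into one fail-fast loader, as an added example that is not code from any commenter or from Rails: it reads `SECRET_TOKEN` from the environment, falls back to a file only if that file is not readable by group or other users, and raises an error pointing at the setup doc. The names `load_secret_token`, `MissingSecretError`, `secret_error` and `demo`, the env-before-file order, and the sample token are assumptions made for illustration.

```ruby
require 'tempfile'

# Hypothetical helper (not part of Rails): resolve the secret token from the
# environment first, then from a file, and fail loudly if neither is usable.
MIN_SECRET_LENGTH = 30 # minimum length Rails 3.2 accepts for secret_token
class MissingSecretError < StandardError; end

def load_secret_token(env: ENV, file: nil, doc: 'xyz')
  value = env['SECRET_TOKEN'].to_s.strip
  if value.empty? && file && File.file?(file)
    mode = File.stat(file).mode & 0o777
    # Refuse a file that group or other users can read or write.
    unless (mode & 0o077).zero?
      raise MissingSecretError,
            format('%s has mode %04o; run chmod 600 on it', file, mode)
    end
    value = File.read(file).strip
  end
  if value.empty?
    raise MissingSecretError,
          "SECRET_TOKEN not set! Please refer to the doc in #{doc}"
  end
  if value.length < MIN_SECRET_LENGTH
    raise MissingSecretError,
          "SECRET_TOKEN is #{value.length} characters; need at least #{MIN_SECRET_LENGTH}"
  end
  value
end

# Returns the error message raised for the given inputs, or nil on success.
def secret_error(**args)
  load_secret_token(**args)
  nil
rescue MissingSecretError => e
  e.message
end

# Constructed demo: a throwaway file holding a constructed (non-secret) token.
def demo
  Tempfile.create('secret_token') do |f|
    f.write("#{'a' * 64}\n")
    f.flush
    File.chmod(0o644, f.path) # world-readable: must be rejected
    loose = secret_error(env: {}, file: f.path)
    File.chmod(0o600, f.path) # owner-only: accepted
    tight = load_secret_token(env: {}, file: f.path)
    [loose, tight.length]
  end
end
```

In an initializer this would be called as `App::Application.config.secret_token = load_secret_token(file: ...)`, with the file path kept outside the repository.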