0
votes

I am pulling down some HTML via a login. Is there any way to have my password not typed out in plain text in the code? Is there some obfuscation technique I could use?

Ideally I would like a file that contains my password that is separate from the source code that I would like to share. Something that loads the password kept in \docs\mypass.txt would work great. I could then modify this to do a simple unscramble of my real password so I could keep a scrambled version in mypass.txt

There has to be some easy way to do a find and replace on <<mysecretpassword>> and source it from a text file.

<% register.ZServLogin.grabItems("ClimbElCap", "<<mysecretpassword>>").each do |item| %>
2
Presumably, you can use ruby in a ruby template file. With ruby you can read files (File.read("filename.txt")), read the environment (ENV["MY_ENV_VARIABLE"]) and do all other kinds of magic. - PSkocik
Thanks PSkocik this is the answer I choose. The others are too complicated for the project's current scope. - SwimBikeRun

2 Answers

2
votes

In my opinion, not to be taken heavily, you should never store your password as plain text in any file. And while you can obfuscate your password, where there is a lock there is always a key, and keys can be duplicated. What I am trying to say is passwords can be unscrambled. Instead, try storing your password as a hash! I would use the module Ruby provides called Digest; however, Ruby does have some built-in hash methods. (But I will let you explore that area.)

Example time! Let's assume that you want the user to provide a password and you want to store that password in a text file for later. You also want to be able to verify whether or not the password a user enters is correct. Let's begin:

# First you need to require the module
require 'digest'

# Then you need to get the password from the user
input = gets.chomp

# Now the magic begins: using the Digest module we are going to turn the password into a hash
password = Digest::SHA1.hexdigest(input)

# And you can store it wherever and however you would like. (If you are worried about corrupting your file you may want to look into PStore, a great class for persistence.)
write = File.open("password.txt", 'w') do |file|
  file.write(password)
end

# Let's say the program ends there but now we want to have the user log in
puts "Login!"
print "Username: "
user = gets.chomp
print "Password: "
pass = gets.chomp

# Now in order for him to log in we need to compare his password with the one stored in the file
read = File.read("password.txt")

pass = Digest::SHA1.hexdigest(pass)

puts pass == read ? "Passwords match" : "Please try again"

Obviously there is a lot that needs to be done for this to work in your case. But I am just trying to give you options that you may or may not want to consider. Thanks and

Happy Coding!

1
votes

I think this is a perfect example in which you want to use the config/secrets.yml that was introduced in Rails 4.1 (See: http://edgeguides.rubyonrails.org/4_1_release_notes.html#config-secrets-yml). Or a similar gem like Figaro (see: https://github.com/laserlemon/figaro).

In a nutshell: Add your secret keys into config/secrets.yml:

development:
  foo_api_key: 'a-dummy-development-key'
production:
  foo_api_key: 'super-secret-production-key'

You should not add this file to your version control system, unless you load the production keys from your ENV like this:

production:
  foo_api_key: <%= ENV['super-secret-production-key'] %>

In your code you can use those keys like this:

...grabItems("ClimbElCap", Rails.application.secrets.foo_api_key)
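
The approach suggested in the comment on the question and in this answer (read the secret from the environment, or from a file kept out of version control) can be combined in one helper. This is an added example, not code from any of the posts; the variable name `ZSERV_PASSWORD`, the file path and the helper and error class names are assumptions.

```ruby
# Added example: resolve a password at run time instead of hard-coding it.
# Lookup order: 1) environment variable, 2) a file outside the shared source
# tree (list it in .gitignore). All names here are hypothetical.

class MissingSecret < StandardError; end
class InsecureSecretFile < StandardError; end

def load_secret(env_name:, path:, env: ENV)
  value = env[env_name]
  return value unless value.nil? || value.empty?

  raise MissingSecret, "set #{env_name} or create #{path}" unless File.file?(path)

  # On POSIX systems, refuse a file that group or other users can access.
  # Windows does not expose these mode bits, so the check is skipped there.
  unless Gem.win_platform?
    mode = File.stat(path).mode & 0o777
    unless (mode & 0o077).zero?
      raise InsecureSecretFile, format('%s has mode %04o, expected 0600', path, mode)
    end
  end

  # Editors usually append a newline; it must not become part of the password.
  secret = File.read(path).chomp
  raise MissingSecret, "#{path} is empty" if secret.empty?

  secret
end

# Usage in the template from the question (path is a placeholder):
#   <% pw = load_secret(env_name: 'ZSERV_PASSWORD', path: 'docs/mypass.txt') %>
#   <% register.ZServLogin.grabItems("ClimbElCap", pw).each do |item| %>
```

The file still holds the password in the clear, so its protection comes from file permissions and from never committing it, not from the format of its contents.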