authorSantiago Pastorino <santiago@wyeworks.com>2012-11-02 11:03:18 -0200
committerSantiago Pastorino <santiago@wyeworks.com>2012-11-03 14:57:54 -0200
commitc2a7956eb7fbc099ea38d21601d215ab3def27fb (patch)
tree93bad23997aaeea95320a0b9c21216110e8d6a98 /activesupport
parent851e8fe897633f095a0f39a91f8bc75eee7a76aa (diff)
Move ensure_secret_secure to DummyKeyGenerator
Diffstat (limited to 'activesupport')
-rw-r--r--activesupport/lib/active_support/key_generator.rb24
1 files changed, 24 insertions, 0 deletions
diff --git a/activesupport/lib/active_support/key_generator.rb b/activesupport/lib/active_support/key_generator.rb
index a8a4c17fd6..2b5a6fa0ba 100644
--- a/activesupport/lib/active_support/key_generator.rb
+++ b/activesupport/lib/active_support/key_generator.rb
@@ -36,12 +36,36 @@ module ActiveSupport
end
class DummyKeyGenerator
+ SECRET_MIN_LENGTH = 30 # Characters
+
def initialize(secret)
+ ensure_secret_secure(secret)
@secret = secret
end
def generate_key(salt)
@secret
end
+
+ private
+
+ # To prevent users from using something insecure like "Password" we make sure that the
+ # secret they've provided is at least 30 characters in length.
+ def ensure_secret_secure(secret)
+ if secret.blank?
+ raise ArgumentError, "A secret is required to generate an " +
+ "integrity hash for cookie session data. Use " +
+ "config.secret_token_key = \"some secret phrase of at " +
+ "least #{SECRET_MIN_LENGTH} characters\"" +
+ "in config/initializers/secret_token.rb"
+ end
+
+ if secret.length < SECRET_MIN_LENGTH
+ raise ArgumentError, "Secret should be something secure, " +
+ "like \"#{SecureRandom.hex(16)}\". The value you " +
+ "provided, \"#{secret}\", is shorter than the minimum length " +
+ "of #{SECRET_MIN_LENGTH} characters"
+ end
+ end
end
end
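Review bot: The second ArgumentError in ensure_secret_secure interpolates the rejected secret into the exception message (`The value you provided, \"#{secret}\", is shorter ...`), so the operator's chosen secret is written to whatever captures the exception — application logs, error pages, bug reports — even though a secret that is merely too short may be the one they intend to lengthen and keep. Report only the length instead, e.g. `"provided is #{secret.length} characters, shorter than the minimum length " +`. Separately, the first message joins `characters\""` directly to `"in config/initializers/secret_token.rb"` with no separating space, so the rendered text reads `characters"in config/...`; prepend a space to that last fragment. The `SecureRandom.hex(16)` call relies on securerandom being loaded by an earlier part of the file outside this hunk, which is worth confirming.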