

The Marriage of Figaro… and Rails 4.1 👰 - laserlemon
http://collectiveidea.com/blog/archives/2013/12/18/the-marriage-of-figaro-and-rails/

======
alinajaf
> Because knowledge of the secret_key_base allows an attacker to read and
> manipulate an application’s cookies, checking the value in was never a good
> idea.

So FYI, "read and manipulate an application's cookies" is strictly the same as
"run arbitrary ruby code in your Rails application process". I would upgrade
"never a good idea" to "completely and catastrophically exposes your
application to remote code execution" in this paragraph.

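The point above (whoever holds secret_key_base can mint cookies the app will accept, so a leaked key has to be rotated, not merely removed from the repo) as an added Ruby example; it is not code from the post, the article or Figaro. It models a Rails-style signed cookie with plain OpenSSL, and both secrets are constructed placeholders.

```ruby
require "openssl"
require "base64"

# Constructed secrets for illustration only; a real secret_key_base is read
# from ENV (or secrets.yml) and never committed.
OLD_SECRET = "old-secret-that-leaked-into-git-history"
NEW_SECRET = "new-secret-generated-after-rotation"

# Constant-time byte comparison so a wrong signature is not distinguishable
# by timing from an almost-right one.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Minimal model of a signed cookie: base64(payload)--HMAC-SHA1(base64(payload)).
def sign_cookie(value, secret)
  data = Base64.strict_encode64(value)
  digest = OpenSSL::HMAC.hexdigest("SHA1", secret, data)
  "#{data}--#{digest}"
end

# Returns the cookie payload if the signature was produced with `secret`,
# otherwise nil. After rotation only NEW_SECRET is trusted, so anything
# minted with the leaked key is rejected.
def verify_cookie(cookie, secret)
  data, digest = cookie.to_s.split("--", 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA1", secret, data)
  return nil unless secure_equal?(digest, expected)
  Base64.strict_decode64(data)
rescue ArgumentError
  nil
end

if __FILE__ == $PROGRAM_NAME
  legacy = sign_cookie("user_id=42", OLD_SECRET)
  puts "before rotation: #{verify_cookie(legacy, OLD_SECRET).inspect}"
  puts "after rotation:  #{verify_cookie(legacy, NEW_SECRET).inspect}"
end
```

Rotating secret_key_base invalidates every existing session, which is the intended effect once the old value has been exposed.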
~~~
laserlemon
Thanks! Updated.

------
JangoSteve
Figaro was pretty cool last I checked. Though we've been using foreman [1] for
setting the env variables in the .env file, since foreman also helps manage
additional processes in development like mailcatcher, mongo, redis,
elasticsearch, and any other dependent processes that you don't leave running
all the time on your machine. And it has a command to export your env to
Heroku or upstart. I don't remember how much of this Figaro does, just thought
I'd throw foreman out there as another solution to keep in mind.

[1] [https://github.com/ddollar/foreman](https://github.com/ddollar/foreman)

------
dylandrop
Is Figaro even usable without Heroku? From what I understand the commands it
offers are tailor-made for Heroku, and the main problem mentioned (secrets.yml
not being Heroku-friendly) seems like specifically a Heroku problem. IMO I'd
use Figaro for Heroku, and YML files for a VPS.

~~~
laserlemon
Figaro is certainly usable without Heroku. It added some Heroku conveniences
later in life, but is built to simply populate ENV while keeping source
control clean.

~~~
dylandrop
Good to know. I suppose for all cases where I'm deploying to non-Heroku
servers I'd probably still use secrets.yml just because it's built into 4.1.

~~~
laserlemon
Makes sense, now that it's the new convention. Thanks for the comment!

------
aerlinger
I've used Figaro for a few projects and I've found myself very happy with it.
It does one thing well without adding unnecessary complexity or overhead to my
app. I feel that figaro-like capability in Rails is a win for the community
and for figaro/laserlemon as well.

~~~
laserlemon
Thank you! And I completely agree that secrets.yml is a win.

------
dannowatts
Haven't read the link yet, but I love that a wedding emoji was used in the
title!

~~~
laserlemon
I'm really surprised I don't see more Emoji in HN post titles!

------
angryasian
Is the secrets.yml file not checked into source control?

~~~
laserlemon
No, it's not. The idea is that you should be able to (hypothetically) open
source your app at any time without compromising any sensitive information.

