Rails 6: Beware the master.key

Checking encrypted credentials into git using Rails 6 feels weird but is pretty great.

What isn’t great is getting this error when deploying to Heroku:

ActiveSupport::MessageEncryptor::InvalidMessage: ActiveSupport::MessageEncryptor::InvalidMessage

After running EDITOR=vim bundle exec rails credentials:edit Rails will create a master.key file which works fine, but expects all your environments to be in a single credentials file and creates a master.key to decrypt the file.

Subsequently running EDITOR=vim bundle exec rails credentials:edit --environment staging appears to not use the master key and instead autocreates a ./config/credentials/staging.key.

In Heroku, the RAILS_MASTER_KEY environment variable needs to be set to the value of staging.key, not master.key, otherwise the MessageEncryptor error is thrown. This wasn’t clear to me from various tutorials and StackOverflow posts.

Git: fix secondary ssh key unable to access repo (MFA code problem)

The Problem

For some reason after enabling MFA on my secondary (work) GitHub account, I occasionally get a “broken” SSH key loaded into ssh-agent, possibly after entering an incorrect MFA code during my .bashrc login process in terminal.

When attempting to interact with a git repo using the secondary SSH key, access is denied.

The error from git is factual but not helpful:

> git pull
ERROR: Repository not found.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

The Fix

A reliable solution is to clear out all SSH keys from ssh-agent and re-add:

> ssh-add -D
> ssh-add -K ~/.ssh/customkeyname-id_rsa

Eventually I’ll troubleshoot the underlying issue but for now this fix is good enough.

adding a blocklist break-glass header for Rack::Attack

When blocklisting broad IP ranges using the Rails Rack::Attack gem, it can be valuable to have a break-glass HTTP header so that legitimate users in a blocked range can still access the webapp.

The Rack::Attack docs provide most of the information on how to do this, however the syntax in the current example does not match the format of a header injected into the browser using an extension such as SimpleModifyHeaders.

As it turns out, any such headers are uppercased and prefixed with HTTP_. So if in your browser extension you set your header as SuperSecretKey, Rack::Attack would pass it through as HTTP_SUPERSECRETKEY.

The below code snippet illustrates, and also dumps out all headers to the console as a comma delimited list.

class Rack::Attack

  p "~~~~~~~~ RAAAACK ATTAAAAAAAACK ~~~~~~~~"

  # whitelist by HTTP header
  Rack::Attack.safelist("mark any authenticated user as safe") do |request|

    p "~~ HEADER CHECK ~~"

    p request.env.sort.compact.reject(&:empty?).join(',')

    puts request.env.key?("HTTP_SUPERSECRETKEY")
    puts request.env["HTTP_SUPERSECRETKEY"]
    request.env["HTTP_SUPERSECRETKEY"] == "Hunter2"


Rails: fix Bundler 2 lockfile error

The fix

gem update --system # update Rubygems
gem install bundler # update bundler
bundler update --bundler # update Gemfile.lock in your project

The error message

>bundle exec guard
14:41:40 - INFO - Guard::RSpec is running
14:41:40 - INFO - Guard is now watching at '/Users/user/project'
14:41:52 - INFO - Running: spec/spec.rb
You must use Bundler 2 or greater with this lockfile.
14:41:52 - ERROR - Failed: "bundle exec bin/rspec -f progress -r /Users/user/project/vendor/bundle/ruby/2.6.0/gems/guard-rspec-4.7.3/lib/guard/rspec_formatter.rb -f Guard::RSpecFormatter --failure-exit-code 2 spec/spec.rb" (exit code: 20)

Fix slow rspec on macOS – 10x speedup

For some reason rspec was running horribly slow on my macOS laptop, with a simple test suite taking over 30 seconds to run. This made TDD almost unbearable:

>rspec spec/features
Finished in 27.29 seconds (files took 33.71 seconds to load)
8 examples, 2 failures

After some googling, the recommended approach is to compile spring binstubs for rspec. For good hygiene, we’ll use bundler to do this, and use guard so we can leave a terminal window open on a second monitor and see test results automatically after saving code changes.

# edit /Gemfile
group :development do
gem 'guard'
gem 'guard-rspec'
gem 'spring'
gem 'spring-commands-rspec'
gem 'spring-watcher-listen'

>bundle install --path vendor/bundle --without=production --binstubs # install gems into vendor/bundle
>echo 'vendor/bundle' >> .gitignore # don't track installed gemfiles

Update 16/08/2020: I no longer install gems into ./vendor/bundle and instead let rbenv handle the location for me. I don’t believe this change in approach affects the meat of this article.

Now replace the bundler rails binstubs with updated rails gem versions and insert spring:

>bundle exec rails app:update:bin # now regenerate standard rails binstubs
>bin/rails app:update:bin # norly plox use teh rail binstubs
>bundle exec spring binstub --all # use spring versions of binstubs
>bundle exec guard init # create guard config file /Guardfile

Note: bin/rails can get overwritten by bundler and stop accepting commands eg “bin/rails server” will show the default output of “rails” instead of launching the server. This can be fixed by running “bundle binstubs railties” then updating the binstubs again as per the instructions above.

Running “bundle config –delete bin” will stop bundler from blatting bin/rails but this also means you will need to manually generate binstubs using eg “bundle binstubs cucumber”.

Note also that bundler pulls in config from $APP/.bundle/config and ~/.bundle.config, so disabling binstubs in your app folder can be overridden by your home directory config.

# edit /Guardfile
guard :rspec, cmd: “bundle exec bin/rspec”, failed_mode: :keep do

>bundle exec guard

Finished in 1.72 seconds (files took 3.17 seconds to load)
5 examples, 2 failures

From 33 seconds to 3 seconds. Nice!

Tip: now instead of using “bundle exec” rails or rake, use bin/$GEMNAME eg “bin/rails console”. The spring server running in the background will respond much faster than booting rails each time.