Devise Secret value Distribution

[Wilfongjt]

Distribution of devise_secret value

devise_secret allows AAD to send outgoing email. We've been using SF's SMTP server (we are so bad) and now we are switching over to our own SMTP server which requires our own devise_secret. Anyway, we need to address how to distribute the devise_secret to developers without putting it into the repo.

Problem:

• a devise_secret can only be provisoned to developers by the Heroku admin
• admins shouldn't have to do distribute the devise_secret value

Solution:

• mitigate the distribution problem by NOT distributing the devise_secret
• turn off access to SMTP related code when devise_serect not found
• provide user/developer with console warning about the missing value.
• setup a unit test to detect the missing devise_secret environment variable
• point the developer to instructions on configuring an email solution

[jacebrowning]

devise_secret allows AAD to send outgoing email

Does it?

My understanding is the secret is simply a pseudorandomly generated value ($ rails secret) used to encrypt account data on the server. I don't believe there is any risk involved in sharing a secret for local development as long as that secret is distinct from production.