angular_csrf 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 95e75e2f469c61150a318e60a4ce6e371c4adefb
+  data.tar.gz: ed12d8d03ed7d95b1738e4002e499baa755409ce
+SHA512:
+  metadata.gz: 941795f53de3d76c9621ccd1fae633e402b21b8d2ea606f9324a503ad256820ececa659743a9a0b3da0cb81c61fb4a50bb5418b1164fc429ead8d24d2fc38e0e
+  data.tar.gz: 1928154628be02e35c76c90c87c7f6d0c353b8b680e65a47e090b7afeaabdbfef779228580d27119db37c9cacd91aba0ef3d45d9b7b0c5026ed8273472a80207

data/README.md

@@ -0,0 +1,54 @@
+angular_csrf                                                                                       
+=============
+
+Extends Rails CSRF protection to play nicely with AngularJS.
+
+[![Build Status](https://travis-ci.org/Sinbadsoft/angular_csrf.svg)](https://travis-ci.org/Sinbadsoft/angular_csrf)
+
+CSRF is an exploit that allows malicious websites to do unauthorized actions on a website that trusts the user.
+The angular_csrf gem extends the CSRF protection in Rails to match the naming convention used in AngularJS for the HTTP
+header and cookie token names
+(see [Cookie-to-Header Token](http://en.wikipedia.org/wiki/Cross-site_request_forgery#Cookie-to-Header_Token) CSRF
+protection strategy for more details).
+
+Once installed, angular_csrf "just works": No need to change or configure neither the AngularJS javascript code nor the
+Rails application.
+
+angular_csrf has a very small footprint and has only the rails gem as dependency.
+
+## Getting Started
+
+1. Add the following line to your `Gemfile`:
+  ```ruby
+  gem 'angular_csrf'
+  ```
+  
+  Run the bundle command to install it.
+  ```sh
+  bundle install
+  ```
+2. Run the angular_csrf generator:
+  ```sh
+  rails generate angular_csrf
+  ```
+  
+  The generator will install an initializer `initializers/angular_csrf.rb` which takes care of extending
+  the application controllers to handle the expected AngularJS CSRF protection data.
+3. You are done! Your app CSRF protection now plays nicely with AngularJS.
+
+## How it works
+
+AngularJS [deals with CSRF protection](https://docs.angularjs.org/api/ng/service/$http#cross-site-request-forgery-xsrf-protection) as follows:
+* Reads the CSRF protection token form a cookie, by default `XSRF-TOKEN`
+* Sends back the CSRF token as a http header, by default: `X-XSRF-TOKEN`
+
+angular_csrf makes the Rails application or API set the expected cookie token and read validate the
+http header sent by AngularJS. angular_csrf installs a Rails initializer
+[that extends the application controllers](https://github.com/Sinbadsoft/angular_csrf/blob/master/lib/angular_csrf.rb)
+to perform these tasks.
+
+## License
+
+Licensed under the [MIT License](http://opensource.org/licenses/MIT).
+
+Copyright Sinbadsoft.

data/Rakefile

@@ -0,0 +1,6 @@
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/lib/angular_csrf.rb

@@ -0,0 +1,21 @@
+module AngularCsrf
+  ANGULAR_CSRF_COOKIE_NAME = 'XSRF-TOKEN'
+  ANGULAR_CSRF_HEADER_NAME = 'X-XSRF-Token'
+
+  def self.setup
+    ActiveSupport.on_load(:action_controller) do
+      after_action :set_csrf_cookie_for_angular_js
+
+      define_method :set_csrf_cookie_for_angular_js do
+        cookies[ANGULAR_CSRF_COOKIE_NAME] = form_authenticity_token if protect_against_forgery?
+      end
+      private :set_csrf_cookie_for_angular_js
+
+      define_method :verified_request_with_angular_header? do
+        verified_request_without_angular_header? ||
+          form_authenticity_token == request.headers[ANGULAR_CSRF_HEADER_NAME]
+      end
+      alias_method_chain :verified_request?, :angular_header
+    end
+  end
+end

data/lib/generators/angular_csrf/USAGE

@@ -0,0 +1,9 @@
+Description:
+    Patches the application controllers in order to emit the CSRF cookie
+    and set the HTTP header used by AngularJS to handle CSRF protection.
+
+Example:
+    rails generate angular_csrf
+
+    This will create:
+        initializers/angular_csrf.rb

data/lib/generators/angular_csrf/angular_csrf_generator.rb

@@ -0,0 +1,7 @@
+class AngularCsrfGenerator < Rails::Generators::Base
+  source_root File.expand_path('../templates', __FILE__)
+
+  def copy_initializer_file
+    copy_file 'angular_csrf.rb', 'config/initializers/angular_csrf.rb'
+  end
+end

data/lib/generators/angular_csrf/templates/angular_csrf.rb

@@ -0,0 +1 @@
+AngularCsrf.setup

data/lib/version.rb

@@ -0,0 +1,3 @@
+module AngularCsrf
+  VERSION = '0.1.0'
+end

data/spec/angular_csrf_spec.rb

@@ -0,0 +1,33 @@
+require 'rails_helper'
+
+describe 'angular_csrf', type: :request do
+  it 'sets expected AngularJS csrf cookie' do
+    get '/'
+    expect(response.cookies[AngularCsrf::ANGULAR_CSRF_COOKIE_NAME]).to_not be_nil
+    expect(response.cookies[AngularCsrf::ANGULAR_CSRF_COOKIE_NAME]).to eq(session[:_csrf_token])
+  end
+
+  it 'checks AngularJS csrf http header for csrf protection' do
+    get '/'
+    post '/', { }, AngularCsrf::ANGULAR_CSRF_HEADER_NAME => session[:_csrf_token]
+    expect(response.status).to eq(201)
+  end
+
+  it 'not modify behavior for default csrf http header' do
+    get '/'
+    post '/', { }, 'X-CSRF-Token' => session[:_csrf_token]
+    expect(response.status).to eq(201)
+  end
+
+  it 'changes AngularJS csrf cookie value on csrf token change' do
+    get '/'
+    old_csrf_token = session[:_csrf_token]
+
+    post '/create_and_reset_session', { },
+         AngularCsrf::ANGULAR_CSRF_HEADER_NAME => response.cookies[AngularCsrf::ANGULAR_CSRF_COOKIE_NAME]
+    expect(response.status).to eq(201)
+
+    expect(response.cookies[AngularCsrf::ANGULAR_CSRF_COOKIE_NAME]).to_not eq(old_csrf_token)
+    expect(response.cookies[AngularCsrf::ANGULAR_CSRF_COOKIE_NAME]).to eq(session[:_csrf_token])
+  end
+end

data/spec/rails_app/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+gem 'rails', '4.1.7'
+gem 'angular_csrf', path: '../../'

data/spec/rails_app/Gemfile.lock

@@ -0,0 +1,86 @@
+PATH
+  remote: ../../
+  specs:
+    angular_csrf (0.1.0)
+      rails (>= 3.1)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    actionmailer (4.1.7)
+      actionpack (= 4.1.7)
+      actionview (= 4.1.7)
+      mail (~> 2.5, >= 2.5.4)
+    actionpack (4.1.7)
+      actionview (= 4.1.7)
+      activesupport (= 4.1.7)
+      rack (~> 1.5.2)
+      rack-test (~> 0.6.2)
+    actionview (4.1.7)
+      activesupport (= 4.1.7)
+      builder (~> 3.1)
+      erubis (~> 2.7.0)
+    activemodel (4.1.7)
+      activesupport (= 4.1.7)
+      builder (~> 3.1)
+    activerecord (4.1.7)
+      activemodel (= 4.1.7)
+      activesupport (= 4.1.7)
+      arel (~> 5.0.0)
+    activesupport (4.1.7)
+      i18n (~> 0.6, >= 0.6.9)
+      json (~> 1.7, >= 1.7.7)
+      minitest (~> 5.1)
+      thread_safe (~> 0.1)
+      tzinfo (~> 1.1)
+    arel (5.0.1.20140414130214)
+    builder (3.2.2)
+    erubis (2.7.0)
+    hike (1.2.3)
+    i18n (0.6.11)
+    json (1.8.1)
+    mail (2.6.3)
+      mime-types (>= 1.16, < 3)
+    mime-types (2.4.3)
+    minitest (5.4.2)
+    multi_json (1.10.1)
+    rack (1.5.2)
+    rack-test (0.6.2)
+      rack (>= 1.0)
+    rails (4.1.7)
+      actionmailer (= 4.1.7)
+      actionpack (= 4.1.7)
+      actionview (= 4.1.7)
+      activemodel (= 4.1.7)
+      activerecord (= 4.1.7)
+      activesupport (= 4.1.7)
+      bundler (>= 1.3.0, < 2.0)
+      railties (= 4.1.7)
+      sprockets-rails (~> 2.0)
+    railties (4.1.7)
+      actionpack (= 4.1.7)
+      activesupport (= 4.1.7)
+      rake (>= 0.8.7)
+      thor (>= 0.18.1, < 2.0)
+    rake (10.3.2)
+    sprockets (2.12.3)
+      hike (~> 1.2)
+      multi_json (~> 1.0)
+      rack (~> 1.0)
+      tilt (~> 1.1, != 1.3.0)
+    sprockets-rails (2.2.0)
+      actionpack (>= 3.0)
+      activesupport (>= 3.0)
+      sprockets (>= 2.8, < 4.0)
+    thor (0.19.1)
+    thread_safe (0.3.4)
+    tilt (1.4.1)
+    tzinfo (1.2.2)
+      thread_safe (~> 0.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  angular_csrf!
+  rails (= 4.1.7)

data/spec/rails_app/Rakefile

@@ -0,0 +1,6 @@
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require File.expand_path('../config/application', __FILE__)
+
+Rails.application.load_tasks

data/spec/rails_app/app/assets/javascripts/application.js

@@ -0,0 +1,13 @@
+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
+// or vendor/assets/javascripts of plugins, if any, can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// compiled file.
+//
+// Read Sprockets README (https://github.com/sstephenson/sprockets#sprockets-directives) for details
+// about supported directives.
+//
+//= require_tree .

data/spec/rails_app/app/assets/stylesheets/application.css

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or vendor/assets/stylesheets of plugins, if any, can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any styles
+ * defined in the other CSS/SCSS files in this directory. It is generally better to create a new
+ * file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */

data/spec/rails_app/app/controllers/application_controller.rb

@@ -0,0 +1,3 @@
+class ApplicationController < ActionController::Base
+  protect_from_forgery with: :exception
+end

data/spec/rails_app/app/controllers/guinea_pig_controller.rb

@@ -0,0 +1,14 @@
+class GuineaPigController < ApplicationController
+  def index
+    head :ok
+  end
+
+  def create
+    head :created
+  end
+
+  def create_and_reset_session
+    reset_session
+    head :created
+  end
+end

data/spec/rails_app/app/helpers/application_helper.rb

@@ -0,0 +1,2 @@
+module ApplicationHelper
+end

data/spec/rails_app/app/views/layouts/application.html.erb

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>RailsApp</title>
+  <%= stylesheet_link_tag    'application', media: 'all' %>
+  <%= javascript_include_tag 'application' %>
+  <%= csrf_meta_tags %>
+</head>
+<body>
+
+<%= yield %>
+
+</body>
+</html>

data/spec/rails_app/bin/bundle

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
+load Gem.bin_path('bundler', 'bundle')

data/spec/rails_app/bin/rails

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+APP_PATH = File.expand_path('../../config/application',  __FILE__)
+require_relative '../config/boot'
+require 'rails/commands'

data/spec/rails_app/bin/rake

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+require_relative '../config/boot'
+require 'rake'
+Rake.application.run

data/spec/rails_app/config/application.rb

@@ -0,0 +1,31 @@
+require File.expand_path('../boot', __FILE__)
+
+# Pick the frameworks you want:
+require "active_model/railtie"
+# require "active_record/railtie"
+require "action_controller/railtie"
+require "action_mailer/railtie"
+# require "action_view/railtie"
+# require "sprockets/railtie"
+# require "rails/test_unit/railtie"
+
+# Require the gems listed in Gemfile, including any gems
+# you've limited to :test, :development, or :production.
+Bundler.require(*Rails.groups)
+
+
+module RailsApp
+  class Application < Rails::Application
+    # Settings in config/environments/* take precedence over those specified here.
+    # Application configuration should go into files in config/initializers
+    # -- all .rb files in that directory are automatically loaded.
+
+    # Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
+    # Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
+    # config.time_zone = 'Central Time (US & Canada)'
+
+    # The default locale is :en and all translations from config/locales/*.rb,yml are auto loaded.
+    # config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s]
+    # config.i18n.default_locale = :de
+  end
+end

data/spec/rails_app/config/boot.rb

@@ -0,0 +1,4 @@
+# Set up gems listed in the Gemfile.
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
+
+require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE'])

data/spec/rails_app/config/environment.rb

@@ -0,0 +1,5 @@
+# Load the Rails application.
+require File.expand_path('../application', __FILE__)
+
+# Initialize the Rails application.
+Rails.application.initialize!

data/spec/rails_app/config/environments/development.rb

@@ -0,0 +1,25 @@
+Rails.application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # In the development environment your application's code is reloaded on
+  # every request. This slows down response time but is perfect for development
+  # since you don't have to restart the web server when you make code changes.
+  config.cache_classes = false
+
+  # Do not eager load code on boot.
+  config.eager_load = false
+
+  # Show full error reports and disable caching.
+  config.consider_all_requests_local       = true
+  config.action_controller.perform_caching = false
+
+  # Don't care if the mailer can't send.
+  config.action_mailer.raise_delivery_errors = false
+
+  # Print deprecation notices to the Rails logger.
+  config.active_support.deprecation = :log
+
+
+  # Raises error for missing translations
+  # config.action_view.raise_on_missing_translations = true
+end

data/spec/rails_app/config/environments/production.rb

@@ -0,0 +1,64 @@
+Rails.application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # Code is not reloaded between requests.
+  config.cache_classes = true
+
+  # Eager load code on boot. This eager loads most of Rails and
+  # your application in memory, allowing both threaded web servers
+  # and those relying on copy on write to perform better.
+  # Rake tasks automatically ignore this option for performance.
+  config.eager_load = true
+
+  # Full error reports are disabled and caching is turned on.
+  config.consider_all_requests_local       = false
+  config.action_controller.perform_caching = true
+
+  # Enable Rack::Cache to put a simple HTTP cache in front of your application
+  # Add `rack-cache` to your Gemfile before enabling this.
+  # For large-scale production use, consider using a caching reverse proxy like nginx, varnish or squid.
+  # config.action_dispatch.rack_cache = true
+
+  # Disable Rails's static asset server (Apache or nginx will already do this).
+  config.serve_static_assets = false
+
+
+  # Specifies the header that your server uses for sending files.
+  # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache
+  # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx
+
+  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
+  # config.force_ssl = true
+
+  # Set to :debug to see everything in the log.
+  config.log_level = :info
+
+  # Prepend all log lines with the following tags.
+  # config.log_tags = [ :subdomain, :uuid ]
+
+  # Use a different logger for distributed setups.
+  # config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new)
+
+  # Use a different cache store in production.
+  # config.cache_store = :mem_cache_store
+
+  # Enable serving of images, stylesheets, and JavaScripts from an asset server.
+  # config.action_controller.asset_host = "http://assets.example.com"
+
+  # Ignore bad email addresses and do not raise email delivery errors.
+  # Set this to true and configure the email server for immediate delivery to raise delivery errors.
+  # config.action_mailer.raise_delivery_errors = false
+
+  # Enable locale fallbacks for I18n (makes lookups for any locale fall back to
+  # the I18n.default_locale when a translation cannot be found).
+  config.i18n.fallbacks = true
+
+  # Send deprecation notices to registered listeners.
+  config.active_support.deprecation = :notify
+
+  # Disable automatic flushing of the log to improve performance.
+  # config.autoflush_log = false
+
+  # Use default logging formatter so that PID and timestamp are not suppressed.
+  config.log_formatter = ::Logger::Formatter.new
+end

data/spec/rails_app/config/environments/test.rb

@@ -0,0 +1,39 @@
+Rails.application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # The test environment is used exclusively to run your application's
+  # test suite. You never need to work with it otherwise. Remember that
+  # your test database is "scratch space" for the test suite and is wiped
+  # and recreated between test runs. Don't rely on the data there!
+  config.cache_classes = true
+
+  # Do not eager load code on boot. This avoids loading your whole application
+  # just for the purpose of running a single test. If you are using a tool that
+  # preloads Rails for running tests, you may have to set it to true.
+  config.eager_load = false
+
+  # Configure static asset server for tests with Cache-Control for performance.
+  config.serve_static_assets  = true
+  config.static_cache_control = 'public, max-age=3600'
+
+  # Show full error reports and disable caching.
+  config.consider_all_requests_local       = true
+  config.action_controller.perform_caching = false
+
+  # Raise exceptions instead of rendering exception templates.
+  config.action_dispatch.show_exceptions = false
+
+  # Disable request forgery protection in test environment.
+  config.action_controller.allow_forgery_protection = true
+
+  # Tell Action Mailer not to deliver emails to the real world.
+  # The :test delivery method accumulates sent emails in the
+  # ActionMailer::Base.deliveries array.
+  config.action_mailer.delivery_method = :test
+
+  # Print deprecation notices to the stderr.
+  config.active_support.deprecation = :stderr
+
+  # Raises error for missing translations
+  # config.action_view.raise_on_missing_translations = true
+end

data/spec/rails_app/config/initializers/angular_csrf.rb

@@ -0,0 +1 @@
+AngularCsrf.setup

data/spec/rails_app/config/initializers/backtrace_silencers.rb

@@ -0,0 +1,7 @@
+# Be sure to restart your server when you modify this file.
+
+# You can add backtrace silencers for libraries that you're using but don't wish to see in your backtraces.
+# Rails.backtrace_cleaner.add_silencer { |line| line =~ /my_noisy_library/ }
+
+# You can also remove all the silencers if you're trying to debug a problem that might stem from framework code.
+# Rails.backtrace_cleaner.remove_silencers!

data/spec/rails_app/config/initializers/cookies_serializer.rb

@@ -0,0 +1,3 @@
+# Be sure to restart your server when you modify this file.
+
+Rails.application.config.action_dispatch.cookies_serializer = :json

data/spec/rails_app/config/initializers/filter_parameter_logging.rb

@@ -0,0 +1,4 @@
+# Be sure to restart your server when you modify this file.
+
+# Configure sensitive parameters which will be filtered from the log file.
+Rails.application.config.filter_parameters += [:password]

data/spec/rails_app/config/initializers/inflections.rb

@@ -0,0 +1,16 @@
+# Be sure to restart your server when you modify this file.
+
+# Add new inflection rules using the following format. Inflections
+# are locale specific, and you may define rules for as many different
+# locales as you wish. All of these examples are active by default:
+# ActiveSupport::Inflector.inflections(:en) do |inflect|
+#   inflect.plural /^(ox)$/i, '\1en'
+#   inflect.singular /^(ox)en/i, '\1'
+#   inflect.irregular 'person', 'people'
+#   inflect.uncountable %w( fish sheep )
+# end
+
+# These inflection rules are supported but not enabled by default:
+# ActiveSupport::Inflector.inflections(:en) do |inflect|
+#   inflect.acronym 'RESTful'
+# end

data/spec/rails_app/config/initializers/mime_types.rb

@@ -0,0 +1,4 @@
+# Be sure to restart your server when you modify this file.
+
+# Add new mime types for use in respond_to blocks:
+# Mime::Type.register "text/richtext", :rtf

data/spec/rails_app/config/initializers/session_store.rb

@@ -0,0 +1,3 @@
+# Be sure to restart your server when you modify this file.
+
+Rails.application.config.session_store :cookie_store, key: '_rails_app_session'

data/spec/rails_app/config/initializers/wrap_parameters.rb

@@ -0,0 +1,9 @@
+# Be sure to restart your server when you modify this file.
+
+# This file contains settings for ActionController::ParamsWrapper which
+# is enabled by default.
+
+# Enable parameter wrapping for JSON. You can disable this by setting :format to an empty array.
+ActiveSupport.on_load(:action_controller) do
+  wrap_parameters format: [:json] if respond_to?(:wrap_parameters)
+end

data/spec/rails_app/config/locales/en.yml

@@ -0,0 +1,23 @@
+# Files in the config/locales directory are used for internationalization
+# and are automatically loaded by Rails. If you want to use locales other
+# than English, add the necessary files in this directory.
+#
+# To use the locales, use `I18n.t`:
+#
+#     I18n.t 'hello'
+#
+# In views, this is aliased to just `t`:
+#
+#     <%= t('hello') %>
+#
+# To use a different locale, set it with `I18n.locale`:
+#
+#     I18n.locale = :es
+#
+# This would use the information in config/locales/es.yml.
+#
+# To learn more, please read the Rails Internationalization guide
+# available at http://guides.rubyonrails.org/i18n.html.
+
+en:
+  hello: "Hello world"

data/spec/rails_app/config/routes.rb

@@ -0,0 +1,5 @@
+Rails.application.routes.draw do
+  get '/', to: 'guinea_pig#index'
+  post '/', to: 'guinea_pig#create'
+  post '/create_and_reset_session', to: 'guinea_pig#create_and_reset_session'
+end

data/spec/rails_app/config/secrets.yml

@@ -0,0 +1,22 @@
+# Be sure to restart your server when you modify this file.
+
+# Your secret key is used for verifying the integrity of signed cookies.
+# If you change this key, all old signed cookies will become invalid!
+
+# Make sure the secret is at least 30 characters and all random,
+# no regular words or you'll be exposed to dictionary attacks.
+# You can use `rake secret` to generate a secure secret key.
+
+# Make sure the secrets in this file are kept private
+# if you're sharing your code publicly.
+
+development:
+  secret_key_base: 0dad1f487d3c644521a79bbaae278292e49d65d1eb3ea4661155babc2c7f39d4f2ddd66d8669e1bf4cef544f8d1c1093f07efcf9642cdbe0cca165918138bce6
+
+test:
+  secret_key_base: be7a3f49499bd1e57a3936c6ae105d01737ac2b59790abea04514163c4e274dd29802a1be141fdf79b160b83dbea76ef37b7824668f4ad2d858fcdc2e1f5139a
+
+# Do not keep production secrets in the repository,
+# instead read values from the environment.
+production:
+  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

data/spec/rails_app/config.ru

@@ -0,0 +1,4 @@
+# This file is used by Rack-based servers to start the application.
+
+require ::File.expand_path('../config/environment',  __FILE__)
+run Rails.application

data/spec/rails_app/db/seeds.rb

@@ -0,0 +1,7 @@
+# This file should contain all the record creation needed to seed the database with its default values.
+# The data can then be loaded with the rake db:seed (or created alongside the db with db:setup).
+#
+# Examples:
+#
+#   cities = City.create([{ name: 'Chicago' }, { name: 'Copenhagen' }])
+#   Mayor.create(name: 'Emanuel', city: cities.first)