
Found the code. Looks like basic auth. And, I can't find any password hashing -- are they being stored in the clear?

Also the author checked in credentials and a master key to GitHub



I'm using Rails Devise[1] for user auth, and http basic auth for RSS. RSS Basic auth credentials are always auto-generated, and don't give access to anything other than fetching the RSS feed.

Rails uses the "master key" to let you check in encrypted database credentials. I don't use that, but Rails still requires a key for deployment--so I just checked in a key. Rails is really designed for a codebase that corresponds to a single deployment, so this is a bit of a workaround.

[1] https://github.com/heartcombo/devise
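The RSS basic-auth scheme the author describes (auto-generated credentials that only grant access to the feed) is the kind of thing the first comment was probing for when it asked about hashing. As an added illustration, not code from the project or from the author, here is how such a feed credential can be issued and verified so that only a digest of the token is stored and the comparison is constant-time. The record layout, function names and the SHA-256 choice are assumptions for the example; the project's own schema and code are not shown on the page.

```ruby
require "securerandom"
require "digest"
require "base64"

# A digest that no real token will hash to (random at boot), so that lookups
# for unknown users still perform a full comparison. Constructed for this example.
UNKNOWN_USER_DIGEST = Digest::SHA256.hexdigest(SecureRandom.hex(32)).freeze

# Issue a per-user feed credential: a random username and a random token.
# Only the SHA-256 digest of the token is persisted, so a database leak does
# not hand out working feed credentials. (Assumed layout, not the project's.)
def issue_feed_credentials
  username = "feed-#{SecureRandom.hex(4)}"
  token = SecureRandom.urlsafe_base64(24)
  { username: username, token: token, token_digest: Digest::SHA256.hexdigest(token) }
end

# Constant-time equality for two strings; a length mismatch is rejected up front,
# after which every byte is examined regardless of where the first difference is.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Parse an HTTP Basic Authorization header into [username, password], or nil
# when the header is absent, malformed, or not valid base64.
def parse_basic_auth(header)
  return nil unless header.is_a?(String) && header.start_with?("Basic ")
  decoded = Base64.strict_decode64(header.delete_prefix("Basic "))
  user, pass = decoded.split(":", 2)
  return nil if user.nil? || pass.nil?
  [user, pass]
rescue ArgumentError
  nil
end

# Authorize a feed request against stored records of the form
# { username => token_digest }. Returns true only when the user exists and the
# presented token hashes to the stored digest.
def feed_authorized?(header, records)
  creds = parse_basic_auth(header)
  return false unless creds
  user, token = creds
  stored = records.fetch(user) { UNKNOWN_USER_DIGEST }
  secure_equal?(Digest::SHA256.hexdigest(token), stored) && records.key?(user)
end

if $PROGRAM_NAME == __FILE__
  creds = issue_feed_credentials
  records = { creds[:username] => creds[:token_digest] }
  header = "Basic " + Base64.strict_encode64("#{creds[:username]}:#{creds[:token]}")
  puts "feed access granted: #{feed_authorized?(header, records)}"
end
```

Because the token is random and high-entropy, a fast hash such as SHA-256 is adequate here; user-chosen passwords (the part Devise handles) still need a slow, salted hash like bcrypt.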


> I don't use that but Rails still requires a key for deployment--so I just checked in a key

It's safe to bet that someone will deploy this and use that master key instead of generating their own.


Yikes, huge red flags....


How long did it take you to discern all that?



