davidrac

Reputation: 10738

What is the proper way to handle OAuth Consumer Key and Secret in Rails?

I have a Rails application that connects to Facebook using OAuth. What I'm looking for is a full description of how to handle the OAuth key and secret I get from Facebook.

  1. Where to store them?
  2. How to store them there? I saw an answer saying it should be an env variable, but I'm looking for specifics: How do I add them to env? Manually? Script? What script? Where should it be? What about source control? What about production?
  3. Any other details that I should know in order to implement the solution in dev, test and production.

I've seen some variants of this question, but never with a complete and detailed answer.

I'm really looking for the overall flow, but also need all the small details that may look trivial but are important to understand this.

Upvotes: 4

Views: 976

Answers (2)

Mike Bradford

Reputation: 250

You'll want to store your secret keys and environment-specific configuration outside of your code. You should store these in a way that would allow you to publish your source code in a public repository on, say, GitHub, without ignoring any files in source control. This is a principle of the Twelve-Factor Methodology.

Anyway, to answer your question, you could add these keys as shell variables. This assumes you are developing on *nix.

$ echo "export OAUTH_SECRET='kie92j8fKEHHE92Va1njk3'" >> ~/.bash_profile

Now in your Rails code, you have access to all your environment variables:

ENV["OAUTH_SECRET"]

These environment variables can be set in a deploy script that prompts you for them on the command line. This also allows each developer on your team to have his or her own keys.

Upvotes: 5
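
An added example, not part of the answer above and not Rails' own code: one way to read the variables from `ENV` once at boot, fail fast when one is missing outside the test environment, and keep the secret out of logs. `OAUTH_SECRET` is the name used in the answer; `OAUTH_KEY`, the `OauthCredentials` module and the dummy test values are assumptions made for illustration.

```ruby
# Added example: every name except OAUTH_SECRET is an assumption.
module OauthCredentials
  class MissingCredential < StandardError; end

  REQUIRED = %w[OAUTH_KEY OAUTH_SECRET].freeze # OAUTH_KEY is an assumed name

  # Holds the pair and keeps the secret out of logs and exception dumps.
  Credentials = Struct.new(:key, :secret) do
    def inspect
      "#<Credentials key=#{key.inspect} secret=[REDACTED]>"
    end
    # Struct#to_s is bound to the original inspect, so override it as well.
    alias_method :to_s, :inspect
  end

  # env:       hash-like source of variables (ENV in a real application)
  # rails_env: "development", "test" or "production"
  def self.load(env: ENV, rails_env: ENV.fetch("RAILS_ENV", "development"))
    # Tests should not talk to the real provider, so they get fixed dummy
    # values and cannot pick up a developer's real secret by accident.
    return Credentials.new("test-key", "test-secret") if rails_env == "test"

    missing = REQUIRED.select { |name| env[name].to_s.strip.empty? }
    unless missing.empty?
      # Report which variables are absent, never any value that was present.
      raise MissingCredential, "missing environment variables: #{missing.join(', ')}"
    end

    Credentials.new(env["OAUTH_KEY"], env["OAUTH_SECRET"])
  end
end
```

Calling `OauthCredentials.load` from an initializer makes a missing variable stop the boot with a clear message instead of surfacing later as a failed OAuth request.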

emrahbasman

Reputation: 2013

Most people create their own config.yml. It is very easy to do. Here is a detailed description for creating config.yml.

Upvotes: 0
