This repository has been archived by the owner on Mar 7, 2018. It is now read-only.

set auth_token to a generated UUID if AUTH_TOKEN not passed in ENV #247

Open. Wants to merge 2 commits into master.

Conversation


@grahamb grahamb commented Oct 10, 2013

Fixes issue #191. If an AUTH_TOKEN ENV variable is not present, uses SecureRandom.uuid to generate a UUID to use as the token.

AUTH_TOKEN='foobarbaz' dashing start
  settings.auth_token == 'foobarbaz'
dashing start
  settings.auth_token == 'some-random-uuid-string'

grahamb and others added 2 commits October 10, 2013 11:14
`require 'SecureRandom'` works on my OS X dev machine, but not on my linux deploy box. `require 'securerandom'` works on both.
@pseudomuto
Contributor

@grahamb would this create a new token each time the app ran if you didn't set the env var? If so, that could be annoying for people during development and could cause integration issues in production.

I really like the environment variable bit though!

Maybe we should:

  • remove the 'YOUR_AUTH_TOKEN' default and use ENV['AUTH_TOKEN'] in templates/project/config.ru
  • update Dashing::CLI#start to raise an error/warning if the environment variable is not set

@pushmatrix what are your thoughts?

@kmayer

kmayer commented Mar 4, 2014

use ENV.fetch('AUTH_TOKEN') in config.ru; it will raise an error. Or add a proc with a better default.


configure do
set :auth_token, 'YOUR_AUTH_TOKEN'
set :auth_token, ENV['AUTH_TOKEN'] || SecureRandom.uuid
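Review bot: with `||`, an empty `AUTH_TOKEN=''` is truthy in Ruby and becomes the token verbatim instead of triggering the fallback; consider treating nil and empty alike, e.g. `set :auth_token, (ENV['AUTH_TOKEN'].to_s.empty? ? SecureRandom.uuid : ENV['AUTH_TOKEN'])`. Also, nothing tells the operator that the fallback was taken, so a deployment that forgot the variable ends up with a token nobody knows; logging a warning at startup when a random token is generated would avoid silent breakage. Note too that `SecureRandom` at the top level of config.ru needs `require 'securerandom'` (lowercase, as the second commit points out) or it will fail on platforms where the constant is not autoloaded.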

ENV.fetch('AUTH_TOKEN') { SecureRandom.uuid }


There are subtle differences...

@y = 0
def y
  @y += 1
end
Example                  X is unset   X is anything   X is nil   unset, second call
ENV["X"] || y            1            {anything}
ENV.fetch("X") { y }     1            {anything}      nil        2
ENV.fetch("X", y)        1            {anything}      nil        1

@terraboops
Contributor

I like this PR and the approach taken. Many people don't know how to use the auth token and this leaves their Dashing instances vulnerable to exploits. This PR would make them secure by default (random token).

I do however prefer @kmayer's syntax but no need to open a block: ENV.fetch('AUTH_TOKEN', SecureRandom.uuid). This is definitely a matter of personal preference though, as ENV['UNKNOWN_KEY'] || true will return true just as surely as ENV.fetch('UNKNOWN_KEY', true) will.

That being said, @pseudomuto brings up a good point: that this would be a (small, but) breaking change. Not sure how to resolve that.
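The three spellings compared in this thread (kmayer's table and terraboops's one-liner), plus pseudomuto's warn-if-unset idea, as an added Ruby example that is not code from the Dashing PR or project. A plain Hash stands in for ENV so it runs offline; `Fallback`, `resolve`, `resolve_auth_token` and `stable_across_restarts?` are names made up for this example.

```ruby
require 'securerandom'

# Stand-in for SecureRandom.uuid that counts how often the fallback actually runs.
class Fallback
  attr_reader :calls

  def initialize
    @calls = 0
  end

  def uuid
    @calls += 1
    SecureRandom.uuid
  end
end

# Returns [token, generator_calls] for one spelling and one ENV-like hash.
# The argument form evaluates its default before fetch is called, so it
# generates a UUID even when the variable is set; the other two are lazy.
def resolve(form, env)
  fb = Fallback.new
  token =
    case form
    when :or          then env['AUTH_TOKEN'] || fb.uuid        # lazy
    when :fetch_block then env.fetch('AUTH_TOKEN') { fb.uuid } # lazy
    when :fetch_arg   then env.fetch('AUTH_TOKEN', fb.uuid)    # eager
    end
  [token, fb.calls]
end

# A CLI-side check of the kind pseudomuto suggests: treat a missing or empty
# value as unset, generate once, and report where the token came from so the
# caller can log a warning at startup instead of failing silently.
def resolve_auth_token(env)
  supplied = env['AUTH_TOKEN']
  return [supplied, :from_env] unless supplied.nil? || supplied.empty?
  [SecureRandom.uuid, :generated]
end

# Two process starts without AUTH_TOKEN get two different tokens, which is the
# breaking-change concern raised in the thread; a supplied token is stable.
def stable_across_restarts?(env)
  resolve_auth_token(env).first == resolve_auth_token(env).first
end
```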
