docs/authentication.md in bullet_train-1.7.13 vs docs/authentication.md in bullet_train-1.7.14

- old
+ new

@@ -22,10 +22,51 @@ If you want to disable new registrations completely, put an unguessable value into `INVITATION_KEYS` and keep it secret. Note that in both of these scenarios that existing users will still be able to invite new collaborators to their teams and those collaborators will have the option of creating a new account, but no users in the application will be allowed to create a new team without an invitation code and following the above URL. ## Enabling Two-Factor Authentication (2FA) -Two-factor authentication is enabled by default in Bullet Train, but you must have Rails built-in encrypted secrets and Active Record Encryption configured. To do this, just run: +Two-factor authentication is enabled by default in Bullet Train, but you must have Rails built-in encrypted secrets and Active Record Encryption configured. +To do this, first run: + ``` bin/secrets ``` + +That will generate some credentails files for you. + +Then you'll need to set encryption keys, either in those newly generated credentials files, or you can do it via environment variables. + +Generate some keys by running: + +``` +bin/rails db:encryption:init +``` + +That will output something like this: + +``` +active_record_encryption: + primary_key: NLngkt... + deterministic_key: edpu... + key_derivation_salt: Bfwy... +``` + +Then to add them to your `development` credentials file run: + +``` +bin/rails credentials:edit --environment development +``` + +That will decrypt `config/credentials/development.yml.enc` and open it in your editor. Paste in the block of keys you generated in the previous step, save, and close the file. 
+ +If you'd rather set them via environment variables you could add something like this to `config/application.rb`: + +``` +config.active_record.encryption.primary_key = ENV['ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY'] +config.active_record.encryption.deterministic_key = ENV['ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY'] +config.active_record.encryption.key_derivation_salt = ENV['ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT'] +``` + +And then populate those ENV variables by whatever means you use. (Maybe setting them in `.env` or possibly exporting them directly.) + +After you have things working in development you'll need to follow the same process for your production environment, and any others.
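Review bot: In the `config/application.rb` snippet near the end of the hunk, `ENV['ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY']` and the two lines after it evaluate to nil when the variable is unset, so a missing key is not reported at boot. Suggest `ENV.fetch('ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY')`, and the same for the other two, so a misconfigured environment fails at startup with the variable name in the error. The closing sentence about production could also say to run `bin/rails db:encryption:init` again for each environment rather than reusing the development keys, and the `.env` suggestion should mention keeping that file out of version control, since it would then hold key material. Typo in the added text: "credentails" should be "credentials".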