Remove secret token from repo; use an environment variable instead.

Provide instructions for setting the env var in production and non-production environments.

README.md

@@ -88,6 +88,9 @@ Then update your gemset:
 
     $ gem install bundler && bundle install
 
+Copy the file `config/config.yml.sample` to `config/config.yml` and set a
+value for SECRET_TOKEN for both the development and test environments.
+
 And start the server:
 
     $ rails server

config/config.yml.sample

@@ -1,5 +1,13 @@
 # encoding: utf-8
 development:
+  # Your secret key for verifying the integrity of signed cookies.
+  # If you change this key, all old signed cookies will become invalid!
+  # Make sure the secret is at least 30 characters and all random,
+  # no regular words or you'll be exposed to dictionary attacks.
+  # Used in config/initializers/secret_token.rb.
+  # You can generate a good value for this by running `rake secret`.
+  SECRET_TOKEN:
+
   # Twitter API stuff (these fake keys work)
   CONSUMER_KEY: asdf
   CONSUMER_SECRET: asdf
@@ -18,6 +26,7 @@ development:
     domain: localhost.localdomain
 
 test:
+  SECRET_TOKEN:
   CONSUMER_KEY: asdf
   CONSUMER_SECRET: asdf
   BLOG_URL:

config/initializers/secret_token.rb

@@ -4,4 +4,11 @@
 # If you change this key, all old signed cookies will become invalid!
 # Make sure the secret is at least 30 characters and all random,
 # no regular words or you'll be exposed to dictionary attacks.
-RstatUs::Application.config.secret_token = 'f9325a55f7a4306eee2f4faa38c8ec1650af793c71ef956d0ba02373f24ac08bd80a4c4f24e5520450e83101ea97c4d732256354fd8c2e34a38067575d800868'
+if ENV["SECRET_TOKEN"].blank?
+  if Rails.env.production?
+    raise "You must set ENV[\"SECRET_TOKEN\"] in your app's config vars"
+  else
+    raise "You must set SECRET_TOKEN in your config.yml"
+  end
+end
+RstatUs::Application.config.secret_token = ENV["SECRET_TOKEN"]