Fix config.secret_key_base warning about secrets

Using `config.secret_key_base` currently raises a deprecation warning when used in production because `config.secret_key_base` gets merged into the `secrets` hash instead of being looked up specifically in the `secret_key_base` method. This commit addresses this by not raising a deprecation warning if `secrets.secret_key_base` and `config.secret_key_base` are the same object (meaning `config.secret_key_base` was merged into `secrets). Additionally, an improved deprecation warning is added for apps that continue to set `secret_key_base` in their secrets. The current warning is not great because it isn't directly actionable for users. Currently they will see the warning, not see `secrets` being referenced in their app, and potentially end up confused. The new warning helps users understand the actual change they need to make: not removing a reference to `secrets` but moving `secret_key_base` out of `secrets`.
rails · Oct 29, 2023 · 1abd331 · 1abd331
1 parent 77f7b8c
commit 1abd331
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 1 deletion.
diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb
@@ -477,7 +477,21 @@ def secret_key_base
         config.secret_key_base ||= generate_local_secret
       else
         validate_secret_key_base(
-          ENV["SECRET_KEY_BASE"] || credentials.secret_key_base || secrets.secret_key_base
+          ENV["SECRET_KEY_BASE"] || credentials.secret_key_base || begin
+            secret_skb = secrets_secret_key_base
+
+            if secret_skb.equal?(config.secret_key_base)
+              config.secret_key_base
+            else
+              Rails.deprecator.warn(<<~MSG.squish)
+                Your `secret_key_base is configured in `Rails.application.secrets`,
+                which is deprecated in favor of `Rails.application.credentials` and
+                will be removed in Rails 7.2.
+              MSG
+
+              secret_skb
+            end
+          end
         )
       end
     end

diff --git a/railties/test/application/configuration_test.rb b/railties/test/application/configuration_test.rb
@@ -947,6 +947,20 @@ def index
       assert_equal "3b7cd727ee24e8444053437c36cc66c3", app.secret_key_base
     end
 
+    test "config.secret_key_base does not lead to a deprecation" do
+      remove_file "config/secrets.yml"
+      app_file "config/initializers/secret_token.rb", <<-RUBY
+        Rails.application.credentials.secret_key_base = nil
+        Rails.application.config.secret_key_base = "3b7cd727ee24e8444053437c36cc66c3"
+      RUBY
+
+      app "production"
+
+      assert_not_deprecated(Rails.deprecator) do
+        assert_equal "3b7cd727ee24e8444053437c36cc66c3", app.secret_key_base
+      end
+    end
+
     test "custom secrets saved in config/secrets.yml are loaded in app secrets" do
       app_file "config/secrets.yml", <<-YAML
         development: