Deprecate secret_token, long since usurped by secret_key_base.

See the changelog entry.

Remove `secrets.secret_token` from the bug report templates,
since we don't accept bug reports for Rails versions that
don't support a `secret_key_base`.

[ claudiob & Kasper Timm Hansen ]

activesupport/CHANGELOG.md

@@ -1,3 +1,15 @@
+*   Deprecate `secrets.secret_token`.
+
+    The architecture for secrets had a big upgrade between Rails 3 and Rails 4,
+    when the default changed from using `secret_token` to `secret_key_base`.
+
+    `secret_token` has been soft deprecated in documentation for four years
+    but is still in place to support apps created before Rails 4.
+    Deprecation warnings have been added to help developers upgrade their
+    applications to `secret_key_base`.
+
+    *claudiob*, *Kasper Timm Hansen*
+
 *   Return an instance of `HashWithIndifferentAccess` from `HashWithIndifferentAccess#transform_keys`.
 
     *Yuji Yaginuma*

guides/bug_report_templates/action_controller_gem.rb

@@ -22,7 +22,6 @@
 class TestApp < Rails::Application
   config.root = __dir__
   config.session_store :cookie_store, key: "cookie_store_key"
-  secrets.secret_token    = "secret_token"
   secrets.secret_key_base = "secret_key_base"
 
   config.logger = Logger.new($stdout)

guides/bug_report_templates/action_controller_master.rb

@@ -20,7 +20,6 @@
 
 class TestApp < Rails::Application
   config.root = __dir__
-  secrets.secret_token    = "secret_token"
   secrets.secret_key_base = "secret_key_base"
 
   config.logger = Logger.new($stdout)

railties/lib/rails/application.rb

@@ -6,6 +6,7 @@
 require "active_support/key_generator"
 require "active_support/message_verifier"
 require "active_support/encrypted_configuration"
+require "active_support/deprecation"
 require_relative "engine"
 require_relative "secrets"
 
@@ -398,6 +399,11 @@ def secrets
         # Fallback to config.secret_token if secrets.secret_token isn't set
         secrets.secret_token ||= config.secret_token
 
+        if secrets.secret_token.present?
+          ActiveSupport::Deprecation.warn \
+            "`secrets.secret_token` is deprecated in favor of `secret_key_base` and will be removed in Rails 6.0."
+        end
+
         secrets
       end
     end

railties/test/application/configuration_test.rb

@@ -487,6 +487,32 @@ def index
       assert_equal "some_value", Rails.application.message_verifier(:sensitive_value).verify(message)
     end
 
+    test "config.secret_token is deprecated" do
+      app_file "config/initializers/secret_token.rb", <<-RUBY
+        Rails.application.config.secret_token = "b3c631c314c0bbca50c1b2843150fe33"
+      RUBY
+
+      app "production"
+
+      assert_deprecated(/secret_token/) do
+        app.secrets
+      end
+    end
+
+    test "secrets.secret_token is deprecated" do
+      app_file "config/secrets.yml", <<-YAML
+        production:
+          secret_token: "b3c631c314c0bbca50c1b2843150fe33"
+      YAML
+
+      app "production"
+
+      assert_deprecated(/secret_token/) do
+        app.secrets
+      end
+    end
+
+
     test "raises when secret_key_base is blank" do
       app_file "config/initializers/secret_token.rb", <<-RUBY
         Rails.application.credentials.secret_key_base = nil