Deprecate secret_token, long since usurped by secret_key_base.

See the changelog entry.

Remove `secrets.secret_token` from the bug report templates,
since we don't accept bug reports for Rails versions that
don't support a `secret_key_base`.

[ claudiob & Kasper Timm Hansen ]
kaspth committed Sep 28, 2017
1 parent 204c040 commit fbcc4bfe9a211e219da5d0bb01d894fcdaef0a0e
@@ -1,3 +1,15 @@
* Deprecate `secrets.secret_token`.

The architecture for secrets had a big upgrade between Rails 3 and Rails 4,
when the default changed from using `secret_token` to `secret_key_base`.

`secret_token` has been soft deprecated in documentation for four years
but is still in place to support apps created before Rails 4.
Deprecation warnings have been added to help developers upgrade their
applications to `secret_key_base`.

*claudiob*, *Kasper Timm Hansen*

* Return an instance of `HashWithIndifferentAccess` from `HashWithIndifferentAccess#transform_keys`.

*Yuji Yaginuma*
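
Review bot: the new changelog entry says deprecation warnings were added but never states the removal target, while the warning string added in this commit says `secret_token` "will be removed in Rails 6.0"; the paragraph ending "upgrade their applications to `secret_key_base`" should carry the same version. The entry title also names only `secrets.secret_token`, although the tests in this commit show that `config.secret_token` set in an initializer triggers the warning too, so it is worth one sentence saying both are covered.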
@@ -22,7 +22,6 @@
class TestApp < Rails::Application
config.root = __dir__
config.session_store :cookie_store, key: "cookie_store_key"
secrets.secret_token = "secret_token"
secrets.secret_key_base = "secret_key_base"

config.logger = Logger.new($stdout)
@@ -20,7 +20,6 @@

class TestApp < Rails::Application
config.root = __dir__
secrets.secret_token = "secret_token"
secrets.secret_key_base = "secret_key_base"

config.logger = Logger.new($stdout)
@@ -6,6 +6,7 @@
require "active_support/key_generator"
require "active_support/message_verifier"
require "active_support/encrypted_configuration"
require "active_support/deprecation"
require_relative "engine"
require_relative "secrets"

@@ -398,6 +399,11 @@ def secrets
# Fallback to config.secret_token if secrets.secret_token isn't set
secrets.secret_token ||= config.secret_token

if secrets.secret_token.present?
ActiveSupport::Deprecation.warn \
"`secrets.secret_token` is deprecated in favor of `secret_key_base` and will be removed in Rails 6.0."
end

secrets
end
end
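
Review bot: the warning text names only `secrets.secret_token`, but the check runs after `secrets.secret_token ||= config.secret_token`, so an app that only sets `config.secret_token` in an initializer is warned about a setting it never wrote. Consider naming both sources in the message, or warning separately when the fallback supplied the value, so the developer can find the line to remove.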
@@ -487,6 +487,32 @@ def index
assert_equal "some_value", Rails.application.message_verifier(:sensitive_value).verify(message)
end

test "config.secret_token is deprecated" do
app_file "config/initializers/secret_token.rb", <<-RUBY
Rails.application.config.secret_token = "b3c631c314c0bbca50c1b2843150fe33"
RUBY

app "production"

assert_deprecated(/secret_token/) do
app.secrets
end
end

test "secrets.secret_token is deprecated" do
app_file "config/secrets.yml", <<-YAML
production:
secret_token: "b3c631c314c0bbca50c1b2843150fe33"
YAML

app "production"

assert_deprecated(/secret_token/) do
app.secrets
end
end


test "raises when secret_key_base is blank" do
app_file "config/initializers/secret_token.rb", <<-RUBY
Rails.application.credentials.secret_key_base = nil
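
Review bot: both new tests cover only the positive case and match the loose pattern `/secret_token/`; nothing asserts that an app configured with just `secret_key_base` can call `app.secrets` without a deprecation warning. An `assert_not_deprecated { app.secrets }` case would guard against the warning firing for already-upgraded apps, and matching on more of the message (for example `secret_key_base`) would tie the tests to the intended warning. There is also a doubled blank line before the "raises when secret_key_base is blank" test.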

1 comment on commit fbcc4bf

@mjc-gh mjc-gh commented on fbcc4bf Sep 29, 2017

🎉 👍