Deprecate secret_token, long since usurped by secret_key_base.
See the changelog entry.

Remove `secrets.secret_token` from the bug report templates,
since we don't accept bug reports for Rails versions that
don't support a `secret_key_base`.

[ claudiob & Kasper Timm Hansen ]
kaspth committed Sep 28, 2017
1 parent 204c040 commit fbcc4bf
Showing 5 changed files with 44 additions and 2 deletions.
12 changes: 12 additions & 0 deletions activesupport/CHANGELOG.md
@@ -1,3 +1,15 @@
* Deprecate `secrets.secret_token`.

The architecture for secrets had a big upgrade between Rails 3 and Rails 4,
when the default changed from using `secret_token` to `secret_key_base`.

`secret_token` has been soft deprecated in documentation for four years
but is still in place to support apps created before Rails 4.
Deprecation warnings have been added to help developers upgrade their
applications to `secret_key_base`.

*claudiob*, *Kasper Timm Hansen*

* Return an instance of `HashWithIndifferentAccess` from `HashWithIndifferentAccess#transform_keys`.

*Yuji Yaginuma*
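
Review bot: The new `secret_token` entry sits in the wrong changelog: it is added to activesupport/CHANGELOG.md, while the warning itself is emitted from railties/lib/rails/application.rb, so the entry belongs in the railties changelog where someone reading about `secrets` would look. The entry also omits the removal target that the warning text states (Rails 6.0); adding it here would keep the two in sync.
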
1 change: 0 additions & 1 deletion guides/bug_report_templates/action_controller_gem.rb
Expand Up @@ -22,7 +22,6 @@
class TestApp < Rails::Application
config.root = __dir__
config.session_store :cookie_store, key: "cookie_store_key"
secrets.secret_token = "secret_token"
secrets.secret_key_base = "secret_key_base"

config.logger = Logger.new($stdout)
1 change: 0 additions & 1 deletion guides/bug_report_templates/action_controller_master.rb
Expand Up @@ -20,7 +20,6 @@

class TestApp < Rails::Application
config.root = __dir__
secrets.secret_token = "secret_token"
secrets.secret_key_base = "secret_key_base"

config.logger = Logger.new($stdout)
6 changes: 6 additions & 0 deletions railties/lib/rails/application.rb
Expand Up @@ -6,6 +6,7 @@
require "active_support/key_generator"
require "active_support/message_verifier"
require "active_support/encrypted_configuration"
require "active_support/deprecation"
require_relative "engine"
require_relative "secrets"

Expand Down Expand Up @@ -398,6 +399,11 @@ def secrets
# Fallback to config.secret_token if secrets.secret_token isn't set
secrets.secret_token ||= config.secret_token

if secrets.secret_token.present?
ActiveSupport::Deprecation.warn \
"`secrets.secret_token` is deprecated in favor of `secret_key_base` and will be removed in Rails 6.0."
end

secrets
end
end
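
Review bot: The warning text names only `secrets.secret_token`, even when the value arrived through the `secrets.secret_token ||= config.secret_token` fallback directly above the new `if`, so an app that sets just `config.secret_token` in an initializer is warned about a setting it never wrote. Mention `config.secret_token` in the message as well, or warn separately for each source, and say where `secret_key_base` is expected to be set so the warning is actionable.
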
26 changes: 26 additions & 0 deletions railties/test/application/configuration_test.rb
Expand Up @@ -487,6 +487,32 @@ def index
assert_equal "some_value", Rails.application.message_verifier(:sensitive_value).verify(message)
end

test "config.secret_token is deprecated" do
app_file "config/initializers/secret_token.rb", <<-RUBY
Rails.application.config.secret_token = "b3c631c314c0bbca50c1b2843150fe33"
RUBY

app "production"

assert_deprecated(/secret_token/) do
app.secrets
end
end

test "secrets.secret_token is deprecated" do
app_file "config/secrets.yml", <<-YAML
production:
secret_token: "b3c631c314c0bbca50c1b2843150fe33"
YAML

app "production"

assert_deprecated(/secret_token/) do
app.secrets
end
end


test "raises when secret_key_base is blank" do
app_file "config/initializers/secret_token.rb", <<-RUBY
Rails.application.credentials.secret_key_base = nil
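
Review bot: A negative case is missing: both new tests assert that the warning fires, but nothing checks that `app.secrets` stays silent when neither `config.secret_token` nor `secrets.secret_token` is set, which is what would catch the `present?` guard regressing into an unconditional warning. An `assert_not_deprecated { app.secrets }` test with only `secret_key_base` configured would cover it. The `/secret_token/` pattern is also loose enough to match any message containing that word, so matching on `secret_key_base` or the removal version would pin the message down, and there is a stray second blank line after the second test.
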

1 comment on commit fbcc4bf

@mjc-gh mjc-gh commented on fbcc4bf Sep 29, 2017

🎉 👍