
Deprecate secret_token, long since usurped by secret_key_base.

See the changelog entry.

Remove `secrets.secret_token` from the bug report templates,
since we don't accept bug reports for Rails versions that
don't support a `secret_key_base`.

[ claudiob & Kasper Timm Hansen ]
kaspth committed Sep 28, 2017
1 parent 204c040 commit fbcc4bfe9a211e219da5d0bb01d894fcdaef0a0e
@@ -1,3 +1,15 @@
* Deprecate `secrets.secret_token`.
The architecture for secrets had a big upgrade between Rails 3 and Rails 4,
when the default changed from using `secret_token` to `secret_key_base`.
`secret_token` has been soft deprecated in documentation for four years
but is still in place to support apps created before Rails 4.
Deprecation warnings have been added to help developers upgrade their
applications to `secret_key_base`.
*claudiob*, *Kasper Timm Hansen*
* Return an instance of `HashWithIndifferentAccess` from `HashWithIndifferentAccess#transform_keys`.
*Yuji Yaginuma*
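Review bot: The changelog entry for `secrets.secret_token` says deprecation warnings were added, but it gives neither the removal release nor the action to take. The warning text added elsewhere in this commit names Rails 6.0; repeat that here and add a sentence telling app owners to set `secret_key_base` and drop `secret_token` from `config/secrets.yml` or the `secret_token.rb` initializer, so a reader of the changelog does not have to trigger the warning to learn the timeline.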
@@ -22,7 +22,6 @@
class TestApp < Rails::Application
config.root = __dir__
config.session_store :cookie_store, key: "cookie_store_key"
secrets.secret_token = "secret_token"
secrets.secret_key_base = "secret_key_base"
config.logger = Logger.new($stdout)
@@ -20,7 +20,6 @@
class TestApp < Rails::Application
config.root = __dir__
secrets.secret_token = "secret_token"
secrets.secret_key_base = "secret_key_base"
config.logger = Logger.new($stdout)
@@ -6,6 +6,7 @@
require "active_support/key_generator"
require "active_support/message_verifier"
require "active_support/encrypted_configuration"
require "active_support/deprecation"
require_relative "engine"
require_relative "secrets"
@@ -398,6 +399,11 @@ def secrets
# Fallback to config.secret_token if secrets.secret_token isn't set
secrets.secret_token ||= config.secret_token
if secrets.secret_token.present?
ActiveSupport::Deprecation.warn \
"`secrets.secret_token` is deprecated in favor of `secret_key_base` and will be removed in Rails 6.0."
end
secrets
end
end
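Review bot: In `secrets`, the new check runs after `secrets.secret_token ||= config.secret_token`, so the message always names `secrets.secret_token` even when the value came from `config.secret_token` in an initializer. An app that only sets `config.secret_token` is pointed at a setting it never touched. Consider naming both `config.secret_token` and `secrets.secret_token` in the message, or warning about each source separately before the fallback assignment so the text matches where the value was actually set.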
@@ -487,6 +487,32 @@ def index
assert_equal "some_value", Rails.application.message_verifier(:sensitive_value).verify(message)
end
test "config.secret_token is deprecated" do
app_file "config/initializers/secret_token.rb", <<-RUBY
Rails.application.config.secret_token = "b3c631c314c0bbca50c1b2843150fe33"
RUBY
app "production"
assert_deprecated(/secret_token/) do
app.secrets
end
end
test "secrets.secret_token is deprecated" do
app_file "config/secrets.yml", <<-YAML
production:
secret_token: "b3c631c314c0bbca50c1b2843150fe33"
YAML
app "production"
assert_deprecated(/secret_token/) do
app.secrets
end
end
test "raises when secret_key_base is blank" do
app_file "config/initializers/secret_token.rb", <<-RUBY
Rails.application.credentials.secret_key_base = nil
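Review bot: Both new tests only assert that a warning matching `/secret_token/` fires; the opposite case is not covered. Add a test that boots an app with only `secret_key_base` set and wraps `app.secrets` in `assert_not_deprecated`, so a later change that warns unconditionally is caught. The pattern `/secret_token/` would also pass on any message that merely contains that string; matching on `secret_key_base` as well would confirm the warning tells the developer what to migrate to.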

1 comment on commit fbcc4bf

Contributor

mikeycgto commented on fbcc4bf Sep 29, 2017

🎉 👍
