From 1abd331ff8b03a2f7325d3ba93a055ca7ad858b4 Mon Sep 17 00:00:00 2001
From: Hartley McGuire
Date: Sun, 29 Oct 2023 19:00:46 -0400
Subject: [PATCH] Fix config.secret_key_base warning about secrets

Using `config.secret_key_base` currently raises a deprecation warning when used in production because `config.secret_key_base` gets merged into the `secrets` hash instead of being looked up specifically in the `secret_key_base` method. This commit addresses this by not raising a deprecation warning if `secrets.secret_key_base` and `config.secret_key_base` are the same object (meaning `config.secret_key_base` was merged into `secrets). Additionally, an improved deprecation warning is added for apps that continue to set `secret_key_base` in their secrets. The current warning is not great because it isn't directly actionable for users. Currently they will see the warning, not see `secrets` being referenced in their app, and potentially end up confused. The new warning helps users understand the actual change they need to make: not removing a reference to `secrets` but moving `secret_key_base` out of `secrets`.
---
 railties/lib/rails/application.rb | 16 +++++++++++++++-
 railties/test/application/configuration_test.rb | 14 ++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb
index c3b0302a2cca1..2aba669522652 100644
--- a/railties/lib/rails/application.rb
+++ b/railties/lib/rails/application.rb
@@ -477,7 +477,21 @@ def secret_key_base
 config.secret_key_base ||= generate_local_secret
 else
 validate_secret_key_base(
- ENV["SECRET_KEY_BASE"] || credentials.secret_key_base || secrets.secret_key_base
+ ENV["SECRET_KEY_BASE"] || credentials.secret_key_base || begin
+ secret_skb = secrets_secret_key_base
+
+ if secret_skb.equal?(config.secret_key_base)
+ config.secret_key_base
+ else
+ Rails.deprecator.warn(<<~MSG.squish)
+ Your `secret_key_base is configured in `Rails.application.secrets`,
+ which is deprecated in favor of `Rails.application.credentials` and
+ will be removed in Rails 7.2.
+ MSG
+
+ secret_skb
+ end
+ end
 )
 end
 end
diff --git a/railties/test/application/configuration_test.rb b/railties/test/application/configuration_test.rb
index d198b7948b7c1..fd88d6da5e9f5 100644
--- a/railties/test/application/configuration_test.rb
+++ b/railties/test/application/configuration_test.rb
@@ -947,6 +947,20 @@ def index
 assert_equal "3b7cd727ee24e8444053437c36cc66c3", app.secret_key_base
 end
 
+ test "config.secret_key_base does not lead to a deprecation" do
+ remove_file "config/secrets.yml"
+ app_file "config/initializers/secret_token.rb", <<-RUBY
+ Rails.application.credentials.secret_key_base = nil
+ Rails.application.config.secret_key_base = "3b7cd727ee24e8444053437c36cc66c3"
+ RUBY
+
+ app "production"
+
+ assert_not_deprecated(Rails.deprecator) do
+ assert_equal "3b7cd727ee24e8444053437c36cc66c3", app.secret_key_base
+ end
+ end
+
 test "custom secrets saved in config/secrets.yml are loaded in app secrets" do
 app_file "config/secrets.yml", <<-YAML
 development:
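Review bot: The heredoc passed to `Rails.deprecator.warn` in `secret_key_base` (railties/lib/rails/application.rb) is missing the closing backtick after `secret_key_base`, so the warning prints with unbalanced markup; the line should read `` Your `secret_key_base` is configured in `Rails.application.secrets`, ``. The `secret_skb.equal?(config.secret_key_base)` test is an object-identity check that only holds while the merge of `config.secret_key_base` into `secrets` hands back the same String object, so I would add a comment above it such as `# Identity on purpose: config.secret_key_base is merged into secrets as the same object, so equal? means the value came from config, not from secrets`. If that merge ever copies the string, the code falls through to the warning branch and still returns the same key value, which is the safe direction, but the spurious deprecation this commit removes would come back. `secrets_secret_key_base` is not defined in this hunk and the method body starts above it, so this assumes the helper already exists elsewhere in the file.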
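Review bot: The added test in railties/test/application/configuration_test.rb exercises only the branch where no warning is expected; nothing in this hunk asserts that a `secret_key_base` set in `config/secrets.yml` still triggers the reworded deprecation. A counterpart wrapped in `assert_deprecated(/secret_key_base/, Rails.deprecator) do ... end` would pin the `else` branch of the `equal?` check, assuming no test elsewhere in the file already does so. It would also be worth a case where `config.secret_key_base` and secrets.yml carry equal strings as different objects, since that is exactly where identity and equality diverge.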