authorJosé Valim <jose.valim@gmail.com>2010-04-05 10:52:47 +0200
committerJosé Valim <jose.valim@gmail.com>2010-04-05 12:00:24 +0200
commit6690d662920f0db854f7303cd2a5a36c72299199 (patch)
tree9e531ce7d2945b5eb0ce06e63277cc06361b37c0 /actionpack/lib
parent5c8b4c6e231257bc08d32722e098927885e5e74d (diff)
Rename config.cookie_secret to config.secret_token and pass it as configuration in request.env. This is another step forward removing global configuration.
Diffstat (limited to 'actionpack/lib')
-rw-r--r--actionpack/lib/action_controller/base.rb2
-rw-r--r--actionpack/lib/action_controller/deprecated/base.rb7
-rw-r--r--actionpack/lib/action_controller/metal/cookies.rb3
-rw-r--r--actionpack/lib/action_controller/metal/http_authentication.rb17
-rw-r--r--actionpack/lib/action_controller/railtie.rb1
-rw-r--r--actionpack/lib/action_dispatch/middleware/cookies.rb36
-rw-r--r--actionpack/lib/action_dispatch/middleware/session/cookie_store.rb2
-rw-r--r--actionpack/lib/action_dispatch/testing/test_request.rb2
8 files changed, 37 insertions, 33 deletions
diff --git a/actionpack/lib/action_controller/base.rb b/actionpack/lib/action_controller/base.rb
index d2118ec483..1dfc240029 100644
--- a/actionpack/lib/action_controller/base.rb
+++ b/actionpack/lib/action_controller/base.rb
@@ -2,7 +2,7 @@ module ActionController
class Base < Metal
abstract!
- def self.modules_without(*modules)
+ def self.without_modules(*modules)
modules = modules.map do |m|
m.is_a?(Symbol) ? ActionController.const_get(m) : m
end
diff --git a/actionpack/lib/action_controller/deprecated/base.rb b/actionpack/lib/action_controller/deprecated/base.rb
index 51d1e23753..05551ffee4 100644
--- a/actionpack/lib/action_controller/deprecated/base.rb
+++ b/actionpack/lib/action_controller/deprecated/base.rb
@@ -77,14 +77,11 @@ module ActionController
def cookie_verifier_secret=(value)
ActiveSupport::Deprecation.warn "ActionController::Base.cookie_verifier_secret= is deprecated. " <<
- "Please configure it on your application with config.cookie_secret=", caller
- ActionController::Base.config.secret = value
+ "Please configure it on your application with config.secret_token=", caller
end
def cookie_verifier_secret
- ActiveSupport::Deprecation.warn "ActionController::Base.cookie_verifier_secret is deprecated. " <<
- "Please use ActionController::Base.config.secret instead.", caller
- ActionController::Base.config.secret
+ ActiveSupport::Deprecation.warn "ActionController::Base.cookie_verifier_secret is deprecated.", caller
end
def trusted_proxies=(value)
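Review bot: The deprecated setter `cookie_verifier_secret=` now drops the value it is given, so an app that still configures its secret this way ends up with no secret after upgrading, and the warning does not say so. The new checks elsewhere in this commit fail closed (signed cookies and digest auth raise on a blank secret), but the message would be clearer as `"ActionController::Base.cookie_verifier_secret= is deprecated and the value is ignored. "`. The getter likewise returns whatever `Deprecation.warn` returns rather than a secret, so a caller that still feeds it to a verifier would presumably get a non-secret key; a comment such as `# No longer returns the secret; read config.secret_token instead.` would help. Both methods sit in a module that starts outside the hunk.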
diff --git a/actionpack/lib/action_controller/metal/cookies.rb b/actionpack/lib/action_controller/metal/cookies.rb
index 4aaa705203..d787f014cd 100644
--- a/actionpack/lib/action_controller/metal/cookies.rb
+++ b/actionpack/lib/action_controller/metal/cookies.rb
@@ -10,8 +10,7 @@ module ActionController #:nodoc:
private
def cookies
- raise "You must set config.cookie_secret in your app's config" if config.secret.blank?
- request.cookie_jar(:signing_secret => config.secret)
+ request.cookie_jar
end
end
end
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index 424828f7e8..6bd6c15990 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -159,7 +159,7 @@ module ActionController
# Authenticate with HTTP Digest, returns true or false
def authenticate_with_http_digest(realm = "Application", &password_procedure)
- HttpAuthentication::Digest.authenticate(config.secret, request, realm, &password_procedure)
+ HttpAuthentication::Digest.authenticate(request, realm, &password_procedure)
end
# Render output including the HTTP Digest authentication header
@@ -169,14 +169,15 @@ module ActionController
end
# Returns false on a valid response, true otherwise
- def authenticate(secret_key, request, realm, &password_procedure)
- request.authorization && validate_digest_response(secret_key, request, realm, &password_procedure)
+ def authenticate(request, realm, &password_procedure)
+ request.authorization && validate_digest_response(request, realm, &password_procedure)
end
# Returns false unless the request credentials response value matches the expected value.
# First try the password as a ha1 digest password. If this fails, then try it as a plain
# text password.
- def validate_digest_response(secret_key, request, realm, &password_procedure)
+ def validate_digest_response(request, realm, &password_procedure)
+ secret_key = secret_token(request)
credentials = decode_credentials_header(request)
valid_nonce = validate_nonce(secret_key, request, credentials[:nonce])
@@ -225,7 +226,7 @@ module ActionController
end
def authentication_header(controller, realm)
- secret_key = controller.config.secret
+ secret_key = secret_token(controller.request)
nonce = self.nonce(secret_key)
opaque = opaque(secret_key)
controller.headers["WWW-Authenticate"] = %(Digest realm="#{realm}", qop="auth", algorithm=MD5, nonce="#{nonce}", opaque="#{opaque}")
@@ -238,6 +239,12 @@ module ActionController
controller.status = 401
end
+ def secret_token(request)
+ secret = request.env["action_dispatch.secret_token"]
+ raise "You must set config.secret_token in your app's config" if secret.blank?
+ secret
+ end
+
# Uses an MD5 digest based on time to generate a value to be used only once.
#
# A server-specified data string which should be uniquely generated each time a 401 response is made.
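Review bot: `secret_token` accepts any non-blank value, while the session cookie store touched by this same commit still enforces `SECRET_MIN_LENGTH` on its secret. After this change one token keys the digest nonce and opaque here, signed cookies (`SignedCookieJar#initialize` in middleware/cookies.rb has the same blank-only check and the same message), and apparently the session cookie, so a short token weakens all of them. Consider applying the minimum-length check in one shared helper and raising `ArgumentError` as the cookie store does, instead of duplicating the string in two places. A one-line comment such as `# Signing secret for nonce/opaque, read from the Rack env set by the application.` would also document where the value comes from.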
diff --git a/actionpack/lib/action_controller/railtie.rb b/actionpack/lib/action_controller/railtie.rb
index 29d8523ee1..030ba4ec48 100644
--- a/actionpack/lib/action_controller/railtie.rb
+++ b/actionpack/lib/action_controller/railtie.rb
@@ -51,7 +51,6 @@ module ActionController
ac.assets_dir = paths.public.to_a.first
ac.javascripts_dir = paths.public.javascripts.to_a.first
ac.stylesheets_dir = paths.public.stylesheets.to_a.first
- ac.secret = app.config.cookie_secret
ActiveSupport.on_load(:action_controller) do
self.config.merge!(ac)
diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb
index 71dcac9e94..42ab1d1ebb 100644
--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
+++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -1,7 +1,9 @@
+require "active_support/core_ext/object/blank"
+
module ActionDispatch
class Request
- def cookie_jar(config = {})
- env['action_dispatch.cookies'] ||= Cookies::CookieJar.build(self, config)
+ def cookie_jar
+ env['action_dispatch.cookies'] ||= Cookies::CookieJar.build(self)
end
end
@@ -51,17 +53,17 @@ module ActionDispatch
# only HTTP. Defaults to +false+.
class Cookies
class CookieJar < Hash #:nodoc:
- def self.build(request, config = {})
- new(config).tap do |hash|
+ def self.build(request)
+ secret = request.env["action_dispatch.secret_token"]
+ new(secret).tap do |hash|
hash.update(request.cookies)
end
end
- def initialize(config = {})
- @config = config
+ def initialize(secret=nil)
+ @secret = secret
@set_cookies = {}
@delete_cookies = {}
-
super()
end
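Review bot: `CookieJar.build` now reads the signing secret from `request.env["action_dispatch.secret_token"]`, which means the secret sits in the Rack env of every request. Anything that dumps or serialises the env (error reports, debug pages, request logging) would then include it unless that key is filtered; the visible hunks add no such filtering, though it may exist elsewhere. I would add a comment at the read, `# Secret lives in env; keep this key out of logs and error reports.`, and check the places that render env. Minor style: `def initialize(secret=nil)` would conventionally be `def initialize(secret = nil)`.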
@@ -112,7 +114,7 @@ module ActionDispatch
# cookies.permanent.signed[:remember_me] = current_user.id
# # => Set-Cookie: discount=BAhU--848956038e692d7046deab32b7131856ab20e14e; path=/; expires=Sun, 16-Dec-2029 03:24:16 GMT
def permanent
- @permanent ||= PermanentCookieJar.new(self, @config)
+ @permanent ||= PermanentCookieJar.new(self, @secret)
end
# Returns a jar that'll automatically generate a signed representation of cookie value and verify it when reading from
@@ -120,7 +122,7 @@ module ActionDispatch
# cookie was tampered with by the user (or a 3rd party), an ActiveSupport::MessageVerifier::InvalidSignature exception will
# be raised.
#
- # This jar requires that you set a suitable secret for the verification on your app's config.cookie_secret.
+ # This jar requires that you set a suitable secret for the verification on your app's config.secret_token.
#
# Example:
#
@@ -129,7 +131,7 @@ module ActionDispatch
#
# cookies.signed[:discount] # => 45
def signed
- @signed ||= SignedCookieJar.new(self, @config)
+ @signed ||= SignedCookieJar.new(self, @secret)
end
def write(response)
@@ -139,9 +141,8 @@ module ActionDispatch
end
class PermanentCookieJar < CookieJar #:nodoc:
- def initialize(parent_jar, config = {})
- @parent_jar = parent_jar
- @config = config
+ def initialize(parent_jar, secret)
+ @parent_jar, @secret = parent_jar, secret
end
def []=(key, options)
@@ -156,7 +157,7 @@ module ActionDispatch
end
def signed
- @signed ||= SignedCookieJar.new(self, @config)
+ @signed ||= SignedCookieJar.new(self, @secret)
end
def method_missing(method, *arguments, &block)
@@ -165,11 +166,10 @@ module ActionDispatch
end
class SignedCookieJar < CookieJar #:nodoc:
- def initialize(parent_jar, config = {})
- raise 'Missing cookie signing secret' if config[:signing_secret].blank?
+ def initialize(parent_jar, secret)
+ raise "You must set config.secret_token in your app's config" if secret.blank?
@parent_jar = parent_jar
- @config = config
- @verifier = ActiveSupport::MessageVerifier.new(config[:signing_secret])
+ @verifier = ActiveSupport::MessageVerifier.new(secret)
end
def [](name)
diff --git a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
index 3331b7c25e..88ba941676 100644
--- a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
+++ b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
@@ -192,7 +192,7 @@ module ActionDispatch
if secret.blank?
raise ArgumentError, "A secret is required to generate an " +
"integrity hash for cookie session data. Use " +
- "config.cookie_secret = \"some secret phrase of at " +
+ "config.secret_token = \"some secret phrase of at " +
"least #{SECRET_MIN_LENGTH} characters\"" +
"in config/application.rb"
end
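Review bot: The concatenated message has no space between `characters\"` and `"in config/application.rb"`, so it reads `characters"in config/application.rb`. Since this commit edits the message anyway, change the line to `"least #{SECRET_MIN_LENGTH} characters\" " +`. The enclosing method starts and ends outside the hunk.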
diff --git a/actionpack/lib/action_dispatch/testing/test_request.rb b/actionpack/lib/action_dispatch/testing/test_request.rb
index 090e03cf44..b3e67f6e36 100644
--- a/actionpack/lib/action_dispatch/testing/test_request.rb
+++ b/actionpack/lib/action_dispatch/testing/test_request.rb
@@ -1,4 +1,5 @@
require 'active_support/core_ext/object/blank'
+require 'active_support/core_ext/hash/reverse_merge'
module ActionDispatch
class TestRequest < Request
@@ -9,6 +10,7 @@ module ActionDispatch
end
def initialize(env = {})
+ env = Rails.application.env_defaults.merge(env) if defined?(Rails.application)
super(DEFAULT_ENV.merge(env))
self.host = 'test.host'
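Review bot: `defined?(Rails.application)` only checks that the constant and the method exist, not that an application has been initialised, so if `Rails.application` can return nil here the added line raises NoMethodError on `env_defaults`. Guard the value as well: `env = Rails.application.env_defaults.merge(env) if defined?(Rails.application) && Rails.application`. The `reverse_merge` require added in the previous hunk is not used by this line, which calls `merge`; drop it unless code outside the hunks needs it. `initialize` continues past the end of the hunk.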