6 files changed, 43 insertions, 10 deletions

diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb
index 9ef001c7d0..f22025d35e 100644
--- a/railties/lib/rails/application.rb
+++ b/railties/lib/rails/application.rb
@@ -1,5 +1,7 @@
 require 'fileutils'
 require 'active_support/queueing'
+# FIXME remove DummyKeyGenerator and this require in 4.1
+require 'active_support/key_generator'
 require 'rails/engine'
 
 module Rails
@@ -106,7 +108,11 @@ module Rails
     def key_generator
       # number of iterations selected based on consultation with the google security
       # team. Details at https://github.com/rails/rails/pull/6952#issuecomment-7661220
-      @key_generator ||= ActiveSupport::KeyGenerator.new(config.secret_token, iterations: 1000)
+      @key_generator ||= if config.secret_token_key
+                           ActiveSupport::KeyGenerator.new(config.secret_token_key, iterations: 1000)
+                         else
+                           ActiveSupport::DummyKeyGenerator.new(config.secret_token)
+                         end
     end
 
     # Stores some of the Rails initial environment parameters which
@@ -119,6 +125,7 @@ module Rails
     #   * "action_dispatch.show_detailed_exceptions" => config.consider_all_requests_local,
     #   * "action_dispatch.logger"                   => Rails.logger,
     #   * "action_dispatch.backtrace_cleaner"        => Rails.backtrace_cleaner
+    #   * "action_dispatch.key_generator"            => key_generator
     #
     # These parameters will be used by middlewares and engines to configure themselves
     #
diff --git a/railties/lib/rails/application/configuration.rb b/railties/lib/rails/application/configuration.rb
index cc21213f1c..b01b97aa67 100644
--- a/railties/lib/rails/application/configuration.rb
+++ b/railties/lib/rails/application/configuration.rb
@@ -10,12 +10,12 @@ module Rails
                     :cache_classes, :cache_store, :consider_all_requests_local, :console,
                     :eager_load, :exceptions_app, :file_watcher, :filter_parameters,
                     :force_ssl, :helpers_paths, :logger, :log_formatter, :log_tags,
-                    :railties_order, :relative_url_root, :secret_token,
+                    :railties_order, :relative_url_root, :secret_token_key,
                     :serve_static_assets, :ssl_options, :static_cache_control, :session_options,
                     :time_zone, :reload_classes_only_on_change,
                     :queue, :queue_consumer, :beginning_of_week
 
-      attr_writer :log_level
+      attr_writer :secret_token, :log_level
       attr_reader :encoding
 
       def initialize(*)
@@ -46,6 +46,8 @@ module Rails
         @queue                         = ActiveSupport::SynchronousQueue.new
         @queue_consumer                = nil
         @eager_load                    = nil
+        @secret_token                  = nil
+        @secret_token_key              = nil
 
         @assets = ActiveSupport::OrderedOptions.new
         @assets.enabled                  = false
@@ -144,6 +146,10 @@ module Rails
       def whiny_nils=(*)
         ActiveSupport::Deprecation.warn "config.whiny_nils option is deprecated and no longer works"
       end
+
+      def secret_token
+        @secret_token_key || @secret_token
+      end
     end
   end
 end
diff --git a/railties/lib/rails/generators/rails/app/templates/config/initializers/secret_token.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/initializers/secret_token.rb.tt
index 3c5611ca59..d96185ae2a 100644
--- a/railties/lib/rails/generators/rails/app/templates/config/initializers/secret_token.rb.tt
+++ b/railties/lib/rails/generators/rails/app/templates/config/initializers/secret_token.rb.tt
@@ -7,6 +7,6 @@
 # no regular words or you'll be exposed to dictionary attacks.
 # You can use `rake secret` to generate a secure secret key.
 
-# Make sure your secret_token is kept private
+# Make sure your secret_token_key is kept private
 # if you're sharing your code publicly.
-<%= app_const %>.config.secret_token = '<%= app_secret %>'
+<%= app_const %>.config.secret_token_key = '<%= app_secret %>'
diff --git a/railties/test/application/configuration_test.rb b/railties/test/application/configuration_test.rb
index c4c1100f19..daf9dd3505 100644
--- a/railties/test/application/configuration_test.rb
+++ b/railties/test/application/configuration_test.rb
@@ -225,9 +225,9 @@ module ApplicationTests
       assert_equal Pathname.new(app_path).join("somewhere"), Rails.public_path
     end
 
-    test "config.secret_token is sent in env" do
+    test "config.secret_token_key is sent in env" do
       make_basic_app do |app|
-        app.config.secret_token = 'b3c631c314c0bbca50c1b2843150fe33'
+        app.config.secret_token_key = 'b3c631c314c0bbca50c1b2843150fe33'
         app.config.session_store :disabled
       end
 
@@ -242,6 +242,26 @@ module ApplicationTests
       assert_equal 'b3c631c314c0bbca50c1b2843150fe33', last_response.body
     end
 
+    test "Use key_generator when secret_token_key is set" do
+      make_basic_app do |app|
+        app.config.secret_token_key = 'b3c631c314c0bbca50c1b2843150fe33'
+        app.config.session_store :disabled
+      end
+
+      class ::OmgController < ActionController::Base
+        def index
+          cookies.signed[:some_key] = "some_value"
+          render text: cookies[:some_key]
+        end
+      end
+
+      get "/"
+
+      secret = app.key_generator.generate_key('signed cookie')
+      verifier = ActiveSupport::MessageVerifier.new(secret)
+      assert_equal 'some_value', verifier.verify(last_response.body)
+    end
+
     test "protect from forgery is the default in a new app" do
       make_basic_app
 
diff --git a/railties/test/application/url_generation_test.rb b/railties/test/application/url_generation_test.rb
index 2a48adae5c..fb83659b0c 100644
--- a/railties/test/application/url_generation_test.rb
+++ b/railties/test/application/url_generation_test.rb
@@ -14,7 +14,7 @@ module ApplicationTests
       require "action_controller/railtie"
 
       class MyApp < Rails::Application
-        config.secret_token = "3b7cd727ee24e8444053437c36cc66c4"
+        config.secret_token_key = "3b7cd727ee24e8444053437c36cc66c4"
         config.session_store :cookie_store, key: "_myapp_session"
         config.active_support.deprecation = :log
         config.eager_load = false
diff --git a/railties/test/isolation/abstract_unit.rb b/railties/test/isolation/abstract_unit.rb
index e59488f97d..2c92f2ded5 100644
--- a/railties/test/isolation/abstract_unit.rb
+++ b/railties/test/isolation/abstract_unit.rb
@@ -119,7 +119,7 @@ module TestHelpers
 
       add_to_config <<-RUBY
         config.eager_load = false
-        config.secret_token = "3b7cd727ee24e8444053437c36cc66c4"
+        config.secret_token_key = "3b7cd727ee24e8444053437c36cc66c4"
         config.session_store :cookie_store, key: "_myapp_session"
         config.active_support.deprecation = :log
         config.action_controller.allow_forgery_protection = false
@@ -138,7 +138,7 @@ module TestHelpers
 
       app = Class.new(Rails::Application)
       app.config.eager_load = false
-      app.config.secret_token = "3b7cd727ee24e8444053437c36cc66c4"
+      app.config.secret_token_key = "3b7cd727ee24e8444053437c36cc66c4"
       app.config.session_store :cookie_store, key: "_myapp_session"
       app.config.active_support.deprecation = :log