From db5f1a46f26ed2b8359d3dde3398dd1a8ca443d4 Mon Sep 17 00:00:00 2001
From: Benjamin Fleischer <github@benjaminfleischer.com>
Date: Mon, 27 Oct 2014 12:04:37 -0500
Subject: `secret_token` is now saved in
 `Rails.application.secrets.secret_token`

- `secrets.secret_token` is now used in all places `config.secret_token` was
  - `secrets.secret_token`, when not present in `config/secrets.yml`,
    now falls back to the value of `config.secret_token`
  - when `secrets.secret_token` is set, it over-writes
    `config.secret_token` so they are the same (for backwards-compatibility)
  - Update docs to reference app.secrets in all places
    - Remove references to `config.secret_token`, `config.secret_key_base`
- Warn that missing secret_key_base is deprecated
- Add tests for secret_token, key_generator, and message_verifier
  - the legacy key generator is used with the message verifier when
    secrets.secret_key_base is blank and secret_token is set
  - app.key_generator raises when neither secrets.secret_key_base nor
    secret_token are set
  - app.env_config    raises when neither secrets.secret_key_base nor
    secret_token are set
- Add changelog

Run focused tests via
ruby -w -Itest test/application/configuration_test.rb -n '/secret_|key_/'
---
 railties/lib/rails/application.rb | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

(limited to 'railties/lib/rails')

diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb
index bc966e87c6..78b8a90432 100644
--- a/railties/lib/rails/application.rb
+++ b/railties/lib/rails/application.rb
@@ -175,7 +175,7 @@ module Rails
           key_generator = ActiveSupport::KeyGenerator.new(secrets.secret_key_base, iterations: 1000)
           ActiveSupport::CachingKeyGenerator.new(key_generator)
         else
-          ActiveSupport::LegacyKeyGenerator.new(config.secret_token)
+          ActiveSupport::LegacyKeyGenerator.new(secrets.secret_token)
         end
     end
 
@@ -245,7 +245,7 @@ module Rails
         super.merge({
           "action_dispatch.parameter_filter" => config.filter_parameters,
           "action_dispatch.redirect_filter" => config.filter_redirect,
-          "action_dispatch.secret_token" => config.secret_token,
+          "action_dispatch.secret_token" => secrets.secret_token,
           "action_dispatch.secret_key_base" => secrets.secret_key_base,
           "action_dispatch.show_exceptions" => config.action_dispatch.show_exceptions,
           "action_dispatch.show_detailed_exceptions" => config.consider_all_requests_local,
@@ -378,6 +378,13 @@ module Rails
 
         # Fallback to config.secret_key_base if secrets.secret_key_base isn't set
         secrets.secret_key_base ||= config.secret_key_base
+        # Sync secrets.secret_token with config.secret_token, preferring secrets.secret_token
+        # note that unset config's default to "", secrets default to nil
+        if secrets.secret_token.blank? && config.secret_token.present?
+          secrets.secret_token = config.secret_token
+        elsif secrets.secret_token.present?
+          config.secret_token = secrets.secret_token
+        end
 
         secrets
       end
@@ -507,8 +514,13 @@ module Rails
     end
 
     def validate_secret_key_config! #:nodoc:
-      if secrets.secret_key_base.blank? && config.secret_token.blank?
-        raise "Missing `secret_key_base` for '#{Rails.env}' environment, set this value in `config/secrets.yml`"
+      if secrets.secret_key_base.blank?
+        ActiveSupport::Deprecation.warn "You didn't set `secret_key_base`. " +
+          "Read the upgrade documentation to learn more about this new config option."
+
+        if secrets.secret_token.blank?
+          raise "Missing `secret_token` and `secret_key_base` for '#{Rails.env}' environment, set these values in `config/secrets.yml`"
+        end
       end
     end
   end
-- 
cgit v1.2.3


From 1d1239d32856b32b19c04edd17d0dd0d47611586 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
 <rafael.franca@plataformatec.com.br>
Date: Mon, 10 Nov 2014 21:18:57 -0200
Subject: No need to sync config.secret_token and secrets.secret_token

Just prefer secrets over config
---
 railties/lib/rails/application.rb | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

(limited to 'railties/lib/rails')

diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb
index ae60337af2..f8bd6096f2 100644
--- a/railties/lib/rails/application.rb
+++ b/railties/lib/rails/application.rb
@@ -381,13 +381,8 @@ module Rails
 
         # Fallback to config.secret_key_base if secrets.secret_key_base isn't set
         secrets.secret_key_base ||= config.secret_key_base
-        # Sync secrets.secret_token with config.secret_token, preferring secrets.secret_token
-        # note that unset config's default to "", secrets default to nil
-        if secrets.secret_token.blank? && config.secret_token.present?
-          secrets.secret_token = config.secret_token
-        elsif secrets.secret_token.present?
-          config.secret_token = secrets.secret_token
-        end
+        # Fallback to config.secret_token if secrets.secret_token isn't set
+        secrets.secret_token ||= config.secret_token
 
         secrets
       end
-- 
cgit v1.2.3