Rename secret_token_key to secret_key_base

This commit is contained in:
Santiago Pastorino 2012-11-02 20:27:51 -02:00
parent c2a7956eb7
commit 4faa041845
12 changed files with 23 additions and 23 deletions


@ -28,7 +28,7 @@ module ActionDispatch
# cookies[:login] = { value: "XJ-122", expires: 1.hour.from_now }
#
# # Sets a signed cookie, which prevents users from tampering with its value.
# # The cookie is signed by your app's <tt>config.secret_token_key</tt> value.
# # The cookie is signed by your app's <tt>config.secret_key_base</tt> value.
# # It can be read using the signed method <tt>cookies.signed[:key]</tt>
# cookies.signed[:user_id] = current_user.id
#
@ -239,7 +239,7 @@ module ActionDispatch
# cookie was tampered with by the user (or a 3rd party), an ActiveSupport::MessageVerifier::InvalidSignature exception will
# be raised.
#
# This jar requires that you set a suitable secret for the verification on your app's +config.secret_token_key+.
# This jar requires that you set a suitable secret for the verification on your app's +config.secret_key_base+.
#
# Example:
#
@ -255,7 +255,7 @@ module ActionDispatch
# If the cookie was tampered with by the user (or a 3rd party), an ActiveSupport::MessageVerifier::InvalidSignature exception
# will be raised.
#
# This jar requires that you set a suitable secret for the verification on your app's +config.secret_token_key+.
# This jar requires that you set a suitable secret for the verification on your app's +config.secret_key_base+.
#
# Example:
#


@ -55,7 +55,7 @@ module ActiveSupport
if secret.blank?
raise ArgumentError, "A secret is required to generate an " +
"integrity hash for cookie session data. Use " +
"config.secret_token_key = \"some secret phrase of at " +
"config.secret_key_base = \"some secret phrase of at " +
"least #{SECRET_MIN_LENGTH} characters\"" +
"in config/initializers/secret_token.rb"
end
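Review bot: The concatenated ArgumentError message is missing a space between the `characters\""` fragment and `"in config/initializers/secret_token.rb"`, so the raised text reads `…characters"in config/initializers/secret_token.rb`; change the last fragment to `" in config/initializers/secret_token.rb"`. The file name in that message is unchanged by the rename, which looks intentional given the docs hunk still points at `config/initializers/secret_token.rb`, but it is worth confirming the generated initializer keeps that name. The enclosing method starts outside the hunk.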


@ -6,4 +6,4 @@
# no regular words or you'll be exposed to dictionary attacks.
# Make sure your secret key is kept private
# if you're sharing your code publicly.
Blog::Application.config.secret_token_key = '685a9bf865b728c6549a191c90851c1b5ec41ecb60b9e94ad79dd3f824749798aa7b5e94431901960bee57809db0947b481570f7f13376b7ca190fa28099c459'
Blog::Application.config.secret_key_base = '685a9bf865b728c6549a191c90851c1b5ec41ecb60b9e94ad79dd3f824749798aa7b5e94431901960bee57809db0947b481570f7f13376b7ca190fa28099c459'


@ -219,7 +219,7 @@ Rails sets up (for the CookieStore) a secret key used for signing the session da
# If you change this key, all old signed cookies will become invalid!
# Make sure the secret is at least 30 characters and all random,
# no regular words or you'll be exposed to dictionary attacks.
YourApp::Application.config.secret_token_key = '49d3f3de9ed86c74b94ad6bd0...'
YourApp::Application.config.secret_key_base = '49d3f3de9ed86c74b94ad6bd0...'
```
NOTE: Changing the secret when using the `CookieStore` will invalidate all existing sessions.


@ -113,7 +113,7 @@ These configuration methods are to be called on a `Rails::Railtie` object, such
* `config.reload_classes_only_on_change` enables or disables reloading of classes only when tracked files change. By default tracks everything on autoload paths and is set to true. If `config.cache_classes` is true, this option is ignored.
* `config.secret_token_key` used for specifying a key which allows sessions for the application to be verified against a known secure key to prevent tampering. Applications get `config.secret_token_key` initialized to a random key in `config/initializers/secret_token.rb`.
* `config.secret_key_base` used for specifying a key which allows sessions for the application to be verified against a known secure key to prevent tampering. Applications get `config.secret_key_base` initialized to a random key in `config/initializers/secret_token.rb`.
* `config.serve_static_assets` configures Rails itself to serve static assets. Defaults to true, but in the production environment is turned off as the server software (e.g. Nginx or Apache) used to run the application should serve static assets instead. Unlike the default setting set this to true when running (absolutely not recommended!) or testing your app in production mode using WEBrick. Otherwise you won´t be able use page caching and requests for files that exist regularly under the public directory will anyway hit your Rails app.


@ -109,8 +109,8 @@ module Rails
# number of iterations selected based on consultation with the google security
# team. Details at https://github.com/rails/rails/pull/6952#issuecomment-7661220
@caching_key_generator ||= begin
if config.secret_token_key
key_generator = ActiveSupport::KeyGenerator.new(config.secret_token_key, iterations: 1000)
if config.secret_key_base
key_generator = ActiveSupport::KeyGenerator.new(config.secret_key_base, iterations: 1000)
ActiveSupport::CachingKeyGenerator.new(key_generator)
else
ActiveSupport::DummyKeyGenerator.new(config.secret_token)
@ -137,12 +137,12 @@ module Rails
#
def env_config
@env_config ||= begin
if config.secret_token_key.nil?
ActiveSupport::Deprecation.warn "You didn't set config.secret_token_key. " +
if config.secret_key_base.nil?
ActiveSupport::Deprecation.warn "You didn't set config.secret_key_base. " +
"This should be used instead of the old deprecated config.secret_token. " +
"Set config.secret_token_key instead of config.secret_token in config/initializers/secret_token.rb"
"Set config.secret_key_base instead of config.secret_token in config/initializers/secret_token.rb"
if config.secret_token.blank?
raise "You must set config.secret_token_key in your app's config"
raise "You must set config.secret_key_base in your app's config"
end
end


@ -10,7 +10,7 @@ module Rails
:cache_classes, :cache_store, :consider_all_requests_local, :console,
:eager_load, :exceptions_app, :file_watcher, :filter_parameters,
:force_ssl, :helpers_paths, :logger, :log_formatter, :log_tags,
:railties_order, :relative_url_root, :secret_token, :secret_token_key,
:railties_order, :relative_url_root, :secret_key_base, :secret_token,
:serve_static_assets, :ssl_options, :static_cache_control, :session_options,
:time_zone, :reload_classes_only_on_change,
:queue, :queue_consumer, :beginning_of_week
@ -47,7 +47,7 @@ module Rails
@queue_consumer = nil
@eager_load = nil
@secret_token = nil
@secret_token_key = nil
@secret_key_base = nil
@assets = ActiveSupport::OrderedOptions.new
@assets.enabled = false


@ -7,6 +7,6 @@
# no regular words or you'll be exposed to dictionary attacks.
# You can use `rake secret` to generate a secure secret key.
# Make sure your secret_token_key is kept private
# Make sure your secret_key_base is kept private
# if you're sharing your code publicly.
<%= app_const %>.config.secret_token_key = '<%= app_secret %>'
<%= app_const %>.config.secret_key_base = '<%= app_secret %>'


@ -14,6 +14,6 @@ require 'rails/all'
module TestApp
class Application < Rails::Application
config.root = File.dirname(__FILE__)
config.secret_token_key = 'b3c631c314c0bbca50c1b2843150fe33'
config.secret_key_base = 'b3c631c314c0bbca50c1b2843150fe33'
end
end


@ -225,9 +225,9 @@ module ApplicationTests
assert_equal Pathname.new(app_path).join("somewhere"), Rails.public_path
end
test "Use key_generator when secret_token_key is set" do
test "Use key_generator when secret_key_base is set" do
make_basic_app do |app|
app.config.secret_token_key = 'b3c631c314c0bbca50c1b2843150fe33'
app.config.secret_key_base = 'b3c631c314c0bbca50c1b2843150fe33'
app.config.session_store :disabled
end


@ -14,7 +14,7 @@ module ApplicationTests
require "action_controller/railtie"
class MyApp < Rails::Application
config.secret_token_key = "3b7cd727ee24e8444053437c36cc66c4"
config.secret_key_base = "3b7cd727ee24e8444053437c36cc66c4"
config.session_store :cookie_store, key: "_myapp_session"
config.active_support.deprecation = :log
config.eager_load = false


@ -119,7 +119,7 @@ module TestHelpers
add_to_config <<-RUBY
config.eager_load = false
config.secret_token_key = "3b7cd727ee24e8444053437c36cc66c4"
config.secret_key_base = "3b7cd727ee24e8444053437c36cc66c4"
config.session_store :cookie_store, key: "_myapp_session"
config.active_support.deprecation = :log
config.action_controller.allow_forgery_protection = false
@ -138,7 +138,7 @@ module TestHelpers
app = Class.new(Rails::Application)
app.config.eager_load = false
app.config.secret_token_key = "3b7cd727ee24e8444053437c36cc66c4"
app.config.secret_key_base = "3b7cd727ee24e8444053437c36cc66c4"
app.config.session_store :cookie_store, key: "_myapp_session"
app.config.active_support.deprecation = :log