Merge PR #42538

actionmailbox/test/dummy/config/initializers/application_controller_renderer.rb

@@ -1,8 +0,0 @@
-# Be sure to restart your server when you modify this file.
-
-# ActiveSupport::Reloader.to_prepare do
-#   ApplicationController.renderer.defaults.merge!(
-#     http_host: 'example.org',
-#     https: false
-#   )
-# end

actionmailbox/test/dummy/config/initializers/cookies_serializer.rb

@@ -1,5 +0,0 @@
-# Be sure to restart your server when you modify this file.
-
-# Specify a serializer for the signed and encrypted cookie jars.
-# Valid options are :json, :marshal, and :hybrid.
-Rails.application.config.action_dispatch.cookies_serializer = :json

actiontext/test/dummy/config/initializers/application_controller_renderer.rb

@@ -1,8 +0,0 @@
-# Be sure to restart your server when you modify this file.
-
-# ActiveSupport::Reloader.to_prepare do
-#   ApplicationController.renderer.defaults.merge!(
-#     http_host: 'example.org',
-#     https: false
-#   )
-# end

actiontext/test/dummy/config/initializers/cookies_serializer.rb

@@ -1,5 +0,0 @@
-# Be sure to restart your server when you modify this file.
-
-# Specify a serializer for the signed and encrypted cookie jars.
-# Valid options are :json, :marshal, and :hybrid.
-Rails.application.config.action_dispatch.cookies_serializer = :json

activestorage/test/dummy/config/initializers/application_controller_renderer.rb

@@ -1,7 +0,0 @@
-# frozen_string_literal: true
-# Be sure to restart your server when you modify this file.
-
-# ApplicationController.renderer.defaults.merge!(
-#   http_host: 'example.org',
-#   https: false
-# )

activestorage/test/dummy/config/initializers/cookies_serializer.rb

@@ -1,7 +0,0 @@
-# frozen_string_literal: true
-
-# Be sure to restart your server when you modify this file.
-
-# Specify a serializer for the signed and encrypted cookie jars.
-# Valid options are :json, :marshal, and :hybrid.
-Rails.application.config.action_dispatch.cookies_serializer = :json

railties/CHANGELOG.md

@@ -1,3 +1,11 @@
+*   New and upgraded Rails apps no longer generate `config/initializers/application_controller_renderer.rb`
+    or `config/initializers/cookies_serializer.rb`
+
+    The default value for `cookies_serializer` (`:json`) has been moved to `config.load_defaults("7.0")`.
+    The new framework defaults file sets the serializer to `:marshal`.
+
+    *Alex Ghiculescu*
+
 *   New applications get a dependency on the new `debug` gem, replacing `byebug`.
 
     *Xavier Noria*

railties/lib/rails/application/configuration.rb

@@ -199,6 +199,7 @@ module Rails
 
           if respond_to?(:action_dispatch)
             action_dispatch.return_only_request_media_type_on_content_type = false
+            action_dispatch.cookies_serializer = :json
           end
 
           if respond_to?(:action_controller)

railties/lib/rails/generators/rails/app/app_generator.rb

@@ -117,7 +117,6 @@ module Rails
     end
 
     def config_when_updating
-      cookie_serializer_config_exist  = File.exist?("config/initializers/cookies_serializer.rb")
       action_cable_config_exist       = File.exist?("config/cable.yml")
       active_storage_config_exist     = File.exist?("config/storage.yml")
       rack_cors_config_exist          = File.exist?("config/initializers/cors.rb")
@@ -131,10 +130,6 @@ module Rails
 
       config
 
-      unless cookie_serializer_config_exist
-        gsub_file "config/initializers/cookies_serializer.rb", /json(?!,)/, "marshal"
-      end
-
       if !options[:skip_action_cable] && !action_cable_config_exist
         template "config/cable.yml"
       end
@@ -160,10 +155,6 @@ module Rails
       end
 
       if options[:api]
-        unless cookie_serializer_config_exist
-          remove_file "config/initializers/cookies_serializer.rb"
-        end
-
         unless csp_config_exist
           remove_file "config/initializers/content_security_policy.rb"
         end
@@ -487,7 +478,6 @@ module Rails
 
       def delete_non_api_initializers_if_api_option
         if options[:api]
-          remove_file "config/initializers/cookies_serializer.rb"
           remove_file "config/initializers/content_security_policy.rb"
           remove_file "config/initializers/permissions_policy.rb"
         end

railties/lib/rails/generators/rails/app/templates/config/initializers/application_controller_renderer.rb.tt

@@ -1,8 +0,0 @@
-# Be sure to restart your server when you modify this file.
-
-# ActiveSupport::Reloader.to_prepare do
-#   ApplicationController.renderer.defaults.merge!(
-#     http_host: "example.org",
-#     https: false
-#   )
-# end

railties/lib/rails/generators/rails/app/templates/config/initializers/cookies_serializer.rb.tt

@@ -1,5 +0,0 @@
-# Be sure to restart your server when you modify this file.
-
-# Specify a serializer for the signed and encrypted cookie jars.
-# Valid options are :json, :marshal, and :hybrid.
-Rails.application.config.action_dispatch.cookies_serializer = :json

railties/lib/rails/generators/rails/app/templates/config/initializers/new_framework_defaults_7_0.rb.tt

@@ -7,6 +7,7 @@
 # this file and set the `config.load_defaults` to `7.0`.
 #
 # Read the Guide for Upgrading Ruby on Rails for more info on each option.
+# https://guides.rubyonrails.org/upgrading_ruby_on_rails.html
 
 # Raise an error when trying to use forgery protection without a working
 # session.
@@ -70,3 +71,15 @@
 # operations. See the upgrading guide for detail on the changes required.
 # The `:mini_magick` option is not deprecated; it's fine to keep using it.
 # Rails.application.config.active_storage.variant_processor = :vips
+
+# If you're upgrading and haven't set `cookies_serializer` previously, your cookie serializer
+# was `:marshal`. Convert all cookies to JSON, using the `:hybrid` formatter.
+#
+# If you're confident all your cookies are JSON formatted, you can switch to the `:json` formatter.
+#
+# Continue to use `:marshal` for backward-compatibility with old cookies.
+#
+# If you have configured the serializer elsewhere, you can remove this.
+#
+# See https://guides.rubyonrails.org/action_controller_overview.html#cookies for more information.
+# Rails.application.config.action_dispatch.cookies_serializer = :hybrid

railties/test/application/middleware/cookies_test.rb

@@ -94,6 +94,7 @@ module ApplicationTests
 
         config.action_dispatch.signed_cookie_digest = "SHA512"
         config.action_dispatch.signed_cookie_salt = "sha512 salt"
+        config.action_dispatch.cookies_serializer = :marshal
 
         config.action_dispatch.cookies_rotations.tap do |cookies|
           cookies.rotate :signed, sha1_secret,   digest: "SHA1"
@@ -164,6 +165,7 @@ module ApplicationTests
         config.action_dispatch.use_authenticated_cookie_encryption = true
         config.action_dispatch.encrypted_cookie_cipher = "aes-256-gcm"
         config.action_dispatch.authenticated_encrypted_cookie_salt = "salt"
+        config.action_dispatch.cookies_serializer = :marshal
 
         config.action_dispatch.cookies_rotations.tap do |cookies|
           cookies.rotate :encrypted, first_secret

railties/test/application/middleware/session_test.rb

@@ -167,6 +167,8 @@ module ApplicationTests
       add_to_config <<-RUBY
         # Enable AEAD cookies
         config.action_dispatch.use_authenticated_cookie_encryption = true
+
+        config.action_dispatch.cookies_serializer = :marshal
       RUBY
 
       require "#{app_path}/config/environment"
@@ -217,6 +219,7 @@ module ApplicationTests
       add_to_config <<-RUBY
         # Enable AEAD cookies
         config.action_dispatch.use_authenticated_cookie_encryption = true
+        config.action_dispatch.cookies_serializer = :marshal
       RUBY
 
       require "#{app_path}/config/environment"
@@ -280,6 +283,8 @@ module ApplicationTests
 
         # Use SHA1 key derivation
         config.active_support.key_generator_hash_digest_class = OpenSSL::Digest::SHA1
+
+        config.action_dispatch.cookies_serializer = :marshal
       RUBY
 
       begin

railties/test/generators/api_app_generator_test.rb

@@ -93,7 +93,6 @@ class ApiAppGeneratorTest < Rails::Generators::TestCase
       { api: true, update: true }, { destination_root: destination_root, shell: @shell }
     quietly { generator.update_config_files }
 
-    assert_no_file "config/initializers/cookies_serializer.rb"
     assert_no_file "config/initializers/assets.rb"
     assert_no_file "config/initializers/content_security_policy.rb"
     assert_no_file "config/initializers/permissions_policy.rb"
@@ -134,7 +133,6 @@ class ApiAppGeneratorTest < Rails::Generators::TestCase
         config/environments/production.rb
         config/environments/test.rb
         config/initializers
-        config/initializers/application_controller_renderer.rb
         config/initializers/backtrace_silencers.rb
         config/initializers/cors.rb
         config/initializers/filter_parameter_logging.rb
@@ -167,7 +165,6 @@ class ApiAppGeneratorTest < Rails::Generators::TestCase
          app/views/layouts/application.html.erb
          bin/yarn
          config/initializers/assets.rb
-         config/initializers/cookies_serializer.rb
          config/initializers/content_security_policy.rb
          config/initializers/permissions_policy.rb
          lib/assets

railties/test/generators/app_generator_test.rb

@@ -46,10 +46,8 @@ DEFAULT_APP_FILES = %w(
   config/environments/production.rb
   config/environments/test.rb
   config/initializers
-  config/initializers/application_controller_renderer.rb
   config/initializers/assets.rb
   config/initializers/backtrace_silencers.rb
-  config/initializers/cookies_serializer.rb
   config/initializers/content_security_policy.rb
   config/initializers/filter_parameter_logging.rb
   config/initializers/inflections.rb
@@ -177,12 +175,6 @@ class AppGeneratorTest < Rails::Generators::TestCase
     end
   end
 
-  def test_new_application_use_json_serializer
-    run_generator
-
-    assert_file("config/initializers/cookies_serializer.rb", /Rails\.application\.config\.action_dispatch\.cookies_serializer = :json/)
-  end
-
   def test_new_application_not_include_api_initializers
     run_generator
 
@@ -200,33 +192,6 @@ class AppGeneratorTest < Rails::Generators::TestCase
     assert_file "#{app_root}/config/application.rb", /\s+config\.load_defaults #{Rails::VERSION::STRING.to_f}/
   end
 
-  def test_app_update_keep_the_cookie_serializer_if_it_is_already_configured
-    app_root = File.join(destination_root, "myapp")
-    run_generator [app_root]
-
-    stub_rails_application(app_root) do
-      generator = Rails::Generators::AppGenerator.new ["rails"], [], destination_root: app_root, shell: @shell
-      generator.send(:app_const)
-      quietly { generator.update_config_files }
-      assert_file("#{app_root}/config/initializers/cookies_serializer.rb", /Rails\.application\.config\.action_dispatch\.cookies_serializer = :json/)
-    end
-  end
-
-  def test_app_update_set_the_cookie_serializer_to_marshal_if_it_is_not_already_configured
-    app_root = File.join(destination_root, "myapp")
-    run_generator [app_root]
-
-    FileUtils.rm("#{app_root}/config/initializers/cookies_serializer.rb")
-
-    stub_rails_application(app_root) do
-      generator = Rails::Generators::AppGenerator.new ["rails"], [], destination_root: app_root, shell: @shell
-      generator.send(:app_const)
-      quietly { generator.update_config_files }
-      assert_file("#{app_root}/config/initializers/cookies_serializer.rb",
-                  /Valid options are :json, :marshal, and :hybrid\.\nRails\.application\.config\.action_dispatch\.cookies_serializer = :marshal/)
-    end
-  end
-
   def test_app_update_create_new_framework_defaults
     app_root = File.join(destination_root, "myapp")
     run_generator [app_root]