Prepare for 4.4.3 release

Create Devise::SecretKeyFinder
When supporting Rails 5.2 credentials on https://github.com/plataformatec/devise/pull/4712, we ended up breaking apps that were upgraded to Rails 5.2 and weren't using `credentials` to store their `secret_key_base`. See https://github.com/plataformatec/devise/issues/4807 for more context. To fix it, we're now checking whether the key is present before using it. Since there weren't any automated test for this - the conditionals were in a Rails engine initializer - I've extracted it to a new class so that we are able to test it easily. Fixes #4807
2026-01-10 16:18:04 -05:00 · 2018-03-17 20:44:00 -03:00 · 2018-03-17 20:28:38 -03:00 · 2018-03-16 11:17:48 -03:00
12 changed files with 143 additions and 20 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,11 @@
 ### Unreleased

+### 4.4.3 - 2018-03-17
+
+* bug fixes
+  * Fix undefined method `rails5?` for Devise::Test:Module (by @tegon)
+  * Fix: secret key was being required to be set inside credentials on Rails 5.2 (by @tegon)
+
 ### 4.4.2 - 2018-03-15

 * enhancements
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -10,7 +10,7 @@ GIT
 PATH
  remote: .
  specs:
-    devise (4.4.2)
+    devise (4.4.3)
      bcrypt (~> 3.0)
      orm_adapter (~> 0.1)
      railties (>= 4.1.0, < 6.0)
@@ -190,4 +190,4 @@ DEPENDENCIES
  webrat (= 0.7.3)

 BUNDLED WITH
-   1.16.0
+   1.16.1
--- a/gemfiles/Gemfile.rails-4.1-stable.lock
+++ b/gemfiles/Gemfile.rails-4.1-stable.lock
@@ -21,7 +21,7 @@ GIT
 PATH
  remote: ..
  specs:
-    devise (4.4.2)
+    devise (4.4.3)
      bcrypt (~> 3.0)
      orm_adapter (~> 0.1)
      railties (>= 4.1.0, < 6.0)
@@ -168,4 +168,4 @@ DEPENDENCIES
  webrat (= 0.7.3)

 BUNDLED WITH
-   1.16.0
+   1.16.1
--- a/gemfiles/Gemfile.rails-4.2-stable.lock
+++ b/gemfiles/Gemfile.rails-4.2-stable.lock
@@ -57,7 +57,7 @@ GIT
 PATH
  remote: ..
  specs:
-    devise (4.4.2)
+    devise (4.4.3)
      bcrypt (~> 3.0)
      orm_adapter (~> 0.1)
      railties (>= 4.1.0, < 6.0)
@@ -189,4 +189,4 @@ DEPENDENCIES
  webrat (= 0.7.3)

 BUNDLED WITH
-   1.16.0
+   1.16.1
--- a/gemfiles/Gemfile.rails-5.0-stable.lock
+++ b/gemfiles/Gemfile.rails-5.0-stable.lock
@@ -10,7 +10,7 @@ GIT
 PATH
  remote: ..
  specs:
-    devise (4.4.2)
+    devise (4.4.3)
      bcrypt (~> 3.0)
      orm_adapter (~> 0.1)
      railties (>= 4.1.0, < 6.0)
@@ -189,4 +189,4 @@ DEPENDENCIES
  webrat (= 0.7.3)

 BUNDLED WITH
-   1.16.0
+   1.16.1
--- a/gemfiles/Gemfile.rails-5.2-rc1.lock
+++ b/gemfiles/Gemfile.rails-5.2-rc1.lock
@@ -10,10 +10,10 @@ GIT
 PATH
  remote: ..
  specs:
-    devise (4.4.1)
+    devise (4.4.3)
      bcrypt (~> 3.0)
      orm_adapter (~> 0.1)
-      railties (>= 4.1.0, < 5.2)
+      railties (>= 4.1.0, < 6.0)
      responders
      warden (~> 1.2.3)

@@ -198,4 +198,4 @@ DEPENDENCIES
  webrat (= 0.7.3)

 BUNDLED WITH
-   1.16.0
+   1.16.1
--- a/lib/devise.rb
+++ b/lib/devise.rb
@@ -18,6 +18,7 @@ module Devise
  autoload :TestHelpers,        'devise/test_helpers'
  autoload :TimeInflector,      'devise/time_inflector'
  autoload :TokenGenerator,     'devise/token_generator'
+  autoload :SecretKeyFinder,    'devise/secret_key_finder'

  module Controllers
    autoload :Helpers,        'devise/controllers/helpers'
--- a/lib/devise/rails.rb
+++ b/lib/devise/rails.rb
@@ -34,13 +34,7 @@ module Devise
    end

    initializer "devise.secret_key" do |app|
-      if app.respond_to?(:credentials)
-        Devise.secret_key ||= app.credentials.secret_key_base
-      elsif app.respond_to?(:secrets)
-        Devise.secret_key ||= app.secrets.secret_key_base
-      elsif app.config.respond_to?(:secret_key_base)
-        Devise.secret_key ||= app.config.secret_key_base
-      end
+      Devise.secret_key ||= Devise::SecretKeyFinder.new(app).find

      Devise.token_generator ||=
        if secret_key = Devise.secret_key
--- a/lib/devise/secret_key_finder.rb
+++ b/lib/devise/secret_key_finder.rb
@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Devise
+  class SecretKeyFinder
+    def initialize(application)
+      @application = application
+    end
+
+    def find
+      if @application.respond_to?(:credentials) && key_exists?(@application.credentials)
+        @application.credentials.secret_key_base
+      elsif @application.respond_to?(:secrets) && key_exists?(@application.secrets)
+        @application.secrets.secret_key_base
+      elsif @application.config.respond_to?(:secret_key_base) && key_exists?(@application.config)
+        @application.config.secret_key_base
+      end
+    end
+
+    private
+
+    def key_exists?(object)
+      object.secret_key_base.present?
+    end
+  end
+end
--- a/lib/devise/test/controller_helpers.rb
+++ b/lib/devise/test/controller_helpers.rb
@@ -139,7 +139,7 @@ module Devise

          status, headers, response = Devise.warden_config[:failure_app].call(env).to_a
          @controller.response.headers.merge!(headers)
-          @controller.response.content_type = headers["Content-Type"] unless Devise::Test.rails5?
+          @controller.response.content_type = headers["Content-Type"] unless Rails.version.start_with?('5')
          @controller.status = status
          @controller.response.body = response.body
          nil # causes process return @response
--- a/lib/devise/version.rb
+++ b/lib/devise/version.rb
@@ -1,5 +1,5 @@
 # frozen_string_literal: true

 module Devise
-  VERSION = "4.4.2".freeze
+  VERSION = "4.4.3".freeze
 end
--- a/test/secret_key_finder_test.rb
+++ b/test/secret_key_finder_test.rb
@@ -0,0 +1,97 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class Rails52Credentials
+  def credentials
+    OpenStruct.new(secret_key_base: 'credentials')
+  end
+end
+
+class Rails52Secrets
+  def credentials
+    OpenStruct.new(secret_key_base: nil)
+  end
+
+  def secrets
+    OpenStruct.new(secret_key_base: 'secrets')
+  end
+end
+
+class Rails52Config
+  def credentials
+    OpenStruct.new(secret_key_base: nil)
+  end
+
+  def secrets
+    OpenStruct.new(secret_key_base: nil)
+  end
+
+  def config
+    OpenStruct.new(secret_key_base: 'config')
+  end
+end
+
+class Rails41Secrets
+  def secrets
+    OpenStruct.new(secret_key_base: 'secrets')
+  end
+
+  def config
+    OpenStruct.new(secret_key_base: nil)
+  end
+end
+
+class Rails41Config
+  def secrets
+    OpenStruct.new(secret_key_base: nil)
+  end
+
+  def config
+    OpenStruct.new(secret_key_base: 'config')
+  end
+end
+
+class Rails40Config
+  def config
+    OpenStruct.new(secret_key_base: 'config')
+  end
+end
+
+class SecretKeyFinderTest < ActiveSupport::TestCase
+  test "rails 5.2 uses credentials when they're available" do
+    secret_key_finder = Devise::SecretKeyFinder.new(Rails52Credentials.new)
+
+    assert_equal 'credentials', secret_key_finder.find
+  end
+
+  test "rails 5.2 uses secrets when credentials are empty" do
+    secret_key_finder = Devise::SecretKeyFinder.new(Rails52Secrets.new)
+
+    assert_equal 'secrets', secret_key_finder.find
+  end
+
+  test "rails 5.2 uses config when secrets are empty" do
+    secret_key_finder = Devise::SecretKeyFinder.new(Rails52Config.new)
+
+    assert_equal 'config', secret_key_finder.find
+  end
+
+  test "rails 4.1 uses secrets" do
+    secret_key_finder = Devise::SecretKeyFinder.new(Rails41Secrets.new)
+
+    assert_equal 'secrets', secret_key_finder.find
+  end
+
+  test "rails 4.1 uses config when secrets are empty" do
+    secret_key_finder = Devise::SecretKeyFinder.new(Rails41Config.new)
+
+    assert_equal 'config', secret_key_finder.find
+  end
+
+  test "rails 4.0 uses config" do
+    secret_key_finder = Devise::SecretKeyFinder.new(Rails40Config.new)
+
+    assert_equal 'config', secret_key_finder.find
+  end
+end