Merge pull request rails#51337 from fatkodima/secret_key_base-deprecation-in-development

Show warning for `secret_key_base` in development too

Author: rafaelfranca

railties/lib/rails/application.rb

@@ -476,27 +476,30 @@ def secrets
     # then +credentials.secret_key_base+, and finally +secrets.secret_key_base+. For most applications,
     # the correct place to store it is in the encrypted credentials file.
     def secret_key_base
-      if Rails.env.local? || ENV["SECRET_KEY_BASE_DUMMY"]
-        config.secret_key_base ||= generate_local_secret
-      else
-        validate_secret_key_base(
-          ENV["SECRET_KEY_BASE"] || credentials.secret_key_base || begin
-            secret_skb = secrets_secret_key_base
-
-            if secret_skb.equal?(config.secret_key_base)
-              config.secret_key_base
-            else
-              Rails.deprecator.warn(<<~MSG.squish)
-                Your `secret_key_base` is configured in `Rails.application.secrets`,
-                which is deprecated in favor of `Rails.application.credentials` and
-                will be removed in Rails 7.2.
-              MSG
-
-              secret_skb
+      config.secret_key_base ||=
+        if ENV["SECRET_KEY_BASE_DUMMY"]
+          generate_local_secret
+        else
+          validate_secret_key_base(
+            ENV["SECRET_KEY_BASE"] || credentials.secret_key_base || begin
+              secret_skb = secrets_secret_key_base
+
+              if secret_skb && secret_skb.equal?(config.secret_key_base)
+                config.secret_key_base
+              elsif secret_skb
+                Rails.deprecator.warn(<<~MSG.squish)
+                  Your `secret_key_base` is configured in `Rails.application.secrets`,
+                  which is deprecated in favor of `Rails.application.credentials` and
+                  will be removed in Rails 7.2.
+                MSG
+
+                secret_skb
+              elsif Rails.env.local?
+                generate_local_secret
+              end
             end
-          end
-        )
-      end
+          )
+        end
     end
 
     # Returns an ActiveSupport::EncryptedConfiguration instance for the

railties/test/application/configuration_test.rb

@@ -930,6 +930,7 @@ def index
     end
 
     test "secrets.secret_key_base is used when config/secrets.yml is present" do
+      remove_file "config/credentials.yml.enc"
       app_file "config/secrets.yml", <<-YAML
         development:
           secret_key_base: 3b7cd727ee24e8444053437c36cc66c3
@@ -966,6 +967,20 @@ def index
       end
     end
 
+    test "config.secret_key_base leads to a deprecation in development when config/secrets.yml is present" do
+      remove_file "config/credentials.yml.enc"
+      app_file "config/secrets.yml", <<-YAML
+        development:
+          secret_key_base: 3b7cd727ee24e8444053437c36cc66c3
+      YAML
+
+      app "development"
+      assert_deprecated(Rails.deprecator) do
+        assert_equal "3b7cd727ee24e8444053437c36cc66c3", app.secrets.secret_key_base
+      end
+      assert_equal "3b7cd727ee24e8444053437c36cc66c3", app.secret_key_base
+    end
+
     test "custom secrets saved in config/secrets.yml are loaded in app secrets" do
       app_file "config/secrets.yml", <<-YAML
         development: