Shopify
diff --git a/‎activerecord/CHANGELOG.md
Lines changed: 80 additions & 0 deletions b/‎activerecord/CHANGELOG.md
Lines changed: 80 additions & 0 deletions
diff --git a/‎activerecord/lib/active_record.rb
Lines changed: 7 additions & 0 deletions b/‎activerecord/lib/active_record.rb
Lines changed: 7 additions & 0 deletions
diff --git a/‎activerecord/lib/active_record/railtie.rb
Lines changed: 14 additions & 3 deletions b/‎activerecord/lib/active_record/railtie.rb
Lines changed: 14 additions & 3 deletions
diff --git a/‎activerecord/lib/active_record/signed_id.rb
Lines changed: 37 additions & 11 deletions b/‎activerecord/lib/active_record/signed_id.rb
Lines changed: 37 additions & 11 deletions
@@ -1,3 +1,83 @@
+*   Allow signed ID verifiers to be configurable via `Rails.application.message_verifiers`
+
+    Prior to this change, the primary way to configure signed ID verifiers was
+    to set `signed_id_verifier` on each model class:
+
+      ```ruby
+      Post.signed_id_verifier = ActiveSupport::MessageVerifier.new(...)
+      Comment.signed_id_verifier = ActiveSupport::MessageVerifier.new(...)
+      ```
+
+    And if the developer did not set `signed_id_verifier`, a verifier would be
+    instantiated with a secret derived from `secret_key_base` and the following
+    options:
+
+      ```ruby
+      { digest: "SHA256", serializer: JSON, url_safe: true }
+      ```
+
+    Thus it was cumbersome to rotate configuration for all verifiers.
+
+    This change defines a new Rails config: [`config.active_record.use_legacy_signed_id_verifier`][].
+    The default value is `:generate_and_verify`, which preserves the previous
+    behavior. However, when set to `:verify`, signed ID verifiers will use
+    configuration from `Rails.application.message_verifiers` (specifically,
+    `Rails.application.message_verifiers["active_record/signed_id"]`) to
+    generate and verify signed IDs, but will also verify signed IDs using the
+    older configuration.
+
+    To avoid complication, the new behavior only applies when `signed_id_verifier_secret`
+    is not set on a model class or any of its ancestors. Additionally,
+    `signed_id_verifier_secret` is now deprecated. If you are currently setting
+    `signed_id_verifier_secret` on a model class, you can set `signed_id_verifier`
+    instead:
+
+      ```ruby
+      # BEFORE
+      Post.signed_id_verifier_secret = "my secret"
+
+      # AFTER
+      Post.signed_id_verifier = ActiveSupport::MessageVerifier.new("my secret", digest: "SHA256", serializer: JSON, url_safe: true)
+      ```
+
+    To ease migration, `signed_id_verifier` has also been changed to behave as a
+    `class_attribute` (i.e. inheritable), but _only when `signed_id_verifier_secret`
+    is not set_:
+
+      ```ruby
+      # BEFORE
+      ActiveRecord::Base.signed_id_verifier = ActiveSupport::MessageVerifier.new(...)
+      Post.signed_id_verifier == ActiveRecord::Base.signed_id_verifier # => false
+
+      # AFTER
+      ActiveRecord::Base.signed_id_verifier = ActiveSupport::MessageVerifier.new(...)
+      Post.signed_id_verifier == ActiveRecord::Base.signed_id_verifier # => true
+
+      Post.signed_id_verifier_secret = "my secret" # => deprecation warning
+      Post.signed_id_verifier == ActiveRecord::Base.signed_id_verifier # => false
+      ```
+
+    Note, however, that it is recommended to eventually migrate from
+    model-specific verifiers to a unified configuration managed by
+    `Rails.application.message_verifiers`. `ActiveSupport::MessageVerifier#rotate`
+    can facilitate that transition. For example:
+
+      ```ruby
+      # BEFORE
+      # Generate and verify signed Post IDs using Post-specific configuration
+      Post.signed_id_verifier = ActiveSupport::MessageVerifier.new("post secret", ...)
+
+      # AFTER
+      # Generate and verify signed Post IDs using the unified configuration
+      Post.signed_id_verifier = Post.signed_id_verifier.dup
+      # Fall back to Post-specific configuration when verifying signed IDs
+      Post.signed_id_verifier.rotate("post secret", ...)
+      ```
+
+    [`config.active_record.use_legacy_signed_id_verifier`]: https://guides.rubyonrails.org/v8.1/configuring.html#config-active-record-use-legacy-signed-id-verifier
+
+    *Ali Sepehri*, *Jonathan Hefner*
+
 *   Prepend `extra_flags` in postgres' `structure_load`
 
     When specifying `structure_load_flags` with a postgres adapter, the flags
 
@@ -506,6 +506,13 @@ def self.marshalling_format_version=(value)
     }
   )
 
+  ##
+  # :singleton-method: message_verifiers
+  #
+  # ActiveSupport::MessageVerifiers instance for Active Record. If you are using
+  # Rails, this will be set to +Rails.application.message_verifiers+.
+  singleton_class.attr_accessor :message_verifiers
+
   def self.eager_load!
     super
     ActiveRecord::Locking.eager_load!
 
@@ -38,6 +38,7 @@ class Railtie < Rails::Railtie # :nodoc:
     config.active_record.raise_on_assign_to_attr_readonly = false
     config.active_record.belongs_to_required_validates_foreign_key = true
     config.active_record.generate_secure_token_on = :create
+    config.active_record.use_legacy_signed_id_verifier = :generate_and_verify
 
     config.active_record.queues = ActiveSupport::InheritableOptions.new
 
@@ -233,6 +234,7 @@ class Railtie < Rails::Railtie # :nodoc:
           :check_schema_cache_dump_version,
           :use_schema_cache_dump,
           :postgresql_adapter_decode_dates,
+          :use_legacy_signed_id_verifier,
         )
 
         configs_used_in_other_initializers.each do |k, v|
@@ -319,9 +321,18 @@ class Railtie < Rails::Railtie # :nodoc:
       end
     end
 
-    initializer "active_record.set_signed_id_verifier_secret" do
-      ActiveSupport.on_load(:active_record) do
-        self.signed_id_verifier_secret ||= -> { Rails.application.key_generator.generate_key("active_record/signed_id") }
+    initializer "active_record.configure_message_verifiers" do |app|
+      ActiveRecord.message_verifiers = app.message_verifiers
+
+      use_legacy_signed_id_verifier = app.config.active_record.use_legacy_signed_id_verifier
+      legacy_options = { digest: "SHA256", serializer: JSON, url_safe: true }
+
+      if use_legacy_signed_id_verifier == :generate_and_verify
+        app.message_verifiers.prepend { |salt| legacy_options if salt == "active_record/signed_id" }
+      elsif use_legacy_signed_id_verifier == :verify
+        app.message_verifiers.rotate { |salt| legacy_options if salt == "active_record/signed_id" }
+      elsif use_legacy_signed_id_verifier
+        raise ArgumentError, "Unrecognized value for config.active_record.use_legacy_signed_id_verifier: #{use_legacy_signed_id_verifier.inspect}"
       end
     end
 
 
@@ -6,11 +6,27 @@ module SignedId
     extend ActiveSupport::Concern
 
     included do
+      class_attribute :_signed_id_verifier, instance_accessor: false, instance_predicate: false
+
       ##
       # :singleton-method:
       # Set the secret used for the signed id verifier instance when using Active Record outside of \Rails.
       # Within \Rails, this is automatically set using the \Rails application key generator.
       class_attribute :signed_id_verifier_secret, instance_writer: false
+      module DeprecateSignedIdVerifierSecret
+        def signed_id_verifier_secret=(secret)
+          ActiveRecord.deprecator.warn(<<~MSG)
+            ActiveRecord::Base.signed_id_verifier_secret is deprecated and will be removed in the future.
+
+            If the secret is model-specific, set Model.signed_id_verifier instead.
+
+            Otherwise, configure Rails.application.message_verifiers (or ActiveRecord.message_verifiers) with the secret.
+          MSG
+
+          super
+        end
+      end
+      singleton_class.prepend DeprecateSignedIdVerifierSecret
     end
 
     module RelationMethods # :nodoc:
@@ -77,28 +93,38 @@ def find_signed!(signed_id, purpose: nil, on_rotation: nil)
         end
       end
 
-      # The verifier instance that all signed ids are generated and verified from. By default, it'll be initialized
-      # with the class-level +signed_id_verifier_secret+, which within Rails comes from
-      # {Rails.application.key_generator}[rdoc-ref:Rails::Application#key_generator].
-      # By default, it's SHA256 for the digest and JSON for the serialization.
       def signed_id_verifier
-        @signed_id_verifier ||= begin
-          secret = signed_id_verifier_secret
-          secret = secret.call if secret.respond_to?(:call)
+        if signed_id_verifier_secret
+          @signed_id_verifier ||= begin
+            secret = signed_id_verifier_secret
+            secret = secret.call if secret.respond_to?(:call)
+
+            if secret.nil?
+              raise ArgumentError, "You must set ActiveRecord::Base.signed_id_verifier_secret to use signed IDs"
+            end
 
-          if secret.nil?
-            raise ArgumentError, "You must set ActiveRecord::Base.signed_id_verifier_secret to use signed ids"
-          else
             ActiveSupport::MessageVerifier.new secret, digest: "SHA256", serializer: JSON, url_safe: true
           end
+        else
+          return _signed_id_verifier if _signed_id_verifier
+
+          if ActiveRecord.message_verifiers.nil?
+            raise "You must set ActiveRecord.message_verifiers to use signed IDs"
+          end
+
+          ActiveRecord.message_verifiers["active_record/signed_id"]
         end
       end
 
       # Allows you to pass in a custom verifier used for the signed ids. This also allows you to use different
       # verifiers for different classes. This is also helpful if you need to rotate keys, as you can prepare
       # your custom verifier for that in advance. See ActiveSupport::MessageVerifier for details.
       def signed_id_verifier=(verifier)
-        @signed_id_verifier = verifier
+        if signed_id_verifier_secret
+          @signed_id_verifier = verifier
+        else
+          self._signed_id_verifier = verifier
+        end
       end
 
       # :nodoc:
Original file line number	Diff line number	Diff line change
`@@ -506,6 +506,13 @@ def self.marshalling_format_version=(value)`
`506`	`506`	`}`
`507`	`507`	`)`
`508`	`508`
	`509`	`+ ##`
	`510`	`+ # :singleton-method: message_verifiers`
	`511`	`+ #`
	`512`	`+ # ActiveSupport::MessageVerifiers instance for Active Record. If you are using`
	`513`	`+ # Rails, this will be set to +Rails.application.message_verifiers+.`
	`514`	`+ singleton_class.attr_accessor :message_verifiers`
	`515`	`+`
`509`	`516`	`def self.eager_load!`
`510`	`517`	`super`
`511`	`518`	`ActiveRecord::Locking.eager_load!`