Watch out for this one deprecation warning when upgrading from Rails 7.1 to 7.2 on Heroku
… and check why 5600+ Rails engineers read also this
Watch out for this one deprecation warning when upgrading from Rails 7.1 to 7.2 on Heroku
We recently upgraded Rails from 7.0 to 7.1 for one of our clients. It went smoothly. When Rails 7.1 went live, we were pleased to see a new set of deprecation warnings. To avoid being overwhelmed by them, we decided to address the issue right away. However, we ran into a nasty issue…
The one with nasty issue
The application didn’t crash.
The server wasn’t throwing 500s like a crazy Viking throwing axes.
Either of those would have been better. The worst that can happen is silence.
The deprecation warning was:
[DEPRECATION] DEPRECATION WARNING: `Rails.application.secrets` is deprecated
in favor of `Rails.application.credentials` and will be removed in Rails 7.2.
We moved all the secrets and encrypted secrets to the credentials file.
We also moved the secret_key_base to credentials because it’s the default place for this secret since introduction of the credentials feature in Rails 5.2.
We removed values from ENV["SECRET_KEY_BASE"] to credentials and checked that the value was correct by calling
Rails.application.credentials.secret_key_base.
It turned out that you can also get the secret_key_base by calling Rails.application.secret_key_base.
Let’s take a look at this code:
def secret_key_base
if Rails.env.development? || Rails.env.test?
secrets.secret_key_base ||= generate_development_secret
else
validate_secret_key_base(
ENV["SECRET_KEY_BASE"] || credentials.secret_key_base || secrets.secret_key_base
)
end
end
Ok so to sum it up, until now:
- We removed ENV
- So it should take the value from credentials
Right? But instead…
Instead it failed silently. All the cookies become invalid. So where’s the poop?
The poop is in Heroku trying to be smarter than developers. Unfortunately. It turned out that removing SECRET_KEY_BASE env leads to… regenerating it with new random value.
So our external devices depending on it couldn’t work because of new, randomly generated key.
Summary
To sum it up:
- If you’re getting rid of the
Rails.application.secretsis deprecated in favor ofRails.application.credentialsand will be removed in Rails 7.2 - And you’re on Heroku
- And you’re using Heroku Buildpacks
- Make sure you keep
SECRET_KEY_BASEin both credentials and in Heroku config variable. Or at least in the latter. - Either way… you may end up in nasty silent error. Which is not good.