From 4556eace3b750e13366cf53ab12d8194a0b2ccdc Mon Sep 17 00:00:00 2001
From: Bruce Bolt
Date: Wed, 29 Nov 2023 13:55:17 +0000
Subject: [PATCH] Resolve `Rails.application.secrets` deprecation warning
In Rails 7.2, `Rails.application.secrets` is being deprecated. We can solve this issue by using the `config_for` method, which will rerieve the relevant secret from the `config/secrets.yml` file. This differs from the method used in other applications (example: https://github.com/alphagov/transition/pull/1439/commits/2d769bddc038f426f90694d2182b04c34c2af691) since we require the secret to be set before `config/application.rb` is executed. This occurs before intializers are run, so the alternative method is not suitable here.
---
 app/controllers/media_controller.rb | 2 +-
 config/application.rb | 2 +-
 spec/controllers/media_controller_spec.rb | 6 +++---
 spec/controllers/whitehall_media_controller_spec.rb | 4 ++--
 spec/requests/media_requests_spec.rb | 10 +++++-----
 spec/requests/whitehall_media_requests_spec.rb | 4 ++--
 6 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/app/controllers/media_controller.rb b/app/controllers/media_controller.rb
index 5f3c5590..d8074233 100644
--- a/app/controllers/media_controller.rb
+++ b/app/controllers/media_controller.rb
@@ -173,7 +173,7 @@ def temporary_redirect?
 def set_token_payload
 token = params.fetch(:token, cookies[:auth_bypass_token])
 @token_payload = if token
- secret = Rails.application.secrets.jwt_auth_secret
+ secret = Rails.application.config_for(:secrets).jwt_auth_secret
 JWT.decode(token, secret, true, algorithm: "HS256").first
 end
 rescue JWT::DecodeError
diff --git a/config/application.rb b/config/application.rb
index 4c52db66..4086e195 100644
--- a/config/application.rb
+++ b/config/application.rb
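Review bot: In `set_token_payload` (app/controllers/media_controller.rb) the new `Rails.application.config_for(:secrets)` call sits on the request path. As far as I know `config_for` is not memoised, so `config/secrets.yml` would be read and parsed on every request that carries a token. Resolving the secret once at boot avoids that and keeps the verification key fixed for the life of the process, e.g. `config.jwt_auth_secret = Rails.application.config_for(:secrets).jwt_auth_secret` in `config/application.rb` and `secret = Rails.application.config.jwt_auth_secret` here. The method's `rescue` body continues outside the hunk.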
@@ -44,7 +44,7 @@ class Application < Rails::Application
 config.assets.prefix = "/asset-manager"
- unless Rails.application.secrets.jwt_auth_secret
+ unless Rails.application.config_for(:secrets).jwt_auth_secret
 raise "JWT auth secret is not configured. See config/secrets.yml"
 end
 end
diff --git a/spec/controllers/media_controller_spec.rb b/spec/controllers/media_controller_spec.rb
index 5cc47543..7bcec48b 100644
--- a/spec/controllers/media_controller_spec.rb
+++ b/spec/controllers/media_controller_spec.rb
@@ -417,7 +417,7 @@ def download
 let(:token_with_draft_asset_manager_access) do
 JWT.encode(
 { "draft_asset_manager_access" => true },
- Rails.application.secrets.jwt_auth_secret,
+ Rails.application.config_for(:secrets).jwt_auth_secret,
 "HS256",
 )
 end
@@ -447,14 +447,14 @@ def download
 let(:valid_token) do
 JWT.encode(
 { "sub" => auth_bypass_id },
- Rails.application.secrets.jwt_auth_secret,
+ Rails.application.config_for(:secrets).jwt_auth_secret,
 "HS256",
 )
 end
 let(:token_with_draft_asset_manager_access) do
 JWT.encode(
 { "draft_asset_manager_access" => true },
- Rails.application.secrets.jwt_auth_secret,
+ Rails.application.config_for(:secrets).jwt_auth_secret,
 "HS256",
 )
 end
diff --git a/spec/controllers/whitehall_media_controller_spec.rb b/spec/controllers/whitehall_media_controller_spec.rb
index a5e60307..10802430 100644
--- a/spec/controllers/whitehall_media_controller_spec.rb
+++ b/spec/controllers/whitehall_media_controller_spec.rb
@@ -212,14 +212,14 @@
 let(:valid_token) do
 JWT.encode(
 { "sub" => auth_bypass_id },
- Rails.application.secrets.jwt_auth_secret,
+ Rails.application.config_for(:secrets).jwt_auth_secret,
 "HS256",
 )
 end
 let(:token_with_draft_asset_manager_access) do
 JWT.encode(
 { "draft_asset_manager_access" => true },
- Rails.application.secrets.jwt_auth_secret,
+ Rails.application.config_for(:secrets).jwt_auth_secret,
 "HS256",
 )
 end
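Review bot: The boot-time guard in config/application.rb only rejects a missing value, because `unless Rails.application.config_for(:secrets).jwt_auth_secret` is still satisfied by an empty string, which Ruby treats as truthy. If `config/secrets.yml` (not shown here) can yield `""`, for example from a quoted ERB expression over an unset environment variable, the app would start and verify HS256 tokens against an empty key. I would tighten the condition to `if Rails.application.config_for(:secrets).jwt_auth_secret.blank?`. The enclosing `class Application` body starts outside the hunk.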
diff --git a/spec/requests/media_requests_spec.rb b/spec/requests/media_requests_spec.rb
index 3dc0de35..1bf30747 100644
--- a/spec/requests/media_requests_spec.rb
+++ b/spec/requests/media_requests_spec.rb
@@ -106,7 +106,7 @@
 end
 it "serves the asset with a valid token" do
- secret = Rails.application.secrets.jwt_auth_secret
+ secret = Rails.application.config_for(:secrets).jwt_auth_secret
 valid_token = JWT.encode({ "sub" => auth_bypass_id }, secret, "HS256")
 get download_media_path(id: asset, filename: "asset.png", params: { token: valid_token })
 expect(response).to be_successful
@@ -129,7 +129,7 @@
 end
 it "serves the asset with a valid token" do
- secret = Rails.application.secrets.jwt_auth_secret
+ secret = Rails.application.config_for(:secrets).jwt_auth_secret
 valid_token = JWT.encode({ "sub" => auth_bypass_id }, secret, "HS256")
 get download_media_path(id: asset, filename: "asset.png", params: { token: valid_token })
 expect(response).to be_successful
@@ -153,7 +153,7 @@
 end
 it "serves the asset with a valid token" do
- secret = Rails.application.secrets.jwt_auth_secret
+ secret = Rails.application.config_for(:secrets).jwt_auth_secret
 valid_token = JWT.encode({ "sub" => auth_bypass_id }, secret, "HS256")
 get download_media_path(id: asset, filename: "asset.png", params: { token: valid_token })
 expect(response).to be_successful
@@ -180,7 +180,7 @@
 end
 it "serves the asset with a valid token" do
- secret = Rails.application.secrets.jwt_auth_secret
+ secret = Rails.application.config_for(:secrets).jwt_auth_secret
 valid_token = JWT.encode({ "sub" => auth_bypass_id }, secret, "HS256")
 get download_media_path(id: asset, filename: "asset.png", params: { token: valid_token })
 expect(response).to be_successful
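Review bot: Each `serves the asset with a valid token` example in spec/requests/media_requests_spec.rb repeats `secret = Rails.application.config_for(:secrets).jwt_auth_secret`, five times across this file's hunks (the last one follows below). A shared `let(:jwt_auth_secret) { Rails.application.config_for(:secrets).jwt_auth_secret }`, or a small spec helper that also wraps `JWT.encode`, would leave one place to change the next time the lookup moves. The same applies to the controller and whitehall specs in this patch.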
@@ -203,7 +203,7 @@
 end
 it "serves the asset with a valid token" do
- secret = Rails.application.secrets.jwt_auth_secret
+ secret = Rails.application.config_for(:secrets).jwt_auth_secret
 valid_token = JWT.encode({ "sub" => auth_bypass_id }, secret, "HS256")
 get download_media_path(id: asset, filename: "asset.png", params: { token: valid_token })
 expect(response).to be_successful
diff --git a/spec/requests/whitehall_media_requests_spec.rb b/spec/requests/whitehall_media_requests_spec.rb
index 83b6eb56..624dead8 100644
--- a/spec/requests/whitehall_media_requests_spec.rb
+++ b/spec/requests/whitehall_media_requests_spec.rb
@@ -133,8 +133,8 @@
 let(:path) { "/government/uploads/asset.png" }
 let(:auth_bypass_id) { "bypass-id" }
- let(:valid_token) { JWT.encode({ "sub" => auth_bypass_id }, Rails.application.secrets.jwt_auth_secret, "HS256") }
- let(:token_without_access) { JWT.encode({ "sub" => "not-the-right-bypass-id" }, Rails.application.secrets.jwt_auth_secret, "HS256") }
+ let(:valid_token) { JWT.encode({ "sub" => auth_bypass_id }, Rails.application.config_for(:secrets).jwt_auth_secret, "HS256") }
+ let(:token_without_access) { JWT.encode({ "sub" => "not-the-right-bypass-id" }, Rails.application.config_for(:secrets).jwt_auth_secret, "HS256") }
 context "when the asset is not access limited" do
 let(:asset) do