From e09853af0ced0eafb0182b1bbd60f07046c73524 Mon Sep 17 00:00:00 2001
From: Maikel Linke
Date: Fri, 14 Nov 2025 09:05:23 +1100
Subject: [PATCH 1/2] Replace deprecated Rails secrets

Use new credentials interface.
---
 app/controllers/admin/stripe_accounts_controller.rb | 2 +-
 config/environments/test.rb | 3 ---
 config/initializers/secret_token.rb | 4 ++--
 lib/stripe/account_connector.rb | 2 +-
 spec/lib/stripe/account_connector_spec.rb | 2 +-
 5 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/app/controllers/admin/stripe_accounts_controller.rb b/app/controllers/admin/stripe_accounts_controller.rb
index 3b094adc5e..371d1cdd2f 100644
--- a/app/controllers/admin/stripe_accounts_controller.rb
+++ b/app/controllers/admin/stripe_accounts_controller.rb
@@ -6,7 +6,7 @@ module Admin
 class StripeAccountsController < Spree::Admin::BaseController
 def connect
 payload = params.permit(:enterprise_id).to_h
- key = Openfoodnetwork::Application.config.secret_token
+ key = Openfoodnetwork::Application.credentials.secret_token
 url_params = { state: JWT.encode(payload, key, 'HS256'), scope: "read_write" }
 redirect_to Stripe::OAuth.authorize_url(url_params)
 end
diff --git a/config/environments/test.rb b/config/environments/test.rb
index 9fd47d1c3e..2dc933a434 100644
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -74,9 +74,6 @@ Rails.application.configure do allowed_warnings = [ # List strings here to allow matching deprecations. # - # `Rails.application.secrets` is deprecated in favor of `Rails.application.credentials` and will be removed in Rails 7.2 - "Rails.application.secrets", - "Passing the class as positional argument", # Spree::CreditCard model aliases `cc_type` and has a method called `cc_type=` defined. Starting in Rails 7.2 `brand=` will not be calling `cc_type=` anymore. You may want to additionally define `brand=` to preserve the current behavior. 
diff --git a/config/initializers/secret_token.rb b/config/initializers/secret_token.rb
index e66b94f4b8..edfdd45ded 100644
--- a/config/initializers/secret_token.rb
+++ b/config/initializers/secret_token.rb
@@ -6,7 +6,7 @@
 # no regular words or you'll be exposed to dictionary attacks.
 # Rails 4+ key for signing and encrypting cookies.
-Openfoodnetwork::Application.config.secret_key_base = ENV["SECRET_TOKEN"]
+Openfoodnetwork::Application.credentials.secret_key_base = ENV["SECRET_TOKEN"]
 # Legacy secret_token variable. This is still used directly for encryption.
-Openfoodnetwork::Application.config.secret_token = ENV["SECRET_TOKEN"]
+Openfoodnetwork::Application.credentials.secret_token = ENV["SECRET_TOKEN"]
diff --git a/lib/stripe/account_connector.rb b/lib/stripe/account_connector.rb
index 7eb0fab237..dfb77e7c93 100644
--- a/lib/stripe/account_connector.rb
+++ b/lib/stripe/account_connector.rb
@@ -41,7 +41,7 @@ module Stripe
 def state
 # Returns the original payload
- key = Openfoodnetwork::Application.config.secret_token
+ key = Openfoodnetwork::Application.credentials.secret_token
 JWT.decode(params["state"], key, true, algorithm: 'HS256')[0]
 end
diff --git a/spec/lib/stripe/account_connector_spec.rb b/spec/lib/stripe/account_connector_spec.rb
index c399a620fe..58d28360e7 100644
--- a/spec/lib/stripe/account_connector_spec.rb
+++ b/spec/lib/stripe/account_connector_spec.rb
@@ -10,7 +10,7 @@ module Stripe
 let(:user) { create(:user) }
 let(:enterprise) { create(:enterprise) }
 let(:payload) { { "junk" => "Ssfs" } }
- let(:state) { JWT.encode(payload, Openfoodnetwork::Application.config.secret_token) }
+ let(:state) { JWT.encode(payload, Openfoodnetwork::Application.credentials.secret_token) }
 let(:params) { { "state" => state } }
 let(:connector) { AccountConnector.new(user, params) }
From e91fab57021164a5c4405f7ff094f647e99ae03f Mon Sep 17 00:00:00 2001 
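Review bot: Both added assignments in config/initializers/secret_token.rb read `ENV["SECRET_TOKEN"]` with `[]`, so an unset variable stores nil as the signing secret instead of stopping the boot; where the variable is mandatory, `ENV.fetch("SECRET_TOKEN")` would fail at startup rather than at the first signature. Writing into `Openfoodnetwork::Application.credentials` appears to change only the in-memory options and not the encrypted credentials file, and whether `Rails.application.secret_key_base` later returns this value depends on the Rails version and environment (as far as I know `ENV["SECRET_KEY_BASE"]` takes precedence when set, and local environments can fall back to a generated secret). A short comment above the assignment stating which source is expected to supply the production secret would make that explicit. The file's header comment starts outside the hunk.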
From: Maikel Linke
Date: Fri, 19 Dec 2025 14:22:25 +1100
Subject: [PATCH 2/2] Remove legacy config for secret key
---
 app/controllers/admin/stripe_accounts_controller.rb | 2 +-
 config/initializers/secret_token.rb | 3 ---
 lib/stripe/account_connector.rb | 2 +-
 spec/lib/stripe/account_connector_spec.rb | 2 +-
 4 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/app/controllers/admin/stripe_accounts_controller.rb b/app/controllers/admin/stripe_accounts_controller.rb
index 371d1cdd2f..9ff245bf18 100644
--- a/app/controllers/admin/stripe_accounts_controller.rb
+++ b/app/controllers/admin/stripe_accounts_controller.rb
@@ -6,7 +6,7 @@ module Admin
 class StripeAccountsController < Spree::Admin::BaseController
 def connect
 payload = params.permit(:enterprise_id).to_h
- key = Openfoodnetwork::Application.credentials.secret_token
+ key = Rails.application.secret_key_base
 url_params = { state: JWT.encode(payload, key, 'HS256'), scope: "read_write" }
 redirect_to Stripe::OAuth.authorize_url(url_params)
 end
diff --git a/config/initializers/secret_token.rb b/config/initializers/secret_token.rb
index edfdd45ded..0f11ab5e6e 100644
--- a/config/initializers/secret_token.rb
+++ b/config/initializers/secret_token.rb
@@ -7,6 +7,3 @@
 # Rails 4+ key for signing and encrypting cookies.
 Openfoodnetwork::Application.credentials.secret_key_base = ENV["SECRET_TOKEN"]
-
-# Legacy secret_token variable. This is still used directly for encryption.
-Openfoodnetwork::Application.credentials.secret_token = ENV["SECRET_TOKEN"]
diff --git a/lib/stripe/account_connector.rb b/lib/stripe/account_connector.rb
index dfb77e7c93..ae14e06ebc 100644
--- a/lib/stripe/account_connector.rb
+++ b/lib/stripe/account_connector.rb
@@ -41,7 +41,7 @@ module Stripe
 def state
 # Returns the original payload
- key = Openfoodnetwork::Application.credentials.secret_token
+ key = Rails.application.secret_key_base
 JWT.decode(params["state"], key, true, algorithm: 'HS256')[0]
 end 
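Review bot: `key = Rails.application.secret_key_base` in `connect` uses the application's master secret directly as the HS256 key for the Stripe OAuth `state`, the same secret Rails derives its cookie and message-verifier keys from. A purpose-specific key keeps the uses separated, e.g. `key = Rails.application.key_generator.generate_key("stripe connect state")`, applied identically in the `state` method of lib/stripe/account_connector.rb and in the spec's `let(:state)`. If the resolved value differs from the previous `SECRET_TOKEN`, `state` values issued before the deploy will no longer verify, which is probably acceptable for a short redirect flow but worth a line in the commit message. The payload visible here carries only `enterprise_id` and no `exp` claim, so a signed state stays valid for as long as the key does.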
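Review bot: The comment `# Returns the original payload` in `state` undersells the method, since `JWT.decode(params["state"], key, true, algorithm: 'HS256')` verifies the signature with a pinned algorithm and raises on a missing or tampered `state`. I would document that, e.g. `# Verifies the HS256 signature and returns the decoded payload; raises JWT::DecodeError otherwise`. Whether callers rescue that error is not visible in this hunk, and the enclosing class begins and ends outside it.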
diff --git a/spec/lib/stripe/account_connector_spec.rb b/spec/lib/stripe/account_connector_spec.rb
index 58d28360e7..0108fbaa72 100644
--- a/spec/lib/stripe/account_connector_spec.rb
+++ b/spec/lib/stripe/account_connector_spec.rb
@@ -10,7 +10,7 @@ module Stripe
 let(:user) { create(:user) }
 let(:enterprise) { create(:enterprise) }
 let(:payload) { { "junk" => "Ssfs" } }
- let(:state) { JWT.encode(payload, Openfoodnetwork::Application.credentials.secret_token) }
+ let(:state) { JWT.encode(payload, Rails.application.secret_key_base) }
 let(:params) { { "state" => state } }
 let(:connector) { AccountConnector.new(user, params) }
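Review bot: `JWT.encode(payload, Rails.application.secret_key_base)` in `let(:state)` relies on the jwt gem's default algorithm while the controller and the connector pass `'HS256'` explicitly; spelling it out keeps the spec aligned with production, `let(:state) { JWT.encode(payload, Rails.application.secret_key_base, 'HS256') }`. The visible lines only build a correctly signed state, so if the rest of the spec has no example for a state signed with a different key, one that expects rejection would pin the verification behaviour. The describe block continues outside the hunk.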