From 03d49c798761e003dd85abb3e6afe2a83b97920b Mon Sep 17 00:00:00 2001
From: Matt-Yorkley <9029026+Matt-Yorkley@users.noreply.github.com>
Date: Tue, 10 Nov 2020 20:46:15 +0000
Subject: [PATCH 1/2] Update secret key base

`secret_token` is no longer used in Rails 4+
---
 config/initializers/secret_token.rb | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/config/initializers/secret_token.rb b/config/initializers/secret_token.rb
index b203cf8485..a4ddd79a5e 100644
--- a/config/initializers/secret_token.rb
+++ b/config/initializers/secret_token.rb
@@ -3,11 +3,5 @@
 # Your secret key for verifying the integrity of signed cookies.
 # If you change this key, all old signed cookies will become invalid!
 # Make sure the secret is at least 30 characters and all random,
-# no regular words or you'll be exposed to dictionary attacks.
-Openfoodnetwork::Application.config.secret_token = if Rails.env.development? or Rails.env.test?
- ('x' * 30) # Meets basic minimum of 30 chars.
-else
- ENV["SECRET_TOKEN"]
-end
-
-Openfoodnetwork::Application.config.secret_key_base = 'ceb1eb86c50285e696f899b2e7ea306d1ec1e81fe5c7af0e5cbc238bebe3fd60f19df7b9076fab836182821ebe14e41b64bdcdb4370520dc5bb711c1bc0ae616'
+# no regular words or you'll be exposed to dictionary attacks.
+Openfoodnetwork::Application.config.secret_key_base = ENV["SECRET_TOKEN"]

From 1cad631bdb802e6c5110c04c520dcb3c0a357e72 Mon Sep 17 00:00:00 2001
From: Matt-Yorkley <9029026+Matt-Yorkley@users.noreply.github.com>
Date: Tue, 10 Nov 2020 23:36:54 +0000
Subject: [PATCH 2/2] Replace secret_token and update comments

`secret_token` is apparently still called directly in other places...
---
 config/initializers/secret_token.rb | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/config/initializers/secret_token.rb b/config/initializers/secret_token.rb
index a4ddd79a5e..565c65de2f 100644
--- a/config/initializers/secret_token.rb
+++ b/config/initializers/secret_token.rb
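Review bot: The new `Openfoodnetwork::Application.config.secret_key_base = ENV["SECRET_TOKEN"]` line evaluates to nil whenever the variable is absent from the environment, so a production deploy that forgot to set it boots with no key instead of failing at once; whether Rails itself rejects a nil secret_key_base at startup is not visible from this hunk. `Openfoodnetwork::Application.config.secret_key_base = ENV.fetch("SECRET_TOKEN")` turns the missing secret into a KeyError at boot, which is the behaviour you want for a signing key. The second patch's hunk reintroduces the same `ENV["SECRET_TOKEN"]` read inside its `else` branch, where the same `fetch` applies. Since the literal this hunk removes lived in version control, moving off it is the right call; per the file's own comment, cookies signed under the old value will stop verifying after this change, which is worth stating in the commit message.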
@@ -4,4 +4,15 @@
 # If you change this key, all old signed cookies will become invalid!
 # Make sure the secret is at least 30 characters and all random,
 # no regular words or you'll be exposed to dictionary attacks.
-Openfoodnetwork::Application.config.secret_key_base = ENV["SECRET_TOKEN"]
+
+secret_key = if Rails.env.development? or Rails.env.test?
+ ('x' * 30) # Meets basic minimum of 30 chars.
+else
+ ENV["SECRET_TOKEN"]
+end
+
+# Rails 4+ key for signing and encrypting cookies.
+Openfoodnetwork::Application.config.secret_key_base = secret_key
+
+# Legacy secret_token variable. This is still used directly for encryption.
+Openfoodnetwork::Application.config.secret_token = secret_key
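Review bot: The added `secret_key = if Rails.env.development? or Rails.env.test?` uses `or` for boolean logic, which Ruby style avoids because of its low precedence; `secret_key = if Rails.env.development? || Rails.env.test?` is the conventional form (inside this `if` condition the two parse identically, so this is style only). The closing comment `# Legacy secret_token variable. This is still used directly for encryption.` would serve the next maintainer better if it named which code still reads `config.secret_token`, since the commit message only says "other places"; without that, nobody can tell when the legacy assignment may be dropped. Assigning the one raw value to both `secret_token` and `secret_key_base` means a single secret now backs the legacy path and the current one; whether the two can safely be given distinct values is not visible from this file, so this is an observation rather than a request.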