Existing cookies not decrypting after updating Rails 7.1.5.1 to 7.2.2.1

Anybody encountered this?

I made a step-up update from Rails 7.1.5.1 to 7.2.2.1 (on my way to Rails 8). Didn’t touch any Message Encryptor/Verifier related settings, not that I’d set any in the first place. Didn’t change any creds, nothing. Now my encrypted cookie (still sitting in the browser from the previous version of Rails) can no longer be read, shows up as nil.

As soon as I stash the update in git stash, Rails starts understanding the cookie again.

Why can’t the new Rails version read this cookie? I don’t see any mention of this in the upgrade guide. Can’t just sign out everybody.

Just discovered that Rails.application.secret_key_base is not the same before and after upgrade. In 7.1 in reads it from credentials. In 7.2 I have no idea what it’s doing. Just deleted tmp/local_secret.txt but it keeps creating a new one there every time I check Rails.application.secret_key_base. It won’t look in credentials anymore.

Yeah, basically this code seems incorrect. It always generates a new secret, and never honors the secret stored in credentials when in a local environment. Am I missing something?

If I set it manually like this in my development.rb, then it works:

config.secret_key_base = credentials[:secret_key_base]

but this should be the default behavior, no?

Ended up making an issue. I think I see now what the intention was, but at the very least this should be documented in the Rails upgrade guide. Rails no longer looks for `secret_key_base` in credentials (in development) · Issue #54277 · rails/rails · GitHub

Yep, the issue was confirmed to be a bug in Rails. Will be fixed soon.