From b7e967817b95cb8e055f82f200a1e974926b8ed7 Mon Sep 17 00:00:00 2001
From: Claire <claire.github-309c@sitedethib.com>
Date: Mon, 26 May 2025 13:59:54 +0200
Subject: [PATCH] Fix unnecessary requirement for deprecated OTP_SECRET
 environment variable (#34810)

---
 config/environments/production.rb                    |  7 -------
 config/environments/test.rb                          |  3 ---
 ...240307180905_migrate_devise_two_factor_secrets.rb | 12 +++++++++++-
 3 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/config/environments/production.rb b/config/environments/production.rb
index 08923ca108..14f0e6d085 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -150,13 +150,6 @@ Rails.application.configure do
     'Referrer-Policy' => 'same-origin',
   }
 
-  # TODO: Remove once devise-two-factor data migration complete
-  config.x.otp_secret = if ENV['SECRET_KEY_BASE_DUMMY']
-                          SecureRandom.hex(64)
-                        else
-                          ENV.fetch('OTP_SECRET')
-                        end
-
   # Enable DNS rebinding protection and other `Host` header attacks.
   # config.hosts = [
   #   "example.com",     # Allow requests from example.com
diff --git a/config/environments/test.rb b/config/environments/test.rb
index 5406eac9ec..ccd4bf7dcf 100644
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -48,9 +48,6 @@ Rails.application.configure do
   # Print deprecation notices to the stderr.
   config.active_support.deprecation = :stderr
 
-  # TODO: Remove once devise-two-factor data migration complete
-  config.x.otp_secret = '100c7faeef00caa29242f6b04156742bf76065771fd4117990c4282b8748ff3d99f8fdae97c982ab5bd2e6756a159121377cce4421f4a8ecd2d67bd7749a3fb4'
-
   # Generate random VAPID keys
   vapid_key = Webpush.generate_key
   config.x.vapid_private_key = vapid_key.private_key
diff --git a/db/post_migrate/20240307180905_migrate_devise_two_factor_secrets.rb b/db/post_migrate/20240307180905_migrate_devise_two_factor_secrets.rb
index d34128796c..aec84e178c 100644
--- a/db/post_migrate/20240307180905_migrate_devise_two_factor_secrets.rb
+++ b/db/post_migrate/20240307180905_migrate_devise_two_factor_secrets.rb
@@ -79,8 +79,18 @@ class MigrateDeviseTwoFactorSecrets < ActiveRecord::Migration[7.1]
   class MigrationUser < ApplicationRecord
     self.table_name = :users
 
+    LEGACY_OTP_SECRET = begin
+      if Rails.env.test?
+        '100c7faeef00caa29242f6b04156742bf76065771fd4117990c4282b8748ff3d99f8fdae97c982ab5bd2e6756a159121377cce4421f4a8ecd2d67bd7749a3fb4'
+      elsif ENV['SECRET_KEY_BASE_DUMMY']
+        SecureRandom.hex(64)
+      else
+        ENV.fetch('OTP_SECRET')
+      end
+    end
+
     devise :two_factor_authenticatable,
-           otp_secret_encryption_key: Rails.configuration.x.otp_secret
+           otp_secret_encryption_key: LEGACY_OTP_SECRET
 
     include LegacyOtpSecret
   end