5.x devise-two-factor upgrade phase 1 #2501
Merged
+147
−49
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rgarner
force-pushed
the
3099-upgrade-devise-two-factor-to-5x
branch
4 times, most recently
from
cc3d575 to
5ad9dce
Compare
rgarner
changed the title
benshimmin
reviewed
Jan 22, 2025
rgarner
force-pushed
the
3099-upgrade-devise-two-factor-to-5x
branch
2 times, most recently
from
1c31b24 to
c2d6f80
Compare
benshimmin
approved these changes
Jan 24, 2025
rgarner
changed the title
All non-Rails 7 steps already completed from https://github.com/devise-two-factor/devise-two-factor/blob/main/UPGRADING.md#phase-1-upgrading-devise-two-factor-as-part-of-rails-7-upgrade Prior to release of this, we need to generate `ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY`, `ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY`, and `ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT` for each environment, and make sure they are preloaded in AWS. These are required by Rails 7 for https://guides.rubyonrails.org/active_record_encryption.html which `devise_two_factor` 5.x uses to encrypt `otp_secret`s (4.x used the `attr_encrypted` gem). `bin/rails db:encryption:init` will generate all three; they are assigned on startup in `application.rb`. Run: `rails runner db/data/20250117151047_regenerate_otp_secrets.rb` on each environment in turn. `legacy_otp_secret` will cover the period that "new" otp_secrets are NULL. We can remove the old DB columns and `legacy_otp_secret` in a separate release: https://github.com/devise-two-factor/devise-two-factor/blob/main/UPGRADING.md#phase-2-clean-up In our case we won't need to copy otp_secret; because we're SMS-only we're able to do that in the Phase 1 release data migration. NOTES: - given that this is the first commit to `schema.rb` since the upgrade, some bits like `precision` go away with the Rails 7.0 upgrade
rgarner
force-pushed
the
3099-upgrade-devise-two-factor-to-5x
branch
from
c2d6f80 to
c35a150
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Post-release
Run:
rails runner db/data/20250117151047_regenerate_otp_secrets.rbon each environment in turn.User#legacy_otp_secretwill cover the period that "new" otp_secrets are NULL.Phase 2 Cleanup release
We can remove the old DB columns and
legacy_otp_secretin a separate release:https://github.com/devise-two-factor/devise-two-factor/blob/main/UPGRADING.md#phase-2-clean-up
In our case we won't need to copy otp_secret; because we're SMS-only we're able to do that in the Phase 1 release data
migration.
NOTES:
schema.rbsince the upgrade, some bits likeprecisiongo away with theRails 7.0 upgrade
Changes in this PR
Screenshots of UI changes
Before
After
Next steps
See the Plan checklist on https://trello.com/c/sXsThu5A/3099-upgrade-devise-two-factor-gem-from-4x-to-5x
CHANGELOG.md, unless this PR is a small tweak which has no impact outside the development team.