♻️ Replace deprecated controller-level force_ssl

Replace deprecated controller-level `force_ssl` with equivalent configuration settings in preparation for the Rails 6.1 upgrade.
department-of-veterans-affairs · Aug 27, 2024 · 42e016d · 42e016d
1 parent 4e93c0d
commit 42e016d
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 12 deletions.
diff --git a/app/controllers/api/application_controller.rb b/app/controllers/api/application_controller.rb
@@ -5,7 +5,6 @@ class Api::ApplicationController < ActionController::Base
 
   include TrackRequestId
 
-  force_ssl if: :ssl_enabled?
   before_action :strict_transport_security
 
   before_action :setup_fakes,
@@ -51,10 +50,6 @@ def unauthorized
     render json: { status: "unauthorized" }, status: :unauthorized
   end
 
-  def ssl_enabled?
-    Rails.env.production?
-  end
-
   def strict_transport_security
     response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains" if request.ssl?
   end

diff --git a/app/controllers/application_base_controller.rb b/app/controllers/application_base_controller.rb
@@ -8,7 +8,6 @@ class ApplicationBaseController < ActionController::Base
 
   include TrackRequestId
 
-  force_ssl if: :ssl_enabled?
   before_action :check_out_of_service
   before_action :strict_transport_security
 
@@ -35,10 +34,6 @@ def check_out_of_service
     render "out_of_service", layout: "application" if Rails.cache.read("out_of_service")
   end
 
-  def ssl_enabled?
-    Rails.env.production?
-  end
-
   def strict_transport_security
     response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains" if request.ssl?
   end

diff --git a/app/services/deprecation_warnings/disallowed_deprecations.rb b/app/services/deprecation_warnings/disallowed_deprecations.rb
@@ -24,7 +24,8 @@ class ::DisallowedDeprecationError < StandardError; end
     /ActionView::Base instances must implement `compiled_method_container`/,
     /render file: should be given the absolute path to a file/,
     /`ActiveRecord::Result#to_hash` has been renamed to `to_a`/,
-    /Class level methods will no longer inherit scoping/
+    /Class level methods will no longer inherit scoping/,
+    /Controller-level `force_ssl` is deprecated and will be removed from Rails 6\.1/
   ].freeze
 
   # Regular expressions for deprecation warnings that should raise an exception on detection

diff --git a/config/environments/production.rb b/config/environments/production.rb
@@ -44,7 +44,10 @@
   # config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ]
 
   # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
-  # config.force_ssl = true
+  config.force_ssl = true
+
+  require_relative "../../app/policies/ssl_redirect_exclusion_policy"
+  config.ssl_options = { redirect: { exclude: SslRedirectExclusionPolicy } }
 
   # Use the lowest log level to ensure availability of diagnostic information
   # when problems arise.