Only allow new token to be viewed within 10 seconds
This commit is contained in:
committed by
Stanko K.R.
parent
d2bdd13909
commit
96b62d6ec4
@@ -3,13 +3,22 @@ class My::AccessTokensController < ApplicationController
|
||||
@access_tokens = Current.identity.access_tokens.order(created_at: :desc)
|
||||
end
|
||||
|
||||
def show
|
||||
access_token_id = verifier.verify(params[:id])
|
||||
@access_token = Current.identity.access_tokens.find(access_token_id)
|
||||
rescue ActiveSupport::MessageVerifier::InvalidSignature
|
||||
redirect_to my_access_tokens_path, alert: "Token is no longer visible"
|
||||
end
|
||||
|
||||
def new
|
||||
@access_token = Current.identity.access_tokens.new
|
||||
end
|
||||
|
||||
def create
|
||||
@access_token = Current.identity.access_tokens.create!(access_token_params)
|
||||
redirect_to my_access_tokens_path
|
||||
access_token = Current.identity.access_tokens.create!(access_token_params)
|
||||
expiring_id = verifier.generate access_token.id, expires_in: 10.seconds
|
||||
|
||||
redirect_to my_access_token_path(expiring_id)
|
||||
end
|
||||
|
||||
def destroy
|
||||
@@ -21,4 +30,8 @@ class My::AccessTokensController < ApplicationController
|
||||
def access_token_params
|
||||
params.expect(access_token: [ :description, :permission ])
|
||||
end
|
||||
|
||||
def verifier
|
||||
Rails.application.message_verifier(:access_tokens)
|
||||
end
|
||||
end
|
||||
|
||||
@@ -0,0 +1 @@
|
||||
<%= @access_token.token %>
|
||||
@@ -0,0 +1,30 @@
|
||||
require "test_helper"
|
||||
|
||||
class My::AccessTokensControllerTest < ActionDispatch::IntegrationTest
|
||||
setup do
|
||||
sign_in_as :kevin
|
||||
end
|
||||
|
||||
test "create new token" do
|
||||
get my_access_tokens_path
|
||||
assert_response :success
|
||||
|
||||
get new_my_access_token_path
|
||||
assert_response :success
|
||||
|
||||
assert_changes -> { identities(:kevin).access_tokens.count }, +1 do
|
||||
post my_access_tokens_path, params: { access_token: { description: "GitHub", permission: "read" } }
|
||||
follow_redirect!
|
||||
assert_in_body identities(:kevin).access_tokens.last.token
|
||||
end
|
||||
end
|
||||
|
||||
test "accessing new token after reveal window redirects to index" do
|
||||
assert_changes -> { identities(:kevin).access_tokens.count }, +1 do
|
||||
post my_access_tokens_path, params: { access_token: { description: "GitHub", permission: "read" } }
|
||||
travel_to 15.seconds.from_now
|
||||
follow_redirect!
|
||||
assert_equal "Token is no longer visible", flash[:alert]
|
||||
end
|
||||
end
|
||||
end
|
||||
Reference in New Issue
Block a user