Only allow new token to be viewed within 10 seconds

This commit is contained in:
David Heinemeier Hansson
2025-12-02 15:03:17 +01:00
committed by Stanko K.R.
parent d2bdd13909
commit 96b62d6ec4
3 changed files with 46 additions and 2 deletions
+15 -2
View File
@@ -3,13 +3,22 @@ class My::AccessTokensController < ApplicationController
@access_tokens = Current.identity.access_tokens.order(created_at: :desc)
end
def show
access_token_id = verifier.verify(params[:id])
@access_token = Current.identity.access_tokens.find(access_token_id)
rescue ActiveSupport::MessageVerifier::InvalidSignature
redirect_to my_access_tokens_path, alert: "Token is no longer visible"
end
def new
@access_token = Current.identity.access_tokens.new
end
def create
@access_token = Current.identity.access_tokens.create!(access_token_params)
redirect_to my_access_tokens_path
access_token = Current.identity.access_tokens.create!(access_token_params)
expiring_id = verifier.generate access_token.id, expires_in: 10.seconds
redirect_to my_access_token_path(expiring_id)
end
def destroy
@@ -21,4 +30,8 @@ class My::AccessTokensController < ApplicationController
def access_token_params
params.expect(access_token: [ :description, :permission ])
end
def verifier
Rails.application.message_verifier(:access_tokens)
end
end
+1
View File
@@ -0,0 +1 @@
<%= @access_token.token %>
@@ -0,0 +1,30 @@
require "test_helper"
class My::AccessTokensControllerTest < ActionDispatch::IntegrationTest
setup do
sign_in_as :kevin
end
test "create new token" do
get my_access_tokens_path
assert_response :success
get new_my_access_token_path
assert_response :success
assert_changes -> { identities(:kevin).access_tokens.count }, +1 do
post my_access_tokens_path, params: { access_token: { description: "GitHub", permission: "read" } }
follow_redirect!
assert_in_body identities(:kevin).access_tokens.last.token
end
end
test "accessing new token after reveal window redirects to index" do
assert_changes -> { identities(:kevin).access_tokens.count }, +1 do
post my_access_tokens_path, params: { access_token: { description: "GitHub", permission: "read" } }
travel_to 15.seconds.from_now
follow_redirect!
assert_equal "Token is no longer visible", flash[:alert]
end
end
end