diff --git a/app/controllers/my/access_tokens_controller.rb b/app/controllers/my/access_tokens_controller.rb index 1f6c9806c..c39a6c973 100644 --- a/app/controllers/my/access_tokens_controller.rb +++ b/app/controllers/my/access_tokens_controller.rb @@ -3,13 +3,22 @@ class My::AccessTokensController < ApplicationController @access_tokens = Current.identity.access_tokens.order(created_at: :desc) end + def show + access_token_id = verifier.verify(params[:id]) + @access_token = Current.identity.access_tokens.find(access_token_id) + rescue ActiveSupport::MessageVerifier::InvalidSignature + redirect_to my_access_tokens_path, alert: "Token is no longer visible" + end + def new @access_token = Current.identity.access_tokens.new end def create - @access_token = Current.identity.access_tokens.create!(access_token_params) - redirect_to my_access_tokens_path + access_token = Current.identity.access_tokens.create!(access_token_params) + expiring_id = verifier.generate access_token.id, expires_in: 10.seconds + + redirect_to my_access_token_path(expiring_id) end def destroy @@ -21,4 +30,8 @@ class My::AccessTokensController < ApplicationController def access_token_params params.expect(access_token: [ :description, :permission ]) end + + def verifier + Rails.application.message_verifier(:access_tokens) + end end diff --git a/app/views/my/access_tokens/show.html.erb b/app/views/my/access_tokens/show.html.erb new file mode 100644 index 000000000..f0551ffad --- /dev/null +++ b/app/views/my/access_tokens/show.html.erb @@ -0,0 +1 @@ +<%= @access_token.token %> diff --git a/test/controllers/my/access_tokens_controller_test.rb b/test/controllers/my/access_tokens_controller_test.rb new file mode 100644 index 000000000..43a90fac5 --- /dev/null +++ b/test/controllers/my/access_tokens_controller_test.rb @@ -0,0 +1,30 @@ +require "test_helper" + +class My::AccessTokensControllerTest < ActionDispatch::IntegrationTest + setup do + sign_in_as :kevin + end + + test "create new token" do + get my_access_tokens_path + assert_response :success + + get new_my_access_token_path + assert_response :success + + assert_changes -> { identities(:kevin).access_tokens.count }, +1 do + post my_access_tokens_path, params: { access_token: { description: "GitHub", permission: "read" } } + follow_redirect! + assert_in_body identities(:kevin).access_tokens.last.token + end + end + + test "accessing new token after reveal window redirects to index" do + assert_changes -> { identities(:kevin).access_tokens.count }, +1 do + post my_access_tokens_path, params: { access_token: { description: "GitHub", permission: "read" } } + travel_to 15.seconds.from_now + follow_redirect! + assert_equal "Token is no longer visible", flash[:alert] + end + end +end