Commit 12d33b88 authored by Grzegorz Bizon's avatar Grzegorz Bizon 🔴

Merge branch '40754-fix-flash-usage-with-personal-access-token' into 'master'

Fix new personal access token showing up in a flash message

Closes #40754

See merge request gitlab-org/gitlab-ce!15707
parents eea671a2 116d8cfc
......@@ -8,7 +8,7 @@ class Profiles::PersonalAccessTokensController < Profiles::ApplicationController
@personal_access_token = finder.build(personal_access_token_params)
if @personal_access_token.save
flash[:personal_access_token] = @personal_access_token.token
PersonalAccessToken.redis_store!(current_user.id, @personal_access_token.token)
redirect_to profile_personal_access_tokens_path, notice: "Your new personal access token has been created."
else
set_index_vars
......@@ -43,5 +43,7 @@ class Profiles::PersonalAccessTokensController < Profiles::ApplicationController
@inactive_personal_access_tokens = finder(state: 'inactive').execute
@active_personal_access_tokens = finder(state: 'active').execute.order(:expires_at)
@new_personal_access_token = PersonalAccessToken.redis_getdel(current_user.id)
end
end
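Review bot: The `redis_getdel` call added in `set_index_vars` is a destructive read, and `set_index_vars` is also reached on the failed-create path in the first hunk (the `else` branch of `create`), so a pending plaintext token is consumed by whichever request gets there first — a validation-error re-render included — rather than only by the index page after the redirect. If that is acceptable, a comment should make the one-shot semantics explicit, e.g. `# Consumes the plaintext token stored by #create; it is removed from Redis on this read.` If it is not, the read should move to the index action only, leaving the error re-render without it. The `set_index_vars` definition starts outside the hunk.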
......@@ -3,6 +3,8 @@ class PersonalAccessToken < ActiveRecord::Base
include TokenAuthenticatable
add_authentication_token_field :token
REDIS_EXPIRY_TIME = 3.minutes
serialize :scopes, Array # rubocop:disable Cop/ActiveRecordSerialize
belongs_to :user
......@@ -27,6 +29,21 @@ class PersonalAccessToken < ActiveRecord::Base
!revoked? && !expired?
end
def self.redis_getdel(user_id)
Gitlab::Redis::SharedState.with do |redis|
token = redis.get(redis_shared_state_key(user_id))
redis.del(redis_shared_state_key(user_id))
token
end
end
def self.redis_store!(user_id, token)
Gitlab::Redis::SharedState.with do |redis|
redis.set(redis_shared_state_key(user_id), token, ex: REDIS_EXPIRY_TIME)
token
end
end
protected
def validate_scopes
......@@ -38,4 +55,8 @@ class PersonalAccessToken < ActiveRecord::Base
def set_default_scopes
self.scopes = Gitlab::Auth::DEFAULT_SCOPES if self.scopes.empty?
end
def self.redis_shared_state_key(user_id)
"gitlab:personal_access_token:#{user_id}"
end
end
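Review bot: `redis_getdel` issues GET and DEL as two separate round trips, so two concurrent requests for the same user can both read the plaintext token before either deletes it, and a failure between the two calls leaves the token readable until `REDIS_EXPIRY_TIME` elapses. Wrapping both commands in a transaction preserves the one-shot guarantee: `key = redis_shared_state_key(user_id)` followed by `redis.multi { |m| m.get(key); m.del(key) }.first` (assuming the redis-rb version in use returns the reply array from `multi`). Separately, `def self.redis_shared_state_key` in the last hunk is placed below `protected`, but that keyword does not affect singleton methods, so the key builder is effectively public; `private_class_method :redis_shared_state_key` is the way to hide it if that was the intent. A short comment on the new constant, such as `# Bounds how long the plaintext token is retrievable for the post-redirect page; it is deleted on first read.`, would record why the TTL is deliberately short.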
......@@ -15,14 +15,13 @@
They are the only accepted password when you have Two-Factor Authentication (2FA) enabled.
.col-lg-8
- if flash[:personal_access_token]
- if @new_personal_access_token
.created-personal-access-token-container
%h5.prepend-top-0
Your New Personal Access Token
.form-group
= text_field_tag 'created-personal-access-token', flash[:personal_access_token], readonly: true, class: "form-control js-select-on-focus", 'aria-describedby' => "created-personal-access-token-help-block"
= clipboard_button(text: flash[:personal_access_token], title: "Copy personal access token to clipboard", placement: "left")
= text_field_tag 'created-personal-access-token', @new_personal_access_token, readonly: true, class: "form-control js-select-on-focus", 'aria-describedby' => "created-personal-access-token-help-block"
= clipboard_button(text: @new_personal_access_token, title: "Copy personal access token to clipboard", placement: "left")
%span#created-personal-access-token-help-block.help-block.text-danger Make sure you save it - you won't be able to access it again.
%hr
......
require 'spec_helper'
describe PersonalAccessToken do
subject { described_class }
describe '.build' do
let(:personal_access_token) { build(:personal_access_token) }
let(:invalid_personal_access_token) { build(:personal_access_token, :invalid) }
......@@ -45,6 +47,29 @@ describe PersonalAccessToken do
end
end
describe 'Redis storage' do
let(:user_id) { 123 }
let(:token) { 'abc000foo' }
before do
subject.redis_store!(user_id, token)
end
it 'returns stored data' do
expect(subject.redis_getdel(user_id)).to eq(token)
end
context 'after deletion' do
before do
expect(subject.redis_getdel(user_id)).to eq(token)
end
it 'token is removed' do
expect(subject.redis_getdel(user_id)).to be_nil
end
end
end
context "validations" do
let(:personal_access_token) { build(:personal_access_token) }
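Review bot: The `before` hook in the 'after deletion' context performs an `expect(...).to eq(token)` during setup; a mismatch there is reported as a hook error rather than a failure of the example being described, so the first read belongs in the example or should be a bare `subject.redis_getdel(user_id)` in `before`. The new 'Redis storage' group also has no example for the expiry set by `redis_store!`, which is the property that bounds how long the plaintext token lives in shared state; asserting that the key's TTL is positive and no greater than `REDIS_EXPIRY_TIME`, read via `Gitlab::Redis::SharedState.with { |redis| redis.ttl(key) }` with `key` built by `redis_shared_state_key`, would cover it.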
......