Fix new personal access token showing up in a flash message

116d8cfc · Eric Eastwood · e0f84130 · 116d8cfc · 116d8cfc · 116d8cfc
Commit 116d8cfc authored Dec 03, 2017 by Eric Eastwood
4 changed files
--- a/app/controllers/profiles/personal_access_tokens_controller.rb
+++ b/app/controllers/profiles/personal_access_tokens_controller.rb
@@ -8,7 +8,7 @@ class Profiles::PersonalAccessTokensController < Profiles::ApplicationController
    @personal_access_token = finder.build(personal_access_token_params)

    if @personal_access_token.save
-      flash[:personal_access_token] = @personal_access_token.token
+      PersonalAccessToken.redis_store!(current_user.id, @personal_access_token.token)
      redirect_to profile_personal_access_tokens_path, notice: "Your new personal access token has been created."
    else
      set_index_vars
@@ -43,5 +43,7 @@ class Profiles::PersonalAccessTokensController < Profiles::ApplicationController

    @inactive_personal_access_tokens = finder(state: 'inactive').execute
    @active_personal_access_tokens = finder(state: 'active').execute.order(:expires_at)
+
+    @new_personal_access_token = PersonalAccessToken.redis_getdel(current_user.id)
  end
 end
--- a/app/models/personal_access_token.rb
+++ b/app/models/personal_access_token.rb
@@ -3,6 +3,8 @@ class PersonalAccessToken < ActiveRecord::Base
  include TokenAuthenticatable
  add_authentication_token_field :token

+  REDIS_EXPIRY_TIME = 3.minutes
+
  serialize :scopes, Array # rubocop:disable Cop/ActiveRecordSerialize

  belongs_to :user
@@ -27,6 +29,21 @@ class PersonalAccessToken < ActiveRecord::Base
    !revoked? && !expired?
  end

+  def self.redis_getdel(user_id)
+    Gitlab::Redis::SharedState.with do |redis|
+      token = redis.get(redis_shared_state_key(user_id))
+      redis.del(redis_shared_state_key(user_id))
+      token
+    end
+  end
+
+  def self.redis_store!(user_id, token)
+    Gitlab::Redis::SharedState.with do |redis|
+      redis.set(redis_shared_state_key(user_id), token, ex: REDIS_EXPIRY_TIME)
+      token
+    end
+  end
+
  protected

  def validate_scopes
@@ -38,4 +55,8 @@ class PersonalAccessToken < ActiveRecord::Base
  def set_default_scopes
    self.scopes = Gitlab::Auth::DEFAULT_SCOPES if self.scopes.empty?
  end
+
+  def self.redis_shared_state_key(user_id)
+    "gitlab:personal_access_token:#{user_id}"
+  end
 end
--- a/app/views/profiles/personal_access_tokens/index.html.haml
+++ b/app/views/profiles/personal_access_tokens/index.html.haml
@@ -15,14 +15,13 @@
      They are the only accepted password when you have Two-Factor Authentication (2FA) enabled.

  .col-lg-8
-
-    - if flash[:personal_access_token]
+    - if @new_personal_access_token
      .created-personal-access-token-container
        %h5.prepend-top-0
          Your New Personal Access Token
        .form-group
-          = text_field_tag 'created-personal-access-token', flash[:personal_access_token], readonly: true, class: "form-control js-select-on-focus", 'aria-describedby' => "created-personal-access-token-help-block"
-          = clipboard_button(text: flash[:personal_access_token], title: "Copy personal access token to clipboard", placement: "left")
+          = text_field_tag 'created-personal-access-token', @new_personal_access_token, readonly: true, class: "form-control js-select-on-focus", 'aria-describedby' => "created-personal-access-token-help-block"
+          = clipboard_button(text: @new_personal_access_token, title: "Copy personal access token to clipboard", placement: "left")
          %span#created-personal-access-token-help-block.help-block.text-danger Make sure you save it - you won't be able to access it again.

      %hr

--- a/spec/models/personal_access_token_spec.rb
+++ b/spec/models/personal_access_token_spec.rb
 require 'spec_helper'

 describe PersonalAccessToken do
+  subject { described_class }
+
  describe '.build' do
    let(:personal_access_token) { build(:personal_access_token) }
    let(:invalid_personal_access_token) { build(:personal_access_token, :invalid) }
@@ -45,6 +47,29 @@ describe PersonalAccessToken do
    end
  end

+  describe 'Redis storage' do
+    let(:user_id) { 123 }
+    let(:token) { 'abc000foo' }
+
+    before do
+      subject.redis_store!(user_id, token)
+    end
+
+    it 'returns stored data' do
+      expect(subject.redis_getdel(user_id)).to eq(token)
+    end
+
+    context 'after deletion' do
+      before do
+        expect(subject.redis_getdel(user_id)).to eq(token)
+      end
+
+      it 'token is removed' do
+        expect(subject.redis_getdel(user_id)).to be_nil
+      end
+    end
+  end
+
  context "validations" do
    let(:personal_access_token) { build(:personal_access_token) }