Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not overwrite secret token value when already present. #18918

Merged
merged 1 commit into from
Feb 13, 2015
Merged

Do not overwrite secret token value when already present. #18918

merged 1 commit into from
Feb 13, 2015

Conversation

morgoth
Copy link
Member

@morgoth morgoth commented Feb 12, 2015 

user = User.create(token: "custom-secure-token")
user.token # => "custom-secure-token"

I'm aware that has_secure_token is a simple method that shouldn't fit in all possible use cases, but this change is very small and adds some flexibility.
Previously it was little unexpected to get User.create(token: "custom").token #=> "some-random-string"

@morgoth
Do not overwrite secret token value when already present.
0817bb0 
```
user = User.create(token: "custom-secure-token")
user.token # => "custom-secure-token"
```
kaspth
kaspth reviewed Feb 12, 2015
View reviewed changes
activerecord/test/cases/secure_token_test.rb
@@ -22,4 +22,11 @@ def test_regenerating_the_secure_token
assert_not_equal @user.token, old_token
assert_not_equal @user.auth_token, old_auth_token
end

def test_token_value_not_overwritten_when_present
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The callback used to generate a token is triggered before creating a record. Your test uses an existing record and the callback won't be triggered.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nope - @user is a new instance of model User as you can see in setup: https://github.com/morgoth/rails/blob/do-not-overwrite-value-of-secret-token-when-present/activerecord/test/cases/secure_token_test.rb#L6

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, the diff hid that :)

@senny
Copy link
Member

senny commented Feb 13, 2015

@morgoth this looks reasonable. Thank you for your contribution 💛

senny added a commit that referenced this pull request Feb 13, 2015
@senny
Merge pull request #18918 from morgoth/do-not-overwrite-value-of-secr…
d0326bb 
…et-token-when-present

Do not overwrite secret token value when already present.
@senny senny merged commit d0326bb into rails:master Feb 13, 2015
@morgoth
Copy link
Member Author

morgoth commented Feb 13, 2015

@senny I just realized that has_secure_token was added in Rails 5.0 so maybe there is no need for my changelog as this feature is not available yet in stable release

@senny
Copy link
Member

senny commented Feb 13, 2015

@morgoth you're right. I removed the entry 57a1d2b

senny added a commit that referenced this pull request Feb 13, 2015
@senny
remove CHANGELOG entry for Rails 5.0 only feature. #18918
57a1d2b 
`has_secure_token` hasen't been released yet. No need to track
every change in the CHANGELOG.
@morgoth morgoth deleted the do-not-overwrite-value-of-secret-token-when-present branch March 31, 2015 19:26
@kmarekspartz kmarekspartz mentioned this pull request Aug 21, 2015
Closed
@dhh
Copy link
Member

dhh commented Aug 21, 2015

Can you explain the specific use case you have for this?

@morgoth
Copy link
Member Author

morgoth commented Aug 22, 2015

@dhh In example: discount coupons table with token as part of url. Admin can set fixed token for some specific users.
But, also previously it was little surprising writing: User.create(token: "custom").token #=> "some-random-string"

@dhh
Copy link
Member

dhh commented Aug 23, 2015

I see. I think that design muddies the waters of what "has_secure_token" means. These manually set values do not fulfill that description. It won't be what it says on the tin.

I would recommend that you have a separate method, like maybe slug, that will look for manual_slug || generated_slug where the latter is the secure token. Then it's clear what's happening.

Happy to consider other examples until we find one that can't be restated better without changing has_secure_token.

On Aug 22, 2015, at 01:39, Wojciech Wnętrzak notifications@github.com wrote:

@dhh In example: discount coupons table with token as part of url. Admin can set fixed token for some specific users.
But, also previously it was little surprising writing: User.create(token: "custom").token #=> "some-random-string"


Reply to this email directly or view it on GitHub.

@senny
Copy link
Member

senny commented Aug 24, 2015

I don't have a specific use-case either that would require this behavior. One thing to think about is what happens when assigning the attributes of one-record to a new one. For example in the case of serialization or cloning.

existing_coupon = Coupon.last
Coupon.new(existing_coupon.attributes)

With this PR the token is preserved. If we revert, a new token is generated. Thinking about it, generating a new token might even be what you would expect.

Just some thoughts. I'm fine with a revert here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@morgoth @senny @dhh @kaspth