Do not overwrite secret token value when already present. #18918
Conversation
```ruby
user = User.create(token: "custom-secure-token")
user.token # => "custom-secure-token"
```
@@ -22,4 +22,11 @@ def test_regenerating_the_secure_token | |||
assert_not_equal @user.token, old_token | |||
assert_not_equal @user.auth_token, old_auth_token | |||
end | |||
|
|||
def test_token_value_not_overwritten_when_present |
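Review bot: the body of `test_token_value_not_overwritten_when_present` is cut off in this hunk, so the assertion itself cannot be checked here; since token generation runs in a before_create callback, the test needs to build a fresh (unsaved) record with an explicit token and assert that the value survives `save`, rather than assigning to an already persisted record, where the callback would never fire.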
The callback used to generate a token is triggered before creating a record. Your test uses an existing record and the callback won't be triggered.
nope - `@user` is a new instance of model User, as you can see in setup: https://github.com/morgoth/rails/blob/do-not-overwrite-value-of-secret-token-when-present/activerecord/test/cases/secure_token_test.rb#L6
Sorry, the diff hid that :)
@morgoth this looks reasonable. Thank you for your contribution 💛
…et-token-when-present Do not overwrite secret token value when already present.
@senny I just realized that `has_secure_token` hasn't been released yet. No need to track every change in the CHANGELOG.
Can you explain the specific use case you have for this?
@dhh For example: a discount coupons table with the token as part of the URL. An admin can set a fixed token for some specific users.
I see. I think that design muddies the waters of what "has_secure_token" means. These manually set values do not fulfill that description. It won't be what it says on the tin. I would recommend that you have a separate method, like maybe slug, that will look for

Happy to consider other examples until we find one that can't be restated better without changing has_secure_token.
I don't have a specific use-case either that would require this behavior. One thing to think about is what happens when assigning the attributes of one record to a new one. For example in the case of serialization or cloning.

```ruby
existing_coupon = Coupon.last
Coupon.new(existing_coupon.attributes)
```

With this PR the token is preserved. If we revert, a new token is generated. Thinking about it, generating a new token might even be what you would expect. Just some thoughts. I'm fine with a revert here.
I'm aware that `has_secure_token` is a simple method that shouldn't fit in all possible use cases, but this change is very small and adds some flexibility. Previously it was a little unexpected to get

```ruby
User.create(token: "custom").token #=> "some-random-string"
```
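As an added illustration (not code from this PR or from Rails), a constructed stand-in for `has_secure_token` that shows both the behaviour this PR introduces and the cloning case raised above; the `Model` base class, the `keep_present:` switch and the `clone_keeps_token?` helper are assumptions made for the example, and stdlib `SecureRandom.urlsafe_base64` stands in for Rails' base58 token.

```ruby
require "securerandom"
# Constructed stand-in for a tiny ActiveRecord-like model (not Rails' own code):
# has_secure_token registers a before_create hook; keep_present: true models
# this PR's behaviour, false models the behaviour before it.
class Model
  class << self; attr_reader :token_attr, :keep_present; end
  def self.has_secure_token(attr = :token, keep_present: true)
    attr_accessor attr
    @token_attr, @keep_present = attr, keep_present
  end

  # Assumption: Rails uses SecureRandom.base58(24); stdlib urlsafe_base64 stands in.
  def self.generate_unique_secure_token
    SecureRandom.urlsafe_base64(18)
  end

  def initialize(attrs = {})
    @persisted = false
    attrs.each { |name, value| public_send("#{name}=", value) }
  end

  def attributes
    { self.class.token_attr => public_send(self.class.token_attr) }
  end

  def save
    before_create unless @persisted # the hook fires only on the first insert
    @persisted = true
    self
  end

  private
  def before_create
    attr = self.class.token_attr
    return if self.class.keep_present && !public_send(attr).nil?
    public_send("#{attr}=", self.class.generate_unique_secure_token)
  end
end

class Coupon < Model       # with this PR: a supplied token survives create
  has_secure_token
end

class LegacyCoupon < Model # before this PR: the token is always regenerated
  has_secure_token keep_present: false
end

# The cloning case raised in review: copy an existing record's attributes into
# a new record and report whether the token was carried over.
def clone_keeps_token?(klass)
  existing = klass.new.save
  klass.new(existing.attributes).save.token == existing.token
end
```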