Diffstat (limited to 'perllib')
-rw-r--r--perllib/Catalyst/Authentication/Credential/AccessToken.pm34
-rw-r--r--perllib/FixMyStreet/App.pm3
-rw-r--r--perllib/FixMyStreet/App/Controller/Auth/Profile.pm7
-rw-r--r--perllib/FixMyStreet/DB/Result/User.pm5
4 files changed, 24 insertions, 25 deletions
diff --git a/perllib/Catalyst/Authentication/Credential/AccessToken.pm b/perllib/Catalyst/Authentication/Credential/AccessToken.pm
index 7827c936d..24398823d 100644
--- a/perllib/Catalyst/Authentication/Credential/AccessToken.pm
+++ b/perllib/Catalyst/Authentication/Credential/AccessToken.pm
@@ -4,7 +4,7 @@ use strict;
use warnings;
use base 'Class::Accessor::Fast';
-__PACKAGE__->mk_accessors(qw(token_field token_lookup));
+__PACKAGE__->mk_accessors(qw(token_field));
our $VERSION = "0.01";
@@ -23,21 +23,23 @@ sub authenticate {
$token ||= $c->get_param('access_token');
return unless $token;
- my $field = $self->token_field || 'access_token';
+ my $id;
+ ($id, $token) = split /-/, $token, 2;
+ return unless $id =~ /^[1-9]\d*$/;
- my $value = $token;
- if (my $lookup = $self->token_lookup) {
- $value = {};
- foreach (keys %$lookup) {
- my $v = $lookup->{$_};
- $v =~ s/TOKEN/$token/;
- $value->{$_} = $v;
- }
- }
- my $user_obj = $realm->find_user({ $field => $value }, $c);
- if (ref $user_obj) {
+ my $user_obj = $realm->find_user({ id => $id }, $c);
+ if (ref($user_obj) && $self->check_token($user_obj, $token)) {
return $user_obj;
}
+ return;
+}
+
+sub check_token {
+ my ($self, $user, $token) = @_;
+
+ my $field = $self->token_field || 'access_token';
+ my $value = $user->$field;
+ return $user->_column_encoders->{password}->($token, $value) eq $value;
}
__PACKAGE__;
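Review bot: A presented token with no `-` in it leaves `$token` undefined after the two-field split on the new line 28, and because the `$id` pattern still matches an all-digit string, `check_token` is then called with undef and hands it to the password encoder, whose behaviour on undef is not visible here; likewise a user whose `access_token` metadata is unset makes `$value` undef and the result of `encoder(undef-or-token, undef) eq undef` is at best a warning rather than a clear reject. Guard both sides explicitly: after the id check add `return unless defined $token && length $token;`, and at the top of `check_token` add `return unless defined $value && length $value;`. The id pattern `/^[1-9]\d*$/` also accepts a trailing newline and non-ASCII digits; `/\A[1-9][0-9]*\z/` is the tighter form. The final `eq` is not a constant-time comparison; since the stored value appears to be a salted hash this is a minor point, but a one-line comment saying so would save the next reader from wondering.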
@@ -102,12 +104,6 @@ depending on the storage class used, but is most likely something like
'access_token'. In fact, this is so common that if this is left out of the
config, it defaults to 'access_token'.
-=item token_lookup
-
-If the token isn't a field on its own, but contained within another field, you
-can provide a custom lookup here, where the string TOKEN in a value will be
-replaced by the access token.
-
=back
=head1 USAGE
diff --git a/perllib/FixMyStreet/App.pm b/perllib/FixMyStreet/App.pm
index 4ca6f23cb..638fcc4e4 100644
--- a/perllib/FixMyStreet/App.pm
+++ b/perllib/FixMyStreet/App.pm
@@ -101,9 +101,6 @@ __PACKAGE__->config(
use_session => 0,
credential => {
class => 'AccessToken',
- token_field => 'extra',
- # This means the token has to be 18 characters long (as generated by AuthToken)
- token_lookup => { like => "%access_token,T18:TOKEN,%" },
},
store => $store,
},
diff --git a/perllib/FixMyStreet/App/Controller/Auth/Profile.pm b/perllib/FixMyStreet/App/Controller/Auth/Profile.pm
index a89c6f539..a5dc5d3e7 100644
--- a/perllib/FixMyStreet/App/Controller/Auth/Profile.pm
+++ b/perllib/FixMyStreet/App/Controller/Auth/Profile.pm
@@ -188,9 +188,10 @@ sub generate_token : Path('/auth/generate_token') {
if ($c->get_param('generate_token')) {
my $token = mySociety::AuthToken::random_token();
- $c->user->set_extra_metadata('access_token', $token);
+ my $u = FixMyStreet::DB->resultset("User")->new({ password => $token });
+ $c->user->set_extra_metadata('access_token', $u->password);
$c->user->update;
- $c->stash->{token_generated} = 1;
+ $c->stash->{token_generated} = $c->user->id . '-' . $token;
}
my $action = $c->get_param('2fa_action') || '';
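Review bot: The detour through `FixMyStreet::DB->resultset("User")->new({ password => $token })` is doing something security-relevant without saying so: it relies on the `around password` hook in User.pm encoding the value so that `$u->password` yields the hashed form, and the plaintext is then exposed exactly once via `token_generated`. Add a comment above line 89 such as `# Reuse the password column encoder so only a salted hash of the token is stored in extra; the plaintext is shown once via token_generated and cannot be recovered afterwards.` If the hook does not encode until insert/update (not visible from this diff), `$u->password` would return the plaintext and it would be written to extra verbatim, so it is worth confirming and stating that expectation in the comment. generate_token's body continues outside this hunk.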
@@ -224,7 +225,7 @@ sub generate_token : Path('/auth/generate_token') {
}
$c->stash->{has_2fa} = $has_2fa ? 1 : 0;
- $c->stash->{existing_token} = $c->user->get_extra_metadata('access_token');
+ $c->stash->{existing_token} = $c->user->get_extra_metadata('access_token') ? 1 : 0;
}
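Review bot: `existing_token` now reports 1 for any stored `access_token` value, including tokens issued before this change, which the removed App.pm config shows were stored as plaintext `T18:`-style values without a user-id prefix; those no longer authenticate under the new `id-token` parsing and hash comparison, so the profile page will tell such users they have a working token when it is dead. Unless a migration elsewhere clears or regenerates legacy values, either treat them as absent here or add a comment on this line noting that pre-existing plaintext tokens are invalidated and must be regenerated, e.g. `# NOTE: tokens stored before hashing was introduced no longer authenticate; users must regenerate.`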
__PACKAGE__->meta->make_immutable;
diff --git a/perllib/FixMyStreet/DB/Result/User.pm b/perllib/FixMyStreet/DB/Result/User.pm
index 49338f245..e5be14abf 100644
--- a/perllib/FixMyStreet/DB/Result/User.pm
+++ b/perllib/FixMyStreet/DB/Result/User.pm
@@ -179,6 +179,11 @@ sub check_password {
}
}
+sub access_token {
+ my $self = shift;
+ return $self->get_extra_metadata('access_token');
+}
+
around password => sub {
my ($orig, $self) = (shift, shift);
if (@_) {