From 51eae76dd663d23c1f4bb1e809e9c258e800cb73 Mon Sep 17 00:00:00 2001
From: Matthew Somerville
Date: Wed, 10 Jun 2020 14:29:35 +0100
Subject: Only show access tokens once, and store hashed.
---
 perllib/FixMyStreet/App/Controller/Auth/Profile.pm | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
(limited to 'perllib/FixMyStreet/App/Controller/Auth/Profile.pm')
diff --git a/perllib/FixMyStreet/App/Controller/Auth/Profile.pm b/perllib/FixMyStreet/App/Controller/Auth/Profile.pm
index a89c6f539..a5dc5d3e7 100644
--- a/perllib/FixMyStreet/App/Controller/Auth/Profile.pm
+++ b/perllib/FixMyStreet/App/Controller/Auth/Profile.pm
@@ -188,9 +188,10 @@ sub generate_token : Path('/auth/generate_token') {
 if ($c->get_param('generate_token')) {
 my $token = mySociety::AuthToken::random_token();
- $c->user->set_extra_metadata('access_token', $token);
+ my $u = FixMyStreet::DB->resultset("User")->new({ password => $token });
+ $c->user->set_extra_metadata('access_token', $u->password);
 $c->user->update;
- $c->stash->{token_generated} = 1;
+ $c->stash->{token_generated} = $c->user->id . '-' . $token;
 }
 my $action = $c->get_param('2fa_action') || '';
@@ -224,7 +225,7 @@ sub generate_token : Path('/auth/generate_token') {
 }
 $c->stash->{has_2fa} = $has_2fa ? 1 : 0;
- $c->stash->{existing_token} = $c->user->get_extra_metadata('access_token');
+ $c->stash->{existing_token} = $c->user->get_extra_metadata('access_token') ? 1 : 0;
 }
 __PACKAGE__->meta->make_immutable;
-- cgit v1.2.3
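Review bot: The throwaway `FixMyStreet::DB->resultset("User")->new({ password => $token })` row in the first hunk is used purely as a hashing helper, and nothing in these lines says so. That `$u->password` is a hash rather than the raw token depends on the User result class encoding the `password` column on assignment, which is not visible in this file. A comment above the `my $u` line would pin the intent, for example `# Hash the token via the User password column; only the hash is stored, the raw value is shown once as "<user id>-<token>"`. The user id prefix in `token_generated` presumably exists because a salted hash cannot be looked up by value, so the verifying code (outside this hunk) has to find the user by id and use the password check rather than string equality. Because `token_generated` now carries the live credential instead of `1`, the page that renders it should be sent with `Cache-Control: no-store` and the value kept out of request logging; the hunk sets neither, and the start of `generate_token` is outside it.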
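Review bot: In the second hunk, `existing_token` becomes true for any stored `access_token` value, including tokens written in plain text before this change. If verification now compares against a hash, those legacy values would still be reported to the user as an existing token while no longer authenticating (or, worse, would be accepted as if they were hashes, depending on how the check is written). This file-limited view does not show a migration, so it is worth confirming that old values are re-hashed or cleared on deploy. A short comment on the line, such as `# boolean only: the stored value is a hash and must never reach the template`, would also explain why the stash no longer carries the value itself.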