From 51eae76dd663d23c1f4bb1e809e9c258e800cb73 Mon Sep 17 00:00:00 2001
From: Matthew Somerville <matthew@mysociety.org>
Date: Wed, 10 Jun 2020 14:29:35 +0100
Subject: Only show access tokens once, and store hashed.

---
 t/app/controller/auth.t | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

(limited to 't/app/controller/auth.t')

diff --git a/t/app/controller/auth.t b/t/app/controller/auth.t
index 24deb8cab..8b4b772fc 100644
--- a/t/app/controller/auth.t
+++ b/t/app/controller/auth.t
@@ -245,19 +245,20 @@ subtest "check logging in with token" => sub {
 
     my $user =  FixMyStreet::DB->resultset('User')->find( { email => $test_email } );
     # token needs to be 18 characters
-    $user->set_extra_metadata('access_token', '1234567890abcdefgh');
+    my $u = FixMyStreet::DB->resultset("User")->new({ password => '1234567890abcdefgh' });
+    $user->set_extra_metadata('access_token', $u->password);
     $user->update();
 
-    $mech->add_header('Authorization', 'Bearer 1234567890abcdefgh');
+    $mech->add_header('Authorization', 'Bearer ' . $user->id . '-1234567890abcdefgh');
     $mech->logged_in_ok;
 
     $mech->delete_header('Authorization');
     $mech->not_logged_in_ok;
 
-    $mech->get_ok('/auth/check_auth?access_token=1234567890abcdefgh');
+    $mech->get_ok('/auth/check_auth?access_token=' . $user->id . '-1234567890abcdefgh');
 
-    $mech->add_header('Authorization', 'Bearer 1234567890abcdefgh');
-    $user->set_extra_metadata('access_token', 'XXXXXXXXXXXXXXXXXX');
+    $mech->add_header('Authorization', 'Bearer ' . $user->id . '-1234567890abcdefgh');
+    $user->set_extra_metadata('access_token', '$2a$08$HNslSx7Uic7q6Ti5WYT5JOT6npYPwrwLnDMJMJoD22LIqG5TfDIKf');
     $user->update();
     $mech->not_logged_in_ok;
 
-- 
cgit v1.2.3