From 51eae76dd663d23c1f4bb1e809e9c258e800cb73 Mon Sep 17 00:00:00 2001
From: Matthew Somerville
Date: Wed, 10 Jun 2020 14:29:35 +0100
Subject: Only show access tokens once, and store hashed.
---
t/app/controller/auth_profile.t | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
(limited to 't/app/controller/auth_profile.t')
diff --git a/t/app/controller/auth_profile.t b/t/app/controller/auth_profile.t
index e5dfe2764..230e02d2b 100644
--- a/t/app/controller/auth_profile.t
+++ b/t/app/controller/auth_profile.t
@@ -417,16 +417,16 @@ subtest "Test generate token page" => sub {
 "submit generate token form" );
 $mech->content_contains( 'Your token has been generated', "token generated" );
+ my ($token) = $mech->content =~ /(.*?)<\/span>/;
+ my @parts = split /-/, $token, 2;
+ is $parts[0], $user->id, 'token has user ID at start';
 $user->discard_changes();
- my $token = $user->get_extra_metadata('access_token');
- ok $token, 'access token set';
-
- $mech->content_contains($token, 'access token displayed');
+ $user->password($user->get_extra_metadata('access_token'), 1);
+ ok $user->check_password($parts[1]), 'access token set';
 $mech->get_ok('/auth/generate_token');
- $mech->content_contains('Current token:');
- $mech->content_contains($token, 'access token displayed');
+ $mech->content_lacks($parts[1], 'access token not displayed');
 $mech->content_contains('If you generate a new token');
 $mech->log_out_ok;
--
cgit v1.2.3
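Review bot: Nothing in the new lines asserts that the value kept in `access_token` differs from the secret shown to the user, so the "store hashed" half of the commit is only checked indirectly through `check_password`; adding `isnt $user->get_extra_metadata('access_token'), $parts[1], 'stored token is not the plaintext';` after `discard_changes()` would pin it. The later `content_lacks($parts[1], ...)` is only meaningful when the capture succeeded, so an `ok length $parts[1], 'token secret captured';` right after the `split` would keep it from passing vacuously on an undefined or empty value. The capture pattern as shown here has no opening anchor (it may have lost markup when the page was rendered), so it is worth confirming that it matches only the token element. The subtest starts and ends outside the hunk.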