authorGitLab Bot <gitlab-bot@gitlab.com>2022-08-13 00:11:43 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-08-13 00:11:43 +0300
commit054378fd4a238b3e1f921afda4e9a650854935d9 (patch)
treef207884f3e20c6ca53ab0f83394cb2a22d2389cb /spec/models
parent60eaf3d90650086dedb6fd94d6169dc5ab1f8d1e (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'spec/models')
-rw-r--r--spec/models/oauth_access_token_spec.rb47
1 files changed, 47 insertions, 0 deletions
diff --git a/spec/models/oauth_access_token_spec.rb b/spec/models/oauth_access_token_spec.rb
index 2d617e0c7b3..544f6643712 100644
--- a/spec/models/oauth_access_token_spec.rb
+++ b/spec/models/oauth_access_token_spec.rb
@@ -22,4 +22,51 @@ RSpec.describe OauthAccessToken do
end
end
end
+
+ describe 'Doorkeeper secret storing' do
+ it 'stores the token in hashed format' do
+ expect(token.token).not_to eq(token.plaintext_token)
+ end
+
+ it 'does not allow falling back to plaintext token comparison' do
+ expect(described_class.by_token(token.token)).to be_nil
+ end
+
+ it 'finds a token by plaintext token' do
+ expect(described_class.by_token(token.plaintext_token)).to be_a(OauthAccessToken)
+ end
+
+ context 'when the token is stored in plaintext' do
+ let(:plaintext_token) { Devise.friendly_token(20) }
+
+ before do
+ token.update_column(:token, plaintext_token)
+ end
+
+ it 'falls back to plaintext token comparison' do
+ expect(described_class.by_token(plaintext_token)).to be_a(OauthAccessToken)
+ end
+ end
+
+ context 'when hash_oauth_secrets is disabled' do
+ let(:hashed_token) { create(:oauth_access_token, application_id: app_one.id) }
+
+ before do
+ hashed_token
+ stub_feature_flags(hash_oauth_tokens: false)
+ end
+
+ it 'stores the token in plaintext' do
+ expect(token.token).to eq(token.plaintext_token)
+ end
+
+ it 'finds a token by plaintext token' do
+ expect(described_class.by_token(token.plaintext_token)).to be_a(OauthAccessToken)
+ end
+
+ it 'does not find a token that was previously stored as hashed' do
+ expect(described_class.by_token(hashed_token.plaintext_token)).to be_nil
+ end
+ end
+ end
end
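Review bot: The context title `context 'when hash_oauth_secrets is disabled' do` names a different flag than the one its `before` block actually stubs, `stub_feature_flags(hash_oauth_tokens: false)`, so anyone searching for the flag by name will not find this context; rename it to `context 'when hash_oauth_tokens is disabled' do`. The last example in that context, 'does not find a token that was previously stored as hashed', pins that a token hashed while the flag was on becomes unresolvable once the flag is turned off, i.e. the flag is not a transparent rollback for already-issued tokens; if that is intended, a one-line comment above the example such as `# disabling the flag invalidates tokens that were hashed while it was enabled` would record it, and if it is not, the expectation should assert the opposite. The `token` and `app_one` lets these examples rely on are presumably defined in the part of the `RSpec.describe OauthAccessToken` block that lies outside the hunk.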