1 files changed, 17 insertions, 3 deletions

diff --git a/spec/lib/gitlab/auth/auth_finders_spec.rb b/spec/lib/gitlab/auth/auth_finders_spec.rb
index 3d61339ba4e..1a1e165c50a 100644
--- a/spec/lib/gitlab/auth/auth_finders_spec.rb
+++ b/spec/lib/gitlab/auth/auth_finders_spec.rb
@@ -507,9 +507,9 @@ RSpec.describe Gitlab::Auth::AuthFinders, feature_category: :system_access do
     end
 
     context 'automatic reuse detection' do
-      let_it_be(:token_3) { create(:personal_access_token, :revoked) }
-      let_it_be(:token_2) { create(:personal_access_token, :revoked, previous_personal_access_token_id: token_3.id) }
-      let_it_be(:token_1) { create(:personal_access_token, previous_personal_access_token_id: token_2.id) }
+      let(:token_3) { create(:personal_access_token, :revoked) }
+      let(:token_2) { create(:personal_access_token, :revoked, previous_personal_access_token_id: token_3.id) }
+      let(:token_1) { create(:personal_access_token, previous_personal_access_token_id: token_2.id) }
 
       context 'when a revoked token is used' do
         before do
@@ -523,6 +523,20 @@ RSpec.describe Gitlab::Auth::AuthFinders, feature_category: :system_access do
 
           expect(token_1.reload).to be_revoked
         end
+
+        context 'when the feature flag is disabled' do
+          before do
+            stub_feature_flags(pat_reuse_detection: false)
+          end
+
+          it 'does not revoke the latest rotated token' do
+            expect(token_1).not_to be_revoked
+
+            expect { find_user_from_access_token }.to raise_error(Gitlab::Auth::RevokedError)
+
+            expect(token_1.reload).not_to be_revoked
+          end
+        end
       end
     end
   end