From 0925035a3e85da99ea65f892f208851eb123385d Mon Sep 17 00:00:00 2001
From: Andy Allan
Date: Wed, 28 Dec 2022 15:14:31 +0000
Subject: [PATCH 1/1] Add tests to ensure tokens are revoked

This ensures that tokens are revoked or invalidated when a user is soft destroyed.
---
 test/models/user_test.rb | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/test/models/user_test.rb b/test/models/user_test.rb
index 72e1ca5d9..50615233f 100644
--- a/test/models/user_test.rb
+++ b/test/models/user_test.rb
@@ -258,4 +258,28 @@ class UserTest < ActiveSupport::TestCase
 assert_not user.visible?
 assert_not user.active?
 end
+
+ def test_soft_destroy_revokes_access_tokens
+ user = create(:user)
+ access_token = create(:access_token, :user => user)
+ assert_equal 1, user.oauth_tokens.authorized.count
+
+ user.soft_destroy
+
+ assert_equal 0, user.oauth_tokens.authorized.count
+ access_token.reload
+ assert_predicate access_token, :invalidated?
+ end
+
+ def test_soft_destroy_revokes_oauth_access_tokens
+ user = create(:user)
+ oauth_access_token = create(:oauth_access_token, :resource_owner_id => user.id)
+ assert_equal 1, user.access_tokens.not_expired.count
+
+ user.soft_destroy
+
+ assert_equal 0, user.access_tokens.not_expired.count
+ oauth_access_token.reload
+ assert_predicate oauth_access_token, :revoked?
+ end
 end
-- 
2.39.5
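Review bot: Both new tests create a token only for the user being soft-destroyed, so neither would catch revocation that is scoped too broadly and also hits other users' tokens. A control token owned by a second user would pin that, e.g. `other_token = create(:access_token, :user => create(:user))` before `user.soft_destroy` and `assert_not_predicate other_token.reload, :invalidated?` after it, with the `:oauth_access_token` / `:revoked?` equivalent in the second test. The `authorized` and `not_expired` scopes are defined outside this hunk, so the count assertions only show what those scopes return; the `reload` followed by `invalidated?` / `revoked?` is what actually establishes the stored token state. A one-line comment on each test naming the token type it covers would also help, because the `:access_token` factory is checked through `user.oauth_tokens` while `:oauth_access_token` is checked through `user.access_tokens`, which reads as if the names were swapped.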