only store hashed tokens

- use PasswordType - store first 4 bytes for filtering by prefix since we can't filter by equality on the hashed value. - user.new_foo_token() returns token string, not ORM object
2025-10-10 03:23:04 +00:00 · 2014-10-27 12:15:40 -07:00
parent 73706632d5
commit bce2be7401
6 changed files with 57 additions and 43 deletions
--- a/jupyterhub/tests/test_api.py
+++ b/jupyterhub/tests/test_api.py
@@ -20,13 +20,8 @@ def auth_header(db, name):
    user = find_user(db, name)
    if user is None:
        user = add_user(db, name=name)
-    if not user.api_tokens:
-        token = user.new_api_token()
-        db.add(token)
-        db.commit()
-    else:
-        token = user.api_tokens[0]
-    return {'Authorization': 'token %s' % token.token}
+    token = user.new_api_token()
+    return {'Authorization': 'token %s' % token}

 def api_request(app, *api_path, **kwargs):
    """Make an API request"""
@@ -49,25 +44,22 @@ def test_auth_api(app):
    # make a new cookie token
    user = db.query(orm.User).first()
    api_token = user.new_api_token()
-    db.add(api_token)
    cookie_token = user.new_cookie_token()
-    db.add(cookie_token)
-    db.commit()
    
    # check success:
-    r = api_request(app, 'authorizations/token', api_token.token)
+    r = api_request(app, 'authorizations/token', api_token)
    assert r.status_code == 200
    reply = r.json()
    assert reply['user'] == user.name
    
    # check fail
-    r = api_request(app, 'authorizations/token', api_token.token,
+    r = api_request(app, 'authorizations/token', api_token,
        headers={'Authorization': 'no sir'},
    )
    assert r.status_code == 403

-    r = api_request(app, 'authorizations/token', api_token.token,
-        headers={'Authorization': 'token: %s' % cookie_token.token},
+    r = api_request(app, 'authorizations/token', api_token,
+        headers={'Authorization': 'token: %s' % cookie_token},
    )
    assert r.status_code == 403