From 3a06cb461ececab5e2054e7cc76bf782ffd8cd6e Mon Sep 17 00:00:00 2001
From: Sam
Date: Fri, 4 May 2018 10:11:58 +1000
Subject: [PATCH] FEATURE: remove support for legacy auth tokens

---
 app/models/user_auth_token.rb | 9 +++++----
 db/fixtures/009_users.rb | 11 ++++++++++
 ...20180504000531_remove_legacy_auth_token.rb | 5 +++++
 .../default_current_user_provider_spec.rb | 20 -------------------
 spec/models/user_auth_token_spec.rb | 8 +-------
 5 files changed, 22 insertions(+), 31 deletions(-)
 create mode 100644 db/migrate/20180504000531_remove_legacy_auth_token.rb

diff --git a/app/models/user_auth_token.rb b/app/models/user_auth_token.rb
index 045fc2f9d43..57eeaca8882 100644
--- a/app/models/user_auth_token.rb
+++ b/app/models/user_auth_token.rb
@@ -4,6 +4,9 @@ require 'digest/sha1'
 class UserAuthToken < ActiveRecord::Base
   belongs_to :user
 
+  # TODO 2019: remove this line
+  self.ignored_columns = ["legacy"]
+
   ROTATE_TIME = 10.minutes
   # used when token did not arrive at client
   URGENT_ROTATE_TIME = 1.minute
@@ -48,9 +51,8 @@ class UserAuthToken < ActiveRecord::Base
     expire_before = SiteSetting.maximum_session_age.hours.ago
 
     user_token = find_by("(auth_token = :token OR
-                          prev_auth_token = :token OR
-                          (auth_token = :unhashed_token AND legacy)) AND rotated_at > :expire_before",
-                          token: token, unhashed_token: unhashed_token, expire_before: expire_before)
+                          prev_auth_token = :token) AND rotated_at > :expire_before",
+                          token: token, expire_before: expire_before)
 
     if !user_token
 
@@ -180,7 +182,6 @@ end
 # prev_auth_token :string not null
 # user_agent :string
 # auth_token_seen :boolean default(FALSE), not null
-# legacy :boolean default(FALSE), not null
 # client_ip :inet
 # rotated_at :datetime not null
 # created_at :datetime not null
diff --git a/db/fixtures/009_users.rb b/db/fixtures/009_users.rb
index b0f83d0f9c9..fb6f6ee5bab 100644
--- a/db/fixtures/009_users.rb
+++ b/db/fixtures/009_users.rb
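Review bot: `self.ignored_columns = ["legacy"]` in the first hunk overwrites the inherited list instead of extending it, so any ignored column declared on a parent class or concern would be silently dropped; the usual form is `self.ignored_columns += ["legacy"]`. The `# TODO 2019` comment gives a date but not the condition for removal, which is the column actually being gone; `# TODO: remove once the ColumnDropper in db/fixtures/009_users.rb has dropped user_auth_tokens.legacy` says what to check. The rest of the class body is outside the hunk.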
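Review bot: The second hunk drops the `legacy` branch of the lookup without a note on what happens to rows written under it; judging by the fixture in the deleted spec (`auth_token: token, ... legacy: true`), such rows hold the raw token in `auth_token`, so they can never satisfy the hashed comparison and those sessions are effectively invalidated until `rotated_at > :expire_before` stops matching them. A one-line comment above the `find_by`, e.g. `# Only hashed tokens match; pre-hashing ("legacy") rows are no longer accepted and age out via rotated_at`, would make that deliberate. The enclosing method starts and ends outside the hunk, so whether anything else cleans those rows up cannot be confirmed here.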
@@ -94,6 +94,17 @@ Migration::ColumnDropper.drop(
   }
 )
 
+Migration::ColumnDropper.drop(
+  table: 'user_auth_tokens',
+  after_migration: 'RemoveLegacyAuthToken',
+  columns: %w[
+    legacy
+  ],
+  on_drop: ->() {
+    STDERR.puts 'Removing user_auth_token legacy column!'
+  }
+)
+
 # User for the smoke tests
 if ENV["SMOKE"] == "1"
   UserEmail.seed do |ue|
diff --git a/db/migrate/20180504000531_remove_legacy_auth_token.rb b/db/migrate/20180504000531_remove_legacy_auth_token.rb
new file mode 100644
index 00000000000..19c785fb437
--- /dev/null
+++ b/db/migrate/20180504000531_remove_legacy_auth_token.rb
@@ -0,0 +1,5 @@
+class RemoveLegacyAuthToken < ActiveRecord::Migration[5.1]
+  def change
+    # placeholder so we can drop column in 009_users.rb
+  end
+end
diff --git a/spec/components/auth/default_current_user_provider_spec.rb b/spec/components/auth/default_current_user_provider_spec.rb
index 288a1206435..a66d0d9f771 100644
--- a/spec/components/auth/default_current_user_provider_spec.rb
+++ b/spec/components/auth/default_current_user_provider_spec.rb
@@ -169,26 +169,6 @@ describe Auth::DefaultCurrentUserProvider do
     expect(provider("/topic/anything/goes", method: "GET").should_update_last_seen?).to eq(true)
   end
 
-  it "correctly supports legacy tokens" do
-    user = Fabricate(:user)
-    token = SecureRandom.hex(16)
-    user_token = UserAuthToken.create!(user_id: user.id, auth_token: token,
-      prev_auth_token: token, legacy: true,
-      rotated_at: Time.zone.now
-    )
-
-    prov = provider("/", "HTTP_COOKIE" => "_t=#{user_token.auth_token}")
-    expect(prov.current_user.id).to eq(user.id)
-
-    # sets a new token up cause it got a global token
-    cookies = {}
-    prov.refresh_session(user, {}, cookies)
-    user.reload
-
-    expect(user.user_auth_tokens.count).to eq(2)
-    expect(cookies["_t"][:value]).not_to eq(token)
-  end
-
   it "correctly rotates tokens" do
     SiteSetting.maximum_session_age = 3
     user = Fabricate(:user)
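Review bot: The drop in the 009_users.rb hunk is gated only on the `RemoveLegacyAuthToken` migration having run, yet pre-commit app code still names `legacy` in the `find_by` SQL; if older app servers can be serving while the seed runs (a rolling deploy), dropping the column would break their token lookups with a SQL error. Whatever grace period `Migration::ColumnDropper` applies is outside this hunk, so it is worth confirming and stating in a comment above the call, e.g. `# Safe only once no running app version references user_auth_tokens.legacy`. Style: `->() {` is written `-> {` in idiomatic Ruby, and the message names `user_auth_token` while the table is `user_auth_tokens`; `STDERR.puts 'Removing user_auth_tokens.legacy column!'` avoids the mismatch.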
diff --git a/spec/models/user_auth_token_spec.rb b/spec/models/user_auth_token_spec.rb
index ffe003c43d5..e9f8923522b 100644
--- a/spec/models/user_auth_token_spec.rb
+++ b/spec/models/user_auth_token_spec.rb
@@ -31,7 +31,7 @@ describe UserAuthToken do
 
   end
 
-  it "can lookup both hashed and unhashed" do
+  it "can lookup hashed" do
     user = Fabricate(:user)
 
     token = UserAuthToken.generate!(user_id: user.id,
@@ -45,12 +45,6 @@ describe UserAuthToken do
 
     lookup_token = UserAuthToken.lookup(token.auth_token)
     expect(lookup_token).to eq(nil)
-
-    token.update_columns(legacy: true)
-
-    lookup_token = UserAuthToken.lookup(token.auth_token)
-
-    expect(user.id).to eq(lookup_token.user.id)
   end
 
   it "can validate token was seen at lookup time" do
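Review bot: The renamed example `it "can lookup hashed" do` reads as if looking up by the hashed value is expected to succeed, but the assertion left in the second hunk is `expect(lookup_token).to eq(nil)` for `UserAuthToken.lookup(token.auth_token)`, i.e. the stored hash must not work as a credential. A name that states that property, e.g. `it "does not accept the stored hash as a token" do`, documents the guarantee this example now protects. The example body between the two hunks is outside SOURCE, so the successful lookup by the unhashed token that presumably precedes it cannot be confirmed here.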