Fix tests

jlledom · jlledom · commit e58951cbd20f · 2026-03-10T14:10:40.000+01:00
diff --git a/test/integration/by_access_token_integration_test.rb b/test/integration/by_access_token_integration_test.rb
@@ -91,18 +91,8 @@ def test_index_with_access_token
     get admin_api_accounts_path(format: :xml), params: { access_token: legacy_value }
 
     assert_response :success
-    # Token should be migrated to hashed value
-    assert_equal AccessToken::HASHED_TOKEN_LENGTH, token.reload.read_attribute(:value).length
-  end
-
-  test 'authentication with legacy unmigrated token migrates the token' do
-    token = FactoryBot.create(:access_token, owner: @user, scopes: 'account_management')
-    legacy_value = 'legacy_plaintext_token_for_integration'
-    token.update_columns(value: legacy_value)
-
-    get admin_api_accounts_path(format: :xml), params: { access_token: legacy_value }
-
-    assert_equal AccessToken::HASHED_TOKEN_LENGTH, token.reload.read_attribute(:value).length
+    # No migration: DB value remains unchanged
+    assert_equal legacy_value, token.reload.read_attribute(:value)
   end
 
   test 'authentication with leaked database hash fails' do
@@ -116,8 +106,8 @@ def test_index_with_access_token
     # Get the actual hash stored in the database
     leaked_hash = token.reload.read_attribute(:value)
 
-    # Verify we have a 96-char hash
-    assert_equal AccessToken::HASHED_TOKEN_LENGTH, leaked_hash.length
+    # Verify the stored value has our prefix
+    assert leaked_hash.start_with?(AccessToken::DIGEST_PREFIX)
 
     # An attacker trying to use the leaked hash directly should be blocked
     get admin_api_accounts_path(format: :xml), params: { access_token: leaked_hash }
diff --git a/test/models/access_token_test.rb b/test/models/access_token_test.rb
@@ -110,7 +110,7 @@ def test_find_from_value_finds_new_token_by_digest
     found = AccessToken.find_from_value(@token.plaintext_value)
 
     assert_equal @token.id, found&.id
-    assert_equal AccessToken::HASHED_TOKEN_LENGTH, @token.reload.read_attribute(:value).length
+    assert @token.reload.read_attribute(:value).start_with?(AccessToken::DIGEST_PREFIX)
   end
 
   def test_find_from_value_finds_legacy_token
@@ -120,26 +120,18 @@ def test_find_from_value_finds_legacy_token
     found = AccessToken.find_from_value(legacy_value)
 
     assert_equal @token.id, found&.id
-  end
-
-  def test_find_from_value_migrates_legacy_token_to_hash
-    legacy_value = 'legacy_plaintext_token_value_64chars'
-    @token.update_columns(value: legacy_value)
-
-    AccessToken.find_from_value(legacy_value)
-
-    assert_equal AccessToken::HASHED_TOKEN_LENGTH, @token.reload.read_attribute(:value).length
-    assert_equal AccessToken.compute_digest(legacy_value), @token.read_attribute(:value)
+    # No migration: DB value remains unchanged
+    assert_equal legacy_value, @token.reload.read_attribute(:value)
   end
 
   def test_find_from_value_rejects_leaked_hash_as_token
-    leaked_hash = @token.reload.read_attribute(:value)
+    stored_hash = @token.reload.read_attribute(:value)
 
-    # Verify the hash is 96 chars (our security boundary)
-    assert_equal AccessToken::HASHED_TOKEN_LENGTH, leaked_hash.length
+    # Verify the DB value has our prefix
+    assert stored_hash.start_with?(AccessToken::DIGEST_PREFIX)
 
     # An attacker with access to the DB hash should NOT be able to authenticate
-    found = AccessToken.find_from_value(leaked_hash)
+    found = AccessToken.find_from_value(stored_hash)
 
     assert_nil found, "Security vulnerability: leaked hash was accepted as a valid token"
   end
