hashes device_secret lookup value

department-of-veterans-affairs · May 14, 2024 · 7439515 · 7439515
1 parent e438443
commit 7439515
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 3 deletions.
diff --git a/app/services/sign_in/session_revoker.rb b/app/services/sign_in/session_revoker.rb
@@ -82,7 +82,8 @@ def delete_session!
     end
 
     def delete_device_sessions
-      sessions = OAuthSession.where(hashed_device_secret: device_secret)
+      hashed_device_secret = get_hash(device_secret)
+      sessions = OAuthSession.where(hashed_device_secret:)
       return if sessions.empty?
 
       sessions.each(&:destroy!)

diff --git a/spec/factories/sign_in/o_auth_sessions.rb b/spec/factories/sign_in/o_auth_sessions.rb
@@ -10,7 +10,7 @@
     refresh_creation { Time.zone.now }
     user_verification { create(:user_verification, user_account:) }
     credential_email { Faker::Internet.email }
-    hashed_device_secret { SecureRandom.hex }
+    hashed_device_secret {  Digest::SHA256.hexdigest(SecureRandom.hex) }
     user_attributes do
       { first_name: Faker::Name.first_name,
         last_name: Faker::Name.last_name,

diff --git a/spec/services/sign_in/session_revoker_spec.rb b/spec/services/sign_in/session_revoker_spec.rb
@@ -19,7 +19,7 @@
 
         context 'and other sessions exist with the same device_secret' do
           let!(:connected_session) do
-            create(:oauth_session, hashed_device_secret: device_secret)
+            create(:oauth_session, hashed_device_secret: Digest::SHA256.hexdigest(device_secret))
           end
 
           it 'destroys all other sessions with the same device_secret' do