Merge pull request #2620 from alphagov/remove-regenerate-access-token…

…-button-for-api-user

Remove button for re-generating access token for API user

app/controllers/authorisations_controller.rb

@@ -29,19 +29,8 @@ def create
   def revoke
     authorisation = @api_user.authorisations.find(params[:id])
     if authorisation.revoke
-      if params[:regenerate]
-        regenerated_authorisation = @api_user.authorisations.create!(
-          expires_in: ApiUser::DEFAULT_TOKEN_LIFE,
-          application_id: authorisation.application_id,
-        )
-
-        EventLog.record_event(@api_user, EventLog::ACCESS_TOKEN_REGENERATED, initiator: current_user, application: authorisation.application, ip_address: user_ip_address)
-        flash[:authorisation] = { application_name: regenerated_authorisation.application.name,
-                                  token: regenerated_authorisation.token }
-      else
-        EventLog.record_event(@api_user, EventLog::ACCESS_TOKEN_REVOKED, initiator: current_user, application: authorisation.application, ip_address: user_ip_address)
-        flash[:notice] = "Access for #{authorisation.application.name} was revoked"
-      end
+      EventLog.record_event(@api_user, EventLog::ACCESS_TOKEN_REVOKED, initiator: current_user, application: authorisation.application, ip_address: user_ip_address)
+      flash[:notice] = "Access for #{authorisation.application.name} was revoked"
     else
       flash[:error] = "There was an error while revoking access for #{authorisation.application.name}"
     end

app/models/event_log.rb

@@ -30,7 +30,7 @@ class EventLog < ApplicationRecord
     TWO_STEP_CHANGE_FAILED = LogEntry.new(id: 25, description: "2-step verification phone change failed", require_uid: true),
     TWO_STEP_PROMPT_DEFERRED = LogEntry.new(id: 26, description: "2-step prompt deferred", require_uid: true),
     API_USER_CREATED = LogEntry.new(id: 27, description: "Account created", require_uid: true, require_initiator: true),
-    ACCESS_TOKEN_REGENERATED = LogEntry.new(id: 28, description: "Access token re-generated", require_uid: true, require_application: true),
+    ACCESS_TOKEN_REGENERATED = LogEntry.new(id: 28, description: "Access token re-generated", require_uid: true, require_application: true), # deprecated
     ACCESS_TOKEN_GENERATED = LogEntry.new(id: 29, description: "Access token generated", require_uid: true, require_application: true, require_initiator: true),
     ACCESS_TOKEN_REVOKED = LogEntry.new(id: 30, description: "Access token revoked", require_uid: true, require_application: true, require_initiator: true),
     PASSWORD_RESET_LOADED_BUT_TOKEN_EXPIRED = LogEntry.new(id: 31, description: "Password reset page loaded but the token has expired", require_uid: true),

app/views/api_users/manage_tokens.html.erb

@@ -49,9 +49,6 @@
         </td>
         <td>
           <div class="btn-group">
-            <%= form_tag(revoke_api_user_authorisation_path(@api_user.id, authorisation.id, regenerate: true), method: "post") do %>
-            <%= submit_tag("Re-generate", class: "btn btn-default") %>
-            <% end %>
             <%= form_tag(revoke_api_user_authorisation_path(@api_user.id, authorisation.id), method: "post") do %>
             <%= submit_tag("Revoke", class: "btn btn-default") %>
             <% end %>

test/controllers/api_users_controller_test.rb

@@ -190,21 +190,6 @@ class ApiUsersControllerTest < ActionController::TestCase
         end
       end
 
-      should "show button for regenerating API user's access token for an application" do
-        application = create(:application)
-        token = create(:access_token, resource_owner_id: @api_user.id, application:)
-
-        get :manage_tokens, params: { id: @api_user }
-
-        regenerate_token_path = revoke_api_user_authorisation_path(@api_user, token, regenerate: true)
-
-        assert_select "table#authorisations tbody td", text: application.name do |td|
-          assert_select td.first.parent, "form[action='#{regenerate_token_path}']" do
-            assert_select "input[type='submit']", value: "Re-generate"
-          end
-        end
-      end
-
       should "show button for revoking API user's access token for an application" do
         application = create(:application)
         token = create(:access_token, resource_owner_id: @api_user.id, application:)

test/integration/manage_api_users_test.rb

@@ -101,21 +101,6 @@ class ManageApiUsersTest < ActionDispatch::IntegrationTest
       assert page.has_text?("Access token revoked for #{@application.name} by #{@superadmin.name}")
     end
 
-    should "be able to regenerate application access token for an API user which should get recorded in event log" do
-      click_link @api_user.name
-      click_link "Manage tokens"
-
-      assert page.has_selector?("td:first-child", text: @application.name)
-      click_button "Re-generate"
-
-      assert page.has_selector?("div.alert-danger", text: "Make sure to copy the access token for #{@application.name} now. You won't be able to see it again!")
-      assert page.has_selector?("div.alert-info", text: "Access token for #{@application.name}: #{@api_user.authorisations.last.token}")
-
-      click_link @api_user.name
-      click_link "View account access log"
-      assert page.has_text?("Access token re-generated for #{@application.name} by #{@superadmin.name}")
-    end
-
     should "be able to suspend and unsuspend API user" do
       click_link @api_user.name
       click_link "Suspend user"

test/models/event_log_test.rb

@@ -100,7 +100,7 @@ class EventLogTest < ActiveSupport::TestCase
 
   test "records the application associated with the event passed as an option" do
     application = create(:application)
-    EventLog.record_event(create(:user), EventLog::ACCESS_TOKEN_REGENERATED, application:)
+    EventLog.record_event(create(:user), EventLog::SUCCESSFUL_PASSWORD_RESET, application:)
 
     assert_equal application, EventLog.last.application
   end