18887: Fix salted_secret check. Add test.

[arvados.git] / services / api / app / models / api_client_authorization.rb

diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index 726061a4ab41e00cf2e89475ca7190ffd3c14b89..52922d32b1868fdb53d8bcd3f1197d149a93bb63 100644 (file)
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -131,7 +131,7 @@ class ApiClientAuthorization < ArvadosModel
     end
 
     # Usually, the secret is salted
-    salted_secret = OpenSSL::HMAC.hexdigest('sha1', secret, remote)
+    salted_secret = OpenSSL::HMAC.hexdigest('sha1', Rails.configuration.Users.AnonymousUserToken, remote)
 
     # The anonymous token could be specified as a full v2 token in the config,
     # but the config loader strips it down to the secret part.