From: Tom Clegg
Date: Wed, 18 Nov 2020 15:02:40 +0000 (-0500)
Subject: 17106: Comment on stored_secret behavior.
X-Git-Tag: 2.2.0~216^2~5
X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/998f990baafdd07501d801d063c7ed6b21feec6a

17106: Comment on stored_secret behavior.

Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---
diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index 1c1c669deb..6b308a231c 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -345,6 +345,11 @@ class ApiClientAuthorization < ArvadosModel
 auth.user = user
 auth.api_client_id = 0
 end
+ # If stored_secret is set, we save stored_secret in the database
+ # but return the real secret to the caller. This way, if we end
+ # up returning the auth record to the client, they see the same
+ # secret they supplied, instead of the HMAC we saved in the
+ # database.
 stored_secret = stored_secret || secret
 auth.update_attributes!(user: user,
 api_token: stored_secret,
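Review bot: The new comment above `stored_secret = stored_secret || secret` covers only the case where stored_secret is set; it does not say that when it is nil, the caller-supplied secret itself is what `update_attributes!` writes to `api_token`. I would add a line such as `# If stored_secret is nil, the supplied secret itself is saved as api_token.` so a reader can tell which tokens are persisted as an HMAC and which verbatim. The step that puts the real secret back on the returned record is not visible here (the `update_attributes!` call continues past the end of the hunk), so the comment could also point to where that happens. Presumably the in-memory record then no longer matches the database row; if so, it is worth a sentence warning that saving that object again would replace the stored HMAC with the plain secret.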