authorAzul <azul@leap.se>2013-04-02 10:58:13 +0200
committerAzul <azul@leap.se>2013-04-09 09:01:34 +0200
commit08ce330fd3676ba0b51d604a2aa653c680fffea5 (patch)
tree5d3c0de1b8b0faef04eddb6b9cdc36944f088e83
parentaedfab27b9a03f41638fefb1b39857ca66a99257 (diff)
let's use safe ids instead of the default couch ones
Couch uses partly random, partly sequential ids by default. We could change that in the couch config to be all random, but generating the id here is probably safer.
-rw-r--r--users/app/models/token.rb7
-rw-r--r--users/test/unit/token_test.rb13
2 files changed, 20 insertions, 0 deletions
diff --git a/users/app/models/token.rb b/users/app/models/token.rb
index 9de6850..44a6dfe 100644
--- a/users/app/models/token.rb
+++ b/users/app/models/token.rb
@@ -6,5 +6,12 @@ class Token < CouchRest::Model::Base
validates :user_id, presence: true
+ def initialize(*args)
+ super
+ self.id = SecureRandom.urlsafe_base64(32)
+ end
+
+ design do
+ end
end
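Review bot: The id assigned on the added `self.id = SecureRandom.urlsafe_base64(32)` line can begin with an underscore, because the urlsafe alphabet is `A-Za-z0-9-_`, and CouchDB reserves ids starting with `_` for special documents and rejects them on save, so roughly one token in 64 would fail to persist. Separately, the assignment runs on every construction, so if CouchRest::Model also routes documents loaded from the database through `initialize` (I believe `build_from_database` calls `new`), a fetched token would silently receive a fresh id and saving it would create a second document instead of updating the stored one. Both are fixed on the one line: `self.id = SecureRandom.urlsafe_base64(32).sub(/\A_+/, '') if new?` (CouchRest exposes this as `new?`/`new_record?`). Stripping a leading underscore removes at most a character or two from a 43-character id, so the length check in the accompanying test still holds.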
diff --git a/users/test/unit/token_test.rb b/users/test/unit/token_test.rb
index d409265..bff6b71 100644
--- a/users/test/unit/token_test.rb
+++ b/users/test/unit/token_test.rb
@@ -16,6 +16,19 @@ class ClientCertificateTest < ActiveSupport::TestCase
assert_equal @user.id, sample.user_id
end
+ test "token id is secure" do
+ sample = Token.new(:user_id => @user.id)
+ other = Token.new(:user_id => @user.id)
+ assert sample.id,
+ "id is set on initialization"
+ assert sample.id[0..10] != other.id[0..10],
+ "token id prefixes should not repeat"
+ assert /[g-zG-Z]/.match(sample.id),
+ "should use non hex chars in the token id"
+ assert sample.id.size > 16,
+ "token id should be more than 16 chars long"
+ end
+
test "token checks for user" do
sample = Token.new
assert !sample.valid?, "Token should require a user record"