Redmine

  class << self

    attr_reader :actions

    def add_action(name, options)

      options.assert_valid_keys(:max_instances, :validity_time)

      @actions ||= {}

      @actions[name.to_s] = options

    end

  end

  add_action :api,       max_instances: 1,  validity_time: nil

  add_action :autologin, max_instances: 10, validity_time: Proc.new { Setting.autologin.to_i.days }

  add_action :feeds,     max_instances: 1,  validity_time: nil

  add_action :recovery,  max_instances: 1,  validity_time: Proc.new { Token.validity_time }

  add_action :register,  max_instances: 1,  validity_time: Proc.new { Token.validity_time }

  add_action :session,   max_instances: 10, validity_time: nil

    return created_on < self.class.invalid_when_created_before(action)

  end

  def max_instances

    Token.actions.has_key?(action) ? Token.actions[action][:max_instances] : 1

  end

  def self.invalid_when_created_before(action = nil)

    if Token.actions.has_key?(action)

      validity_time = Token.actions[action][:validity_time]

      validity_time = validity_time.call(action) if validity_time.respond_to? :call

    else

      validity_time = self.validity_time

    end

    if validity_time.nil?

      0

    else

      Time.now - validity_time

    end

    t = Token.arel_table

    # Unknown actions have default validity_time

    condition = t[:action].not_in(self.actions.keys).and(t[:created_on].lt(invalid_when_created_before))

    self.actions.each do |action, options|

      validity_time = invalid_when_created_before(action)

      # Do not delete tokens, which don't become invalid

      next if validity_time.nil?

      condition = condition.or(

        t[:action].eq(action).and(t[:created_on].lt(validity_time))

      )

    end

    Token.where(condition).delete_all

      if max_instances > 1

        ids = scope.order(:updated_on => :desc).offset(max_instances - 1).ids

    t1 = Token.create(:user => user, :action => 'register')

    t2 = Token.create(:user => user, :action => 'register')

  def test_create_session_or_autologin_token_should_keep_last_10_tokens

    ["autologin", "session"].each do |action|

      assert_difference 'Token.count', 10 do

        10.times { Token.create!(:user => user, :action => action) }

      end

      assert_no_difference 'Token.count' do

        Token.create!(:user => user, :action => action)

      end

  def test_destroy_expired_should_not_destroy_session_feeds_and_api_tokens

    Token.create!(:user_id => 1, :action => 'session', :created_on => 7.days.ago)

    # Expiration of autologin tokens is determined by Setting.autologin

    Setting.autologin = "7"

    Token.create!(:user_id => 2, :action => 'autologin', :created_on => 3.weeks.ago)

    Token.create!(:user_id => 3, :action => 'autologin', :created_on => 3.days.ago)

    # Expiration of register and recovery tokens is determined by Token.validity_time

    Token.create!(:user_id => 1, :action => 'register', :created_on => 7.days.ago)

    Token.create!(:user_id => 3, :action => 'register', :created_on => 7.hours.ago)

    Token.create!(:user_id => 2, :action => 'recovery', :created_on => 3.days.ago)

    Token.create!(:user_id => 3, :action => 'recovery', :created_on => 3.hours.ago)

    # Expiration of tokens with unknown action is determined by Token.validity_time

    Token.create!(:user_id => 2, :action => 'unknown_action', :created_on => 2.days.ago)

    Token.create!(:user_id => 3, :action => 'unknown_action', :created_on => 2.hours.ago)

    assert_difference 'Token.count', -4 do

      assert_equal 4, Token.destroy_expired