Validate that token is valid for patch request last token (lynndylanh…

…urley#1386)
HeadsUpHealth · Mar 30, 2020 · 4a103ed · 4a103ed
1 parent 4d2d702
commit 4a103ed
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb
@@ -137,17 +137,17 @@ def token_is_current?(token, client)
   def token_can_be_reused?(token, client)
     # ghetto HashWithIndifferentAccess
     updated_at = tokens[client]['updated_at'] || tokens[client][:updated_at]
-    last_token = tokens[client]['last_token'] || tokens[client][:last_token]
+    last_token_hash = tokens[client]['last_token'] || tokens[client][:last_token]
 
     return true if (
       # ensure that the last token and its creation time exist
-      updated_at && last_token &&
+      updated_at && last_token_hash &&
 
       # ensure that previous token falls within the batch buffer throttle time of the last request
       updated_at.to_time > Time.zone.now - DeviseTokenAuth.batch_request_buffer_throttle &&
 
       # ensure that the token is valid
-      DeviseTokenAuth::TokenFactory.valid_token_hash?(last_token)
+      DeviseTokenAuth::TokenFactory.token_hash_is_token?(last_token_hash, token)
     )
   end