Implement @DouweM's feedback.

- Extract a duplicated `redirect_to`
- Fix a typo: "token", not "certificate"
- Have the "Expires at" datepicker be attached to a text field, not inline
- Have both private tokens and personal access tokens verified in a
  single "authenticate_from_private_token" method, both in the
  application and API. Move relevant logic to
  `User#find_by_personal_access_token`
- Remove unnecessary constants relating to API auth. We don't need a
  separate constant for personal access tokens since the param is the
  same as for private tokens.

2 files changed, 10 insertions, 18 deletions

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index a5b358f10f1..72d1b97bf56 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -8,7 +8,7 @@ class ApplicationController < ActionController::Base
   include PageLayoutHelper
   include WorkhorseHelper
 
-  before_action :authenticate_user_from_token!
+  before_action :authenticate_user_from_private_token!
   before_action :authenticate_user!
   before_action :validate_user_service_ticket!
   before_action :reject_blocked!
@@ -64,8 +64,11 @@ class ApplicationController < ActionController::Base
     end
   end
 
-  def authenticate_user_from_token!
-    user = get_user_from_private_token || get_user_from_personal_access_token
+  # This filter handles both private tokens and personal access tokens
+  def authenticate_user_from_private_token!
+    token_string = params[:private_token].presence || request.headers['PRIVATE-TOKEN'].presence
+    user = User.find_by_authentication_token(token_string) || User.find_by_personal_access_token(token_string)
+
     if user
       # Notice we are passing store false, so the user is not
       # actually stored in the session and a token is needed
@@ -376,17 +379,4 @@ class ApplicationController < ActionController::Base
     (controller_name == 'groups' && action_name == page_type) ||
     (controller_name == 'dashboard' && action_name == page_type)
   end
-
-  # From https://github.com/plataformatec/devise/wiki/How-To:-Simple-Token-Authentication-Example
-  # https://gist.github.com/josevalim/fb706b1e933ef01e4fb6
-  def get_user_from_private_token
-    user_token = params[:private_token].presence || request.headers['PRIVATE-TOKEN'].presence
-    User.find_by_authentication_token(user_token.to_s) if user_token
-  end
-
-  def get_user_from_personal_access_token
-    token_string = params[:private_token].presence || request.headers['PRIVATE-TOKEN'].presence
-    personal_access_token = PersonalAccessToken.active.find_by_token(token_string) if token_string
-    personal_access_token.user if personal_access_token
-  end
 end
diff --git a/app/controllers/profiles/personal_access_tokens_controller.rb b/app/controllers/profiles/personal_access_tokens_controller.rb
index 86e08fed8e2..508b82a9a6c 100644
--- a/app/controllers/profiles/personal_access_tokens_controller.rb
+++ b/app/controllers/profiles/personal_access_tokens_controller.rb
@@ -21,10 +21,12 @@ class Profiles::PersonalAccessTokensController < Profiles::ApplicationController
     @personal_access_token = current_user.personal_access_tokens.find(params[:id])
 
     if @personal_access_token.revoke!
-      redirect_to profile_personal_access_tokens_path, notice: "Revoked personal access token #{@personal_access_token.name}!"
+      flash[:notice] = "Revoked personal access token #{@personal_access_token.name}!"
     else
-      redirect_to profile_personal_access_tokens_path, alert: "Could not revoke personal access token #{@personal_access_token.name}."
+      flash[:alert] = "Could not revoke personal access token #{@personal_access_token.name}."
     end
+
+    redirect_to profile_personal_access_tokens_path
   end
 
   private