Discard outdated encrypted_github_access_token on after_find

Otherwise dirty attribute tracking will try to decrypt it and
fail.

Author: byroot

app/models/shipit/user.rb

@@ -14,6 +14,9 @@ class User < Record
     validates :name, presence: true
 
     encrypts :encrypted_github_access_token
+    alias_attribute :github_access_token, :encrypted_github_access_token
+
+    after_find :discard_outdated_credentials!
 
     def self.find_or_create_by_login!(login)
       find_or_create_by!(login: login) do |user|
@@ -58,14 +61,6 @@ def self.refresh_shard(shard_index, shards_count)
       end
     end
 
-    alias_attribute :github_access_token, :encrypted_github_access_token
-    def github_access_token
-      encrypted_github_access_token
-    rescue ActiveRecord::Encryption::Errors::Decryption
-      update_columns(encrypted_github_access_token: nil)
-      nil
-    end
-
     def github_api
       return Shipit.github.api unless github_access_token
 
@@ -134,6 +129,16 @@ def requires_fresh_login?
 
     private
 
+    def discard_outdated_credentials!
+      if encrypted_github_access_token_before_type_cast.present?
+        begin
+          encrypted_github_access_token
+        rescue ActiveRecord::Encryption::Errors::Decryption
+          update_column(:encrypted_github_access_token, nil)
+        end
+      end
+    end
+
     def identify_renamed_user!
       last_commit = commits.last
       return unless last_commit

test/models/users_test.rb

@@ -217,18 +217,25 @@ class UsersTest < ActiveSupport::TestCase
 
     test "users with legacy encrypted access token get their token reset automatically" do
       legacy = shipit_users(:legacy)
-
-      assert_not_nil legacy.encrypted_github_access_token_before_type_cast
-
       assert_nil legacy.github_access_token
-      legacy.reload
-      assert_nil legacy.encrypted_github_access_token_before_type_cast
 
+      legacy.update!(github_access_token: 'ghu_t0k3n')
+      assert_equal 'ghu_t0k3n', legacy.github_access_token
+    end
+
+    test "users with legacy encrypted access token can be updated" do
+      legacy = shipit_users(:legacy)
       legacy.update!(github_access_token: 'ghu_t0k3n')
       legacy.reload
       assert_equal 'ghu_t0k3n', legacy.github_access_token
     end
 
+    test "users with legacy encrypted access token can have unrelated attributes updated" do
+      legacy = shipit_users(:legacy)
+      legacy.update!(name: 'Test')
+      assert_equal 'Test', legacy.name
+    end
+
     test "users are always logged_in?" do
       assert_predicate @user, :logged_in?
     end