chore: turn some user-facing string literals into constants

gwossum · gwossum · commit 9be258d9e5b7 · 2025-07-23T17:33:16.000-05:00
diff --git a/authorization/hasher.go b/authorization/hasher.go
@@ -27,6 +27,9 @@ type AuthorizationHasher struct {
 const (
 	DefaultHashVariant     = influxdb2_algo.VariantSHA256
 	DefaultHashVariantName = influxdb2_algo.VariantIdentifierSHA256
+
+	// HashVariantNameUnknown is the placeholder name used for unknown or unsupported hash variants.
+	HashVariantNameUnknown = "N/A"
 )
 
 type authorizationHasherOptions struct {
@@ -113,7 +116,7 @@ func (h *AuthorizationHasher) AllHashes(token string) ([]string, error) {
 	for idx, hasher := range h.allHashers {
 		digest, err := hasher.Hash(token)
 		if err != nil {
-			variantName := "N/A"
+			variantName := HashVariantNameUnknown
 			if influxdb_hasher, ok := hasher.(*influxdb2_algo.Hasher); ok {
 				variantName = influxdb_hasher.Variant().Prefix()
 			}
diff --git a/authorization/storage.go b/authorization/storage.go
@@ -106,6 +106,14 @@ token value. Raw token values are returned as in previous versions.
 
 ---*/
 
+const (
+	// TokenRedactedMessage is the user facing message used when a hashed token is redacted.
+	TokenRedactedMessage = "REDACTED"
+
+	// TokenNotAvailableMessage is the user facing message when no token is available, plaintext or hashed.
+	TokenNotAvailableMessage = "N/A"
+)
+
 const MaxIDGenerationN = 100
 const ReservedIDs = 1000
 
diff --git a/authorization/storage_authorization.go b/authorization/storage_authorization.go
@@ -65,6 +65,9 @@ func (s *Store) encodeAuthorization(a *influxdb.Authorization) ([]byte, error) {
 	// raw tokens if hashing is enabled.
 	if s.useHashedTokens {
 		// Redact a copy, not the original. The raw Token value is still needed by the caller in some cases.
+		// Note that this is an empty string, not TokenRedactedMessage. TokenRedactedMessage is only used for
+		// user-facing output. The empty string signals that the plaintext token is not available and that
+		// the hashed token should be used instead.
 		redactedAuth := *a
 		redactedAuth.Token = ""
 		a = &redactedAuth
diff --git a/cmd/influxd/recovery/auth/auth.go b/cmd/influxd/recovery/auth/auth.go
@@ -221,9 +221,9 @@ func PrintAuth(ctx context.Context, w io.Writer, v []*influxdb.Authorization, us
 		if t.Token != "" {
 			token = t.Token
 		} else if t.HashedToken != "" {
-			token = "REDACTED"
+			token = authorization.TokenRedactedMessage
 		} else {
-			token = "N/A"
+			token = authorization.TokenNotAvailableMessage
 		}
 		row := map[string]interface{}{
 			"ID":          t.ID,
