Reset insecure token when setting an encrypted one

app/models/concerns/token_authenticatable_strategies/encrypted.rb

@@ -24,13 +24,16 @@ module TokenAuthenticatableStrategies
       # using factory bot to create resources, it might happen that a database
       # schema does not have "#{token_name}_encrypted" field yet, however a bunch
       # of models call `ensure_#{token_name}` in `before_save`.
+      #
+      # In that case we are using insecure strategy, but this should only happen
+      # in tests, because otherwise `encrypted_field` is going to exist.
 
       return super if instance.has_attribute?(encrypted_field)
 
       if fallback?
         fallback_strategy.ensure_token(instance)
       else
-        raise ArgumentError, 'Encrypted field does not exist without fallback'
+        raise ArgumentError, 'No fallback defined when encrypted field is missing!'
       end
     end
 
@@ -45,6 +48,7 @@ module TokenAuthenticatableStrategies
       raise ArgumentError unless token.present?
 
       instance[encrypted_field] = Gitlab::CryptoHelper.aes256_gcm_encrypt(token)
+      instance[token_field] = nil
       token
     end
 

spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb

@@ -63,6 +63,8 @@ describe TokenAuthenticatableStrategies::Encrypted do
     it 'writes encrypted token to a model instance and returns it' do
       expect(instance).to receive(:[]=)
         .with('some_field_encrypted', encrypted)
+      expect(instance).to receive(:[]=)
+        .with('some_field', nil)
 
       expect(subject.set_token(instance, 'my-value')).to eq 'my-value'
     end