Every non-trivial change to tokenauth seems to open a can of worms. Some tests would be fantastic.

  1. When a token is appended, the user is authenticated.
  2. The user is authenticated to the user associated with the token, and not just any old user.
  3. The user is authenticated, and things like node_access respond. That is, if the user could view a given node, he can through token authentication as well. (Spaces & OG, I'm looking at you!)
  4. Reset token changes the token, and is immediately usable.
  5. The user's token is available on the user's Token Authentication profile tab.
  6. A user cannot see another user's token unless they are an administrator.

Undoubtedly more little test cases could be pieced together.