Skip to content

Commit 08adbc4

Browse files
KN4CK3Rlunny
KN4CK3R
and
lunny
authored
Fix incorrect /tokens api (#32085)
Fixes #32078 - Add missing scopes output. - Disallow empty scope. --------- Co-authored-by: Lunny Xiao <[email protected]>
1 parent aa9faf8 commit 08adbc4

File tree

2 files changed

+16
-20
lines changed

2 files changed

+16
-20
lines changed

routers/api/v1/user/app.go

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -118,6 +118,10 @@ func CreateAccessToken(ctx *context.APIContext) {
118118
ctx.Error(http.StatusBadRequest, "AccessTokenScope.Normalize", fmt.Errorf("invalid access token scope provided: %w", err))
119119
return
120120
}
121+
if scope == "" {
122+
ctx.Error(http.StatusBadRequest, "AccessTokenScope", "access token must have a scope")
123+
return
124+
}
121125
t.Scope = scope
122126

123127
if err := auth_model.NewAccessToken(ctx, t); err != nil {
@@ -129,6 +133,7 @@ func CreateAccessToken(ctx *context.APIContext) {
129133
Token: t.Token,
130134
ID: t.ID,
131135
TokenLastEight: t.TokenLastEight,
136+
Scopes: t.Scope.StringSlice(),
132137
})
133138
}
134139

tests/integration/api_token_test.go

Lines changed: 11 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -23,10 +23,10 @@ func TestAPICreateAndDeleteToken(t *testing.T) {
2323
defer tests.PrepareTestEnv(t)()
2424
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
2525

26-
newAccessToken := createAPIAccessTokenWithoutCleanUp(t, "test-key-1", user, nil)
26+
newAccessToken := createAPIAccessTokenWithoutCleanUp(t, "test-key-1", user, []auth_model.AccessTokenScope{auth_model.AccessTokenScopeAll})
2727
deleteAPIAccessToken(t, newAccessToken, user)
2828

29-
newAccessToken = createAPIAccessTokenWithoutCleanUp(t, "test-key-2", user, nil)
29+
newAccessToken = createAPIAccessTokenWithoutCleanUp(t, "test-key-2", user, []auth_model.AccessTokenScope{auth_model.AccessTokenScopeAll})
3030
deleteAPIAccessToken(t, newAccessToken, user)
3131
}
3232

@@ -72,19 +72,19 @@ func TestAPIDeleteTokensPermission(t *testing.T) {
7272
user4 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
7373

7474
// admin can delete tokens for other users
75-
createAPIAccessTokenWithoutCleanUp(t, "test-key-1", user2, nil)
75+
createAPIAccessTokenWithoutCleanUp(t, "test-key-1", user2, []auth_model.AccessTokenScope{auth_model.AccessTokenScopeAll})
7676
req := NewRequest(t, "DELETE", "/api/v1/users/"+user2.LoginName+"/tokens/test-key-1").
7777
AddBasicAuth(admin.Name)
7878
MakeRequest(t, req, http.StatusNoContent)
7979

8080
// non-admin can delete tokens for himself
81-
createAPIAccessTokenWithoutCleanUp(t, "test-key-2", user2, nil)
81+
createAPIAccessTokenWithoutCleanUp(t, "test-key-2", user2, []auth_model.AccessTokenScope{auth_model.AccessTokenScopeAll})
8282
req = NewRequest(t, "DELETE", "/api/v1/users/"+user2.LoginName+"/tokens/test-key-2").
8383
AddBasicAuth(user2.Name)
8484
MakeRequest(t, req, http.StatusNoContent)
8585

8686
// non-admin can't delete tokens for other users
87-
createAPIAccessTokenWithoutCleanUp(t, "test-key-3", user2, nil)
87+
createAPIAccessTokenWithoutCleanUp(t, "test-key-3", user2, []auth_model.AccessTokenScope{auth_model.AccessTokenScopeAll})
8888
req = NewRequest(t, "DELETE", "/api/v1/users/"+user2.LoginName+"/tokens/test-key-3").
8989
AddBasicAuth(user4.Name)
9090
MakeRequest(t, req, http.StatusForbidden)
@@ -520,7 +520,7 @@ func runTestCase(t *testing.T, testCase *requiredScopeTestCase, user *user_model
520520
unauthorizedScopes = append(unauthorizedScopes, cateogoryUnauthorizedScopes...)
521521
}
522522

523-
accessToken := createAPIAccessTokenWithoutCleanUp(t, "test-token", user, &unauthorizedScopes)
523+
accessToken := createAPIAccessTokenWithoutCleanUp(t, "test-token", user, unauthorizedScopes)
524524
defer deleteAPIAccessToken(t, accessToken, user)
525525

526526
// Request the endpoint. Verify that permission is denied.
@@ -532,20 +532,12 @@ func runTestCase(t *testing.T, testCase *requiredScopeTestCase, user *user_model
532532

533533
// createAPIAccessTokenWithoutCleanUp Create an API access token and assert that
534534
// creation succeeded. The caller is responsible for deleting the token.
535-
func createAPIAccessTokenWithoutCleanUp(t *testing.T, tokenName string, user *user_model.User, scopes *[]auth_model.AccessTokenScope) api.AccessToken {
535+
func createAPIAccessTokenWithoutCleanUp(t *testing.T, tokenName string, user *user_model.User, scopes []auth_model.AccessTokenScope) api.AccessToken {
536536
payload := map[string]any{
537-
"name": tokenName,
538-
}
539-
if scopes != nil {
540-
for _, scope := range *scopes {
541-
scopes, scopesExists := payload["scopes"].([]string)
542-
if !scopesExists {
543-
scopes = make([]string, 0)
544-
}
545-
scopes = append(scopes, string(scope))
546-
payload["scopes"] = scopes
547-
}
537+
"name": tokenName,
538+
"scopes": scopes,
548539
}
540+
549541
log.Debug("Requesting creation of token with scopes: %v", scopes)
550542
req := NewRequestWithJSON(t, "POST", "/api/v1/users/"+user.LoginName+"/tokens", payload).
551543
AddBasicAuth(user.Name)
@@ -563,8 +555,7 @@ func createAPIAccessTokenWithoutCleanUp(t *testing.T, tokenName string, user *us
563555
return newAccessToken
564556
}
565557

566-
// createAPIAccessTokenWithoutCleanUp Delete an API access token and assert that
567-
// deletion succeeded.
558+
// deleteAPIAccessToken deletes an API access token and assert that deletion succeeded.
568559
func deleteAPIAccessToken(t *testing.T, accessToken api.AccessToken, user *user_model.User) {
569560
req := NewRequestf(t, "DELETE", "/api/v1/users/"+user.LoginName+"/tokens/%d", accessToken.ID).
570561
AddBasicAuth(user.Name)

0 commit comments

Comments
 (0)