author | 6543 <6543@obermui.de> | 2020-04-13 21:02:48 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-04-13 22:02:48 +0300 |
commit | ad5c43ae5d90dc92a5ce173894c72b5f6c248bc0 (patch) | |
tree | 7e19d9bd69dc739190d6c5f8cbead58a34c4b85e /models | |
parent | 980ef242519ff02d7c66f7ceac5b7d731bb9c1ec (diff) | |
Reject duplicate AccessToken names (#10994)
* make sure duplicate token names cannot be used
* add check to api routes too
* add @lunny s suggestion
* fix & don't forget User.ID
* AccessTokenByNameExists() return error too
* unique token for each test
* fix lint
Signed-off-by: 6543 <6543@obermui.de>
Co-authored-by: Lanre Adelowo <yo@lanre.wtf>
Diffstat (limited to 'models')
-rw-r--r-- | models/token.go | 5 | ||||
-rw-r--r-- | models/token_test.go | 36 |
2 files changed, 41 insertions, 0 deletions
diff --git a/models/token.go b/models/token.go
index 7ad9d41676..71a9f0975f 100644
--- a/models/token.go
+++ b/models/token.go
@@ -77,6 +77,11 @@ func GetAccessTokenBySHA(token string) (*AccessToken, error) {
 return nil, ErrAccessTokenNotExist{token}
 }
 
+// AccessTokenByNameExists checks if a token name has been used already by a user.
+func AccessTokenByNameExists(token *AccessToken) (bool, error) {
+ return x.Table("access_token").Where("name = ?", token.Name).And("uid = ?", token.UID).Exist()
+}
+
 // ListAccessTokens returns a list of access tokens belongs to given user.
 func ListAccessTokens(uid int64, listOptions ListOptions) ([]*AccessToken, error) {
 sess := x.
diff --git a/models/token_test.go b/models/token_test.go
index 45f50a1b82..572a5de609 100644
--- a/models/token_test.go
+++ b/models/token_test.go
@@ -27,6 +27,42 @@ func TestNewAccessToken(t *testing.T) {
 assert.Error(t, NewAccessToken(invalidToken))
 }
 
+func TestAccessTokenByNameExists(t *testing.T) {
+
+ name := "Token Gitea"
+
+ assert.NoError(t, PrepareTestDatabase())
+ token := &AccessToken{
+ UID: 3,
+ Name: name,
+ }
+
+ // Check to make sure it doesn't exists already
+ exist, err := AccessTokenByNameExists(token)
+ assert.NoError(t, err)
+ assert.False(t, exist)
+
+ // Save it to the database
+ assert.NoError(t, NewAccessToken(token))
+ AssertExistsAndLoadBean(t, token)
+
+ // This token must be found by name in the DB now
+ exist, err = AccessTokenByNameExists(token)
+ assert.NoError(t, err)
+ assert.True(t, exist)
+
+ user4Token := &AccessToken{
+ UID: 4,
+ Name: name,
+ }
+
+ // Name matches but different user ID, this shouldn't exists in the
+ // database
+ exist, err = AccessTokenByNameExists(user4Token)
+ assert.NoError(t, err)
+ assert.False(t, exist)
+}
+
 func TestGetAccessTokenBySHA(t *testing.T) {
 assert.NoError(t, PrepareTestDatabase())
 token, err := GetAccessTokenBySHA("d2c6c1ba3890b309189a8e618c72a162e4efbf36") |
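Review bot: AccessTokenByNameExists in models/token.go only supports a check-then-insert sequence, so two concurrent create requests for the same user and name can both read `false` and both insert; nothing in this hunk makes the pair atomic. The callers are outside this models-limited diff, so that is inferred from the helper's shape, but a unique index on (uid, name) in access_token would enforce the rule at the database. It would need a migration that first deals with any existing duplicate rows. The helper also dereferences `token` without a nil check, and whether names differing only in case count as duplicates is left to the database collation. The doc comment could state the contract: `// AccessTokenByNameExists reports whether user token.UID already owns a token named token.Name; only Name and UID are read, and the result is advisory unless the caller serialises the insert.`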
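Review bot: TestAccessTokenByNameExists never exercises the rejection the commit title promises; it only shows the lookup turning true after a single `NewAccessToken` call and staying false for another UID. If the model layer is meant to refuse duplicates, a second `assert.Error(t, NewAccessToken(&AccessToken{UID: 3, Name: name}))` would pin that. If enforcement lives only in the route handlers, which the commit message suggests but this diff does not show, a comment such as `// duplicate rejection is enforced by callers, not by NewAccessToken` would stop readers assuming the model guards it. The fixture-dependent `UID: 3` and `UID: 4` would also benefit from a short comment naming the fixture users they rely on.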