From ad5c43ae5d90dc92a5ce173894c72b5f6c248bc0 Mon Sep 17 00:00:00 2001 From: 6543 <6543@obermui.de> Date: Mon, 13 Apr 2020 21:02:48 +0200 Subject: Reject duplicate AccessToken names (#10994) * make sure duplicate token names cannot be used * add check to api routes too * add @lunny s suggestion * fix & don't forget User.ID * AccessTokenByNameExists() return error too * unique token for each test * fix lint Signed-off-by: 6543 <6543@obermui.de> Co-authored-by: Lanre Adelowo --- routers/api/v1/user/app.go | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'routers/api/v1') diff --git a/routers/api/v1/user/app.go b/routers/api/v1/user/app.go index 9ec506bcf2..f29572ef62 100644 --- a/routers/api/v1/user/app.go +++ b/routers/api/v1/user/app.go @@ -6,6 +6,7 @@ package user import ( + "errors" "net/http" "code.gitea.io/gitea/models" @@ -89,6 +90,17 @@ func CreateAccessToken(ctx *context.APIContext, form api.CreateAccessTokenOption UID: ctx.User.ID, Name: form.Name, } + + exist, err := models.AccessTokenByNameExists(t) + if err != nil { + ctx.InternalServerError(err) + return + } + if exist { + ctx.Error(http.StatusBadRequest, "AccessTokenByNameExists", errors.New("access token name has been used already")) + return + } + if err := models.NewAccessToken(t); err != nil { ctx.Error(http.StatusInternalServerError, "NewAccessToken", err) return -- cgit v1.2.3
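Review bot: The duplicate-name check added to CreateAccessToken is a separate call from the insert, so two concurrent requests with the same name can both get `exist == false` from `models.AccessTokenByNameExists(t)` and both reach `models.NewAccessToken(t)`. Nothing in this hunk shows a unique constraint on (UID, Name) in the model, so unless one exists elsewhere the handler check alone does not guarantee uniqueness; the durable fix is a unique index, or doing the check and insert in one transaction, with the resulting conflict mapped to the same 400 response. At minimum I would add above the check `// Best-effort pre-check: not atomic with NewAccessToken, uniqueness must also be enforced in the model/DB.` The new error path also reports failures with `ctx.InternalServerError(err)` while the existing one just below uses `ctx.Error(http.StatusInternalServerError, "NewAccessToken", err)`; one form should be used for both. The function body starts and ends outside the hunk.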