gitea/tests/integration/api_token_self_test.go

// Copyright 2026 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package integration

import (
	"net/http"
	"testing"

	auth_model "gitea.dev/models/auth"
	"gitea.dev/models/unittest"
	user_model "gitea.dev/models/user"
	api "gitea.dev/modules/structs"
	"gitea.dev/tests"

	"github.com/stretchr/testify/assert"
)

// TestAPIGetCurrentToken tests getting metadata of the currently authenticated token
func TestAPIGetCurrentToken(t *testing.T) {
	defer tests.PrepareTestEnv(t)()

	t.Run("Success with all scopes", func(t *testing.T) {
		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
		accessToken := createAPIAccessTokenWithoutCleanUp(t, "test-get-current-token-all", user, []auth_model.AccessTokenScope{auth_model.AccessTokenScopeAll})

		req := NewRequest(t, "GET", "/api/v1/token").
			AddTokenAuth(accessToken.Token)
		resp := MakeRequest(t, req, http.StatusOK)

		currentToken := DecodeJSON(t, resp, &api.CurrentAccessToken{})
		assert.Equal(t, accessToken.ID, currentToken.ID)
		assert.Equal(t, accessToken.Name, currentToken.Name)
		assert.Equal(t, user.ID, currentToken.User.ID)
		assert.Equal(t, user.Name, currentToken.User.Login)
	})

	t.Run("Success with limited scopes", func(t *testing.T) {
		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
		accessToken := createAPIAccessTokenWithoutCleanUp(t, "test-get-current-token-limited", user, []auth_model.AccessTokenScope{auth_model.AccessTokenScopeReadRepository})

		req := NewRequest(t, "GET", "/api/v1/token").
			AddTokenAuth(accessToken.Token)
		resp := MakeRequest(t, req, http.StatusOK)

		currentToken := DecodeJSON(t, resp, &api.CurrentAccessToken{})
		assert.Equal(t, accessToken.ID, currentToken.ID)
		assert.Equal(t, accessToken.Name, currentToken.Name)
		assert.Equal(t, user.ID, currentToken.User.ID)
		assert.Equal(t, user.Name, currentToken.User.Login)
	})

	t.Run("Bad token", func(t *testing.T) {
		req := NewRequest(t, "GET", "/api/v1/token").
			AddTokenAuth("this does not exist")
		MakeRequest(t, req, http.StatusUnauthorized)

		req = NewRequest(t, "GET", "/api/v1/token")
		MakeRequest(t, req, http.StatusUnauthorized)
	})
}

// TestAPITokenSelfService tests delete operations on token
func TestAPITokenSelfService(t *testing.T) {
	defer tests.PrepareTestEnv(t)()

	t.Run("Success then verify deleted", func(t *testing.T) {
		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
		accessToken := createAPIAccessTokenWithoutCleanUp(t, "test-delete-current-token", user, []auth_model.AccessTokenScope{auth_model.AccessTokenScopeAll})

		// Delete the token via the endpoint
		req := NewRequest(t, "DELETE", "/api/v1/token").
			AddTokenAuth(accessToken.Token)
		MakeRequest(t, req, http.StatusNoContent)

		// Verify the token is deleted
		unittest.AssertNotExistsBean(t, &auth_model.AccessToken{ID: accessToken.ID})

		// Verify the token can no longer be used for GET
		req = NewRequest(t, "GET", "/api/v1/token").
			AddTokenAuth(accessToken.Token)
		MakeRequest(t, req, http.StatusUnauthorized)

		// Verify the token can no longer be used for DELETE
		req = NewRequest(t, "DELETE", "/api/v1/token").
			AddTokenAuth(accessToken.Token)
		MakeRequest(t, req, http.StatusUnauthorized)
	})

	t.Run("Bad token", func(t *testing.T) {
		req := NewRequest(t, "DELETE", "/api/v1/token").
			AddTokenAuth("this does not exist")
		MakeRequest(t, req, http.StatusUnauthorized)

		req = NewRequest(t, "DELETE", "/api/v1/token")
		MakeRequest(t, req, http.StatusUnauthorized)
	})
}