From d36ddfe26c940b7820e866b87d18b425d206389f Mon Sep 17 00:00:00 2001
From: Yarden Shoham <git@yardenshoham.com>
Date: Wed, 26 Jul 2023 02:06:11 +0300
Subject: [PATCH] Fix CLI allowing creation of access tokens with existing name
 (#26071)

We are now:
- Making sure there is no existing access token with the same name
- Making sure the given scopes are valid (we already did this before, but
now the error comes with a message)

The logic is mostly taken from
https://github.com/go-gitea/gitea/blob/a12a5f3652c339b17b187ff424a480631a3c1e1e/routers/api/v1/user/app.go#L101-L123

Closes #26044

Signed-off-by: Yarden Shoham <git@yardenshoham.com>
---
 cmd/admin_user_generate_access_token.go | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/cmd/admin_user_generate_access_token.go b/cmd/admin_user_generate_access_token.go
index 9971c2ec91..0febb91661 100644
--- a/cmd/admin_user_generate_access_token.go
+++ b/cmd/admin_user_generate_access_token.go
@@ -57,17 +57,28 @@ func runGenerateAccessToken(c *cli.Context) error {
 		return err
 	}
 
-	accessTokenScope, err := auth_model.AccessTokenScope(c.String("scopes")).Normalize()
+	// construct token with name and user so we can make sure it is unique
+	t := &auth_model.AccessToken{
+		Name: c.String("token-name"),
+		UID:  user.ID,
+	}
+
+	exist, err := auth_model.AccessTokenByNameExists(t)
 	if err != nil {
 		return err
 	}
-
-	t := &auth_model.AccessToken{
-		Name:  c.String("token-name"),
-		UID:   user.ID,
-		Scope: accessTokenScope,
+	if exist {
+		return fmt.Errorf("access token name has been used already")
 	}
 
+	// make sure the scopes are valid
+	accessTokenScope, err := auth_model.AccessTokenScope(c.String("scopes")).Normalize()
+	if err != nil {
+		return fmt.Errorf("invalid access token scope provided: %w", err)
+	}
+	t.Scope = accessTokenScope
+
+	// create the token
 	if err := auth_model.NewAccessToken(t); err != nil {
 		return err
 	}
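Review bot: The uniqueness check `AccessTokenByNameExists(t)` and the later `NewAccessToken(t)` are separate calls, so two concurrent runs of the command (or a CLI run racing the API handler this logic was copied from) can both pass the check and still create tokens with the same name. Unless the table has a unique constraint on user and name, which is not visible in this hunk, the guarantee is best-effort. Either run both steps in one transaction or say so in the comment, e.g. `// best-effort uniqueness check; not atomic with NewAccessToken below`. The duplicate-name error also carries no context, and `fmt.Errorf("access token name %q has been used already", t.Name)` would tell the operator which name collided. runGenerateAccessToken begins before and continues after this hunk.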