
Commit e47df0b

beeonthegotechknowlogick
authored andcommitted
Enforce token on api routes [fixed critical security issue #4357] (#4840)
1 parent 387a4b0 commit e47df0b

17 files changed

+131
-89
lines changed

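--- a/integrations/api_admin_test.go
+++ b/integrations/api_admin_test.go
@@ -21,7 +21,8 @@ func TestAPIAdminCreateAndDeleteSSHKey(t *testing.T) {
 session := loginUser(t, "user1")
 keyOwner := models.AssertExistsAndLoadBean(t, &models.User{Name: "user2"}).(*models.User)
 
-urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys", keyOwner.Name)
+token := getTokenForLoggedInUser(t, session)
+urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys?token=%s", keyOwner.Name, token)
 req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
 "key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAu7tvIvX6ZHrRXuZNfkR3XLHSsuCK9Zn3X58lxBcQzuo5xZgB6vRwwm/QtJuF+zZPtY5hsQILBLmF+BZ5WpKZp1jBeSjH2G7lxet9kbcH+kIVj0tPFEoyKI9wvWqIwC4prx/WVk2wLTJjzBAhyNxfEq7C9CeiX9pQEbEqJfkKCQ== nocomment\n",
 "title": "test-key",
@@ -38,7 +39,7 @@ func TestAPIAdminCreateAndDeleteSSHKey(t *testing.T) {
 OwnerID: keyOwner.ID,
 })
 
-req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d",
+req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token="+token,
 keyOwner.Name, newPublicKey.ID)
 session.MakeRequest(t, req, http.StatusNoContent)
 models.AssertNotExistsBean(t, &models.PublicKey{ID: newPublicKey.ID})
@@ -49,7 +50,8 @@ func TestAPIAdminDeleteMissingSSHKey(t *testing.T) {
 // user1 is an admin user
 session := loginUser(t, "user1")
 
-req := NewRequestf(t, "DELETE", "/api/v1/admin/users/user1/keys/%d", models.NonexistentID)
+token := getTokenForLoggedInUser(t, session)
+req := NewRequestf(t, "DELETE", "/api/v1/admin/users/user1/keys/%d?token="+token, models.NonexistentID)
 session.MakeRequest(t, req, http.StatusNotFound)
 }
 
@@ -59,7 +61,8 @@ func TestAPIAdminDeleteUnauthorizedKey(t *testing.T) {
 normalUsername := "user2"
 session := loginUser(t, adminUsername)
 
-urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys", adminUsername)
+token := getTokenForLoggedInUser(t, session)
+urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys?token=%s", adminUsername, token)
 req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
 "key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAu7tvIvX6ZHrRXuZNfkR3XLHSsuCK9Zn3X58lxBcQzuo5xZgB6vRwwm/QtJuF+zZPtY5hsQILBLmF+BZ5WpKZp1jBeSjH2G7lxet9kbcH+kIVj0tPFEoyKI9wvWqIwC4prx/WVk2wLTJjzBAhyNxfEq7C9CeiX9pQEbEqJfkKCQ== nocomment\n",
 "title": "test-key",
@@ -69,7 +72,8 @@ func TestAPIAdminDeleteUnauthorizedKey(t *testing.T) {
 DecodeJSON(t, resp, &newPublicKey)
 
 session = loginUser(t, normalUsername)
-req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d",
+token = getTokenForLoggedInUser(t, session)
+req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token="+token,
 adminUsername, newPublicKey.ID)
 session.MakeRequest(t, req, http.StatusForbidden)
 }
@@ -79,8 +83,9 @@ func TestAPISudoUser(t *testing.T) {
 adminUsername := "user1"
 normalUsername := "user2"
 session := loginUser(t, adminUsername)
+token := getTokenForLoggedInUser(t, session)
 
-urlStr := fmt.Sprintf("/api/v1/user?sudo=%s", normalUsername)
+urlStr := fmt.Sprintf("/api/v1/user?sudo=%s&token=%s", normalUsername, token)
 req := NewRequest(t, "GET", urlStr)
 resp := session.MakeRequest(t, req, http.StatusOK)
 var user api.User
@@ -95,8 +100,9 @@ func TestAPISudoUserForbidden(t *testing.T) {
 normalUsername := "user2"
 
 session := loginUser(t, normalUsername)
+token := getTokenForLoggedInUser(t, session)
 
-urlStr := fmt.Sprintf("/api/v1/user?sudo=%s", adminUsername)
+urlStr := fmt.Sprintf("/api/v1/user?sudo=%s&token=%s", adminUsername, token)
 req := NewRequest(t, "GET", urlStr)
 session.MakeRequest(t, req, http.StatusForbidden)
 }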
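Review bot: The three DELETE requests in this file (TestAPIAdminCreateAndDeleteSSHKey, TestAPIAdminDeleteMissingSSHKey, TestAPIAdminDeleteUnauthorizedKey) concatenate the token into the format string itself, as in `"/api/v1/admin/users/%s/keys/%d?token="+token`, so NewRequestf would presumably treat any `%` in the token as a formatting verb. The POST and sudo requests in the same file already pass the token as an argument, and the DELETE calls should match: `req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token=%s", keyOwner.Name, newPublicKey.ID, token)`. The token format returned by getTokenForLoggedInUser is not visible in this view, so this is probably harmless today, but the argument form does not depend on that.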

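--- a/integrations/api_branch_test.go
+++ b/integrations/api_branch_test.go
@@ -17,7 +17,8 @@ func testAPIGetBranch(t *testing.T, branchName string, exists bool) {
 prepareTestEnv(t)
 
 session := loginUser(t, "user2")
-req := NewRequestf(t, "GET", "/api/v1/repos/user2/repo1/branches/%s", branchName)
+token := getTokenForLoggedInUser(t, session)
+req := NewRequestf(t, "GET", "/api/v1/repos/user2/repo1/branches/%s?token=%s", branchName, token)
 resp := session.MakeRequest(t, req, NoExpectedStatus)
 if !exists {
 assert.EqualValues(t, http.StatusNotFound, resp.Code)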

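--- a/integrations/api_comment_test.go
+++ b/integrations/api_comment_test.go
@@ -69,8 +69,9 @@ func TestAPICreateComment(t *testing.T) {
 repoOwner := models.AssertExistsAndLoadBean(t, &models.User{ID: repo.OwnerID}).(*models.User)
 
 session := loginUser(t, repoOwner.Name)
-urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/comments",
-repoOwner.Name, repo.Name, issue.Index)
+token := getTokenForLoggedInUser(t, session)
+urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/comments?token=%s",
+repoOwner.Name, repo.Name, issue.Index, token)
 req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
 "body": commentBody,
 })
@@ -93,8 +94,9 @@ func TestAPIEditComment(t *testing.T) {
 repoOwner := models.AssertExistsAndLoadBean(t, &models.User{ID: repo.OwnerID}).(*models.User)
 
 session := loginUser(t, repoOwner.Name)
-urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments/%d",
-repoOwner.Name, repo.Name, comment.ID)
+token := getTokenForLoggedInUser(t, session)
+urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments/%d?token=%s",
+repoOwner.Name, repo.Name, comment.ID, token)
 req := NewRequestWithValues(t, "PATCH", urlStr, map[string]string{
 "body": newCommentBody,
 })
@@ -117,8 +119,9 @@ func TestAPIDeleteComment(t *testing.T) {
 repoOwner := models.AssertExistsAndLoadBean(t, &models.User{ID: repo.OwnerID}).(*models.User)
 
 session := loginUser(t, repoOwner.Name)
-req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/issues/comments/%d",
-repoOwner.Name, repo.Name, comment.ID)
+token := getTokenForLoggedInUser(t, session)
+req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/issues/comments/%d?token=%s",
+repoOwner.Name, repo.Name, comment.ID, token)
 session.MakeRequest(t, req, http.StatusNoContent)
 
 models.AssertNotExistsBean(t, &models.Comment{ID: comment.ID})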
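Review bot: The POST, PATCH and DELETE requests in this file carry the token only as a `?token=` query parameter, and no test on this page delivers it any other way. If the API also accepts the token in a request header (the authentication code is not in this view), at least one write test should use that form so the enforcement is exercised on both carriers. Credentials in a query string are commonly recorded in access and proxy logs, so the header form is the one integrations should be steered towards. A short comment above the first use, such as `// token is passed in the query string for brevity; real clients should prefer the header form`, would make that explicit.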

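--- a/integrations/api_gpg_keys_test.go
+++ b/integrations/api_gpg_keys_test.go
@@ -20,16 +20,18 @@ type makeRequestFunc func(testing.TB, *http.Request, int) *httptest.ResponseReco
 func TestGPGKeys(t *testing.T) {
 prepareTestEnv(t)
 session := loginUser(t, "user2")
+token := getTokenForLoggedInUser(t, session)
 
 tt := []struct {
 name string
 makeRequest makeRequestFunc
+token string
 results []int
 }{
-{name: "NoLogin", makeRequest: MakeRequest,
+{name: "NoLogin", makeRequest: MakeRequest, token: "",
 results: []int{http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized},
 },
-{name: "LoggedAsUser2", makeRequest: session.MakeRequest,
+{name: "LoggedAsUser2", makeRequest: session.MakeRequest, token: token,
 results: []int{http.StatusOK, http.StatusOK, http.StatusNotFound, http.StatusNoContent, http.StatusInternalServerError, http.StatusInternalServerError, http.StatusCreated, http.StatusCreated}},
 }
 
@@ -38,29 +40,29 @@ func TestGPGKeys(t *testing.T) {
 //Basic test on result code
 t.Run(tc.name, func(t *testing.T) {
 t.Run("ViewOwnGPGKeys", func(t *testing.T) {
-testViewOwnGPGKeys(t, tc.makeRequest, tc.results[0])
+testViewOwnGPGKeys(t, tc.makeRequest, tc.token, tc.results[0])
 })
 t.Run("ViewGPGKeys", func(t *testing.T) {
-testViewGPGKeys(t, tc.makeRequest, tc.results[1])
+testViewGPGKeys(t, tc.makeRequest, tc.token, tc.results[1])
 })
 t.Run("GetGPGKey", func(t *testing.T) {
-testGetGPGKey(t, tc.makeRequest, tc.results[2])
+testGetGPGKey(t, tc.makeRequest, tc.token, tc.results[2])
 })
 t.Run("DeleteGPGKey", func(t *testing.T) {
-testDeleteGPGKey(t, tc.makeRequest, tc.results[3])
+testDeleteGPGKey(t, tc.makeRequest, tc.token, tc.results[3])
 })
 
 t.Run("CreateInvalidGPGKey", func(t *testing.T) {
-testCreateInvalidGPGKey(t, tc.makeRequest, tc.results[4])
+testCreateInvalidGPGKey(t, tc.makeRequest, tc.token, tc.results[4])
 })
 t.Run("CreateNoneRegistredEmailGPGKey", func(t *testing.T) {
-testCreateNoneRegistredEmailGPGKey(t, tc.makeRequest, tc.results[5])
+testCreateNoneRegistredEmailGPGKey(t, tc.makeRequest, tc.token, tc.results[5])
 })
 t.Run("CreateValidGPGKey", func(t *testing.T) {
-testCreateValidGPGKey(t, tc.makeRequest, tc.results[6])
+testCreateValidGPGKey(t, tc.makeRequest, tc.token, tc.results[6])
 })
 t.Run("CreateValidSecondaryEmailGPGKey", func(t *testing.T) {
-testCreateValidSecondaryEmailGPGKey(t, tc.makeRequest, tc.results[7])
+testCreateValidSecondaryEmailGPGKey(t, tc.makeRequest, tc.token, tc.results[7])
 })
 })
 }
@@ -70,7 +72,7 @@ func TestGPGKeys(t *testing.T) {
 
 var keys []*api.GPGKey
 
-req := NewRequest(t, "GET", "/api/v1/user/gpg_keys") //GET all keys
+req := NewRequest(t, "GET", "/api/v1/user/gpg_keys?token="+token) //GET all keys
 resp := session.MakeRequest(t, req, http.StatusOK)
 DecodeJSON(t, resp, &keys)
 
@@ -91,21 +93,21 @@ func TestGPGKeys(t *testing.T) {
 assert.EqualValues(t, false, primaryKey2.Emails[0].Verified)
 
 var key api.GPGKey
-req = NewRequest(t, "GET", "/api/v1/user/gpg_keys/"+strconv.FormatInt(primaryKey1.ID, 10)) //Primary key 1
+req = NewRequest(t, "GET", "/api/v1/user/gpg_keys/"+strconv.FormatInt(primaryKey1.ID, 10)+"?token="+token) //Primary key 1
 resp = session.MakeRequest(t, req, http.StatusOK)
 DecodeJSON(t, resp, &key)
 assert.EqualValues(t, "38EA3BCED732982C", key.KeyID)
 assert.EqualValues(t, 1, len(key.Emails))
 assert.EqualValues(t, "user2@example.com", key.Emails[0].Email)
 assert.EqualValues(t, true, key.Emails[0].Verified)
 
-req = NewRequest(t, "GET", "/api/v1/user/gpg_keys/"+strconv.FormatInt(subKey.ID, 10)) //Subkey of 38EA3BCED732982C
+req = NewRequest(t, "GET", "/api/v1/user/gpg_keys/"+strconv.FormatInt(subKey.ID, 10)+"?token="+token) //Subkey of 38EA3BCED732982C
 resp = session.MakeRequest(t, req, http.StatusOK)
 DecodeJSON(t, resp, &key)
 assert.EqualValues(t, "70D7C694D17D03AD", key.KeyID)
 assert.EqualValues(t, 0, len(key.Emails))
 
-req = NewRequest(t, "GET", "/api/v1/user/gpg_keys/"+strconv.FormatInt(primaryKey2.ID, 10)) //Primary key 2
+req = NewRequest(t, "GET", "/api/v1/user/gpg_keys/"+strconv.FormatInt(primaryKey2.ID, 10)+"?token="+token) //Primary key 2
 resp = session.MakeRequest(t, req, http.StatusOK)
 DecodeJSON(t, resp, &key)
 assert.EqualValues(t, "FABF39739FE1E927", key.KeyID)
@@ -119,63 +121,63 @@ func TestGPGKeys(t *testing.T) {
 t.Run("CheckCommits", func(t *testing.T) {
 t.Run("NotSigned", func(t *testing.T) {
 var branch api.Branch
-req := NewRequest(t, "GET", "/api/v1/repos/user2/repo16/branches/not-signed")
+req := NewRequest(t, "GET", "/api/v1/repos/user2/repo16/branches/not-signed?token="+token)
 resp := session.MakeRequest(t, req, http.StatusOK)
 DecodeJSON(t, resp, &branch)
 assert.EqualValues(t, false, branch.Commit.Verification.Verified)
 })
 
 t.Run("SignedWithNotValidatedEmail", func(t *testing.T) {
 var branch api.Branch
-req := NewRequest(t, "GET", "/api/v1/repos/user2/repo16/branches/good-sign-not-yet-validated")
+req := NewRequest(t, "GET", "/api/v1/repos/user2/repo16/branches/good-sign-not-yet-validated?token="+token)
 resp := session.MakeRequest(t, req, http.StatusOK)
 DecodeJSON(t, resp, &branch)
 assert.EqualValues(t, false, branch.Commit.Verification.Verified)
 })
 
 t.Run("SignedWithValidEmail", func(t *testing.T) {
 var branch api.Branch
-req := NewRequest(t, "GET", "/api/v1/repos/user2/repo16/branches/good-sign")
+req := NewRequest(t, "GET", "/api/v1/repos/user2/repo16/branches/good-sign?token="+token)
 resp := session.MakeRequest(t, req, http.StatusOK)
 DecodeJSON(t, resp, &branch)
 assert.EqualValues(t, true, branch.Commit.Verification.Verified)
 })
 })
 }
 
-func testViewOwnGPGKeys(t *testing.T, makeRequest makeRequestFunc, expected int) {
-req := NewRequest(t, "GET", "/api/v1/user/gpg_keys")
+func testViewOwnGPGKeys(t *testing.T, makeRequest makeRequestFunc, token string, expected int) {
+req := NewRequest(t, "GET", "/api/v1/user/gpg_keys?token="+token)
 makeRequest(t, req, expected)
 }
 
-func testViewGPGKeys(t *testing.T, makeRequest makeRequestFunc, expected int) {
-req := NewRequest(t, "GET", "/api/v1/users/user2/gpg_keys")
+func testViewGPGKeys(t *testing.T, makeRequest makeRequestFunc, token string, expected int) {
+req := NewRequest(t, "GET", "/api/v1/users/user2/gpg_keys?token="+token)
 makeRequest(t, req, expected)
 }
 
-func testGetGPGKey(t *testing.T, makeRequest makeRequestFunc, expected int) {
-req := NewRequest(t, "GET", "/api/v1/user/gpg_keys/1")
+func testGetGPGKey(t *testing.T, makeRequest makeRequestFunc, token string, expected int) {
+req := NewRequest(t, "GET", "/api/v1/user/gpg_keys/1?token="+token)
 makeRequest(t, req, expected)
 }
 
-func testDeleteGPGKey(t *testing.T, makeRequest makeRequestFunc, expected int) {
-req := NewRequest(t, "DELETE", "/api/v1/user/gpg_keys/1")
+func testDeleteGPGKey(t *testing.T, makeRequest makeRequestFunc, token string, expected int) {
+req := NewRequest(t, "DELETE", "/api/v1/user/gpg_keys/1?token="+token)
 makeRequest(t, req, expected)
 }
 
-func testCreateGPGKey(t *testing.T, makeRequest makeRequestFunc, expected int, publicKey string) {
-req := NewRequestWithJSON(t, "POST", "/api/v1/user/gpg_keys", api.CreateGPGKeyOption{
+func testCreateGPGKey(t *testing.T, makeRequest makeRequestFunc, token string, expected int, publicKey string) {
+req := NewRequestWithJSON(t, "POST", "/api/v1/user/gpg_keys?token="+token, api.CreateGPGKeyOption{
 ArmoredKey: publicKey,
 })
 makeRequest(t, req, expected)
 }
 
-func testCreateInvalidGPGKey(t *testing.T, makeRequest makeRequestFunc, expected int) {
-testCreateGPGKey(t, makeRequest, expected, "invalid_key")
+func testCreateInvalidGPGKey(t *testing.T, makeRequest makeRequestFunc, token string, expected int) {
+testCreateGPGKey(t, makeRequest, token, expected, "invalid_key")
 }
 
-func testCreateNoneRegistredEmailGPGKey(t *testing.T, makeRequest makeRequestFunc, expected int) {
-testCreateGPGKey(t, makeRequest, expected, `-----BEGIN PGP PUBLIC KEY BLOCK-----
+func testCreateNoneRegistredEmailGPGKey(t *testing.T, makeRequest makeRequestFunc, token string, expected int) {
+testCreateGPGKey(t, makeRequest, token, expected, `-----BEGIN PGP PUBLIC KEY BLOCK-----
 
 mQENBFmGUygBCACjCNbKvMGgp0fd5vyFW9olE1CLCSyyF9gQN2hSuzmZLuAZF2Kh
 dCMCG2T1UwzUB/yWUFWJ2BtCwSjuaRv+cGohqEy6bhEBV90peGA33lHfjx7wP25O
@@ -194,9 +196,9 @@ INx/MmBfmtCq05FqNclvU+sj2R3N1JJOtBOjZrJHQbJhzoILou8AkxeX1A+q9OAz
 -----END PGP PUBLIC KEY BLOCK-----`)
 }
 
-func testCreateValidGPGKey(t *testing.T, makeRequest makeRequestFunc, expected int) {
+func testCreateValidGPGKey(t *testing.T, makeRequest makeRequestFunc, token string, expected int) {
 //User2 <user2@example.com> //primary & activated
-testCreateGPGKey(t, makeRequest, expected, `-----BEGIN PGP PUBLIC KEY BLOCK-----
+testCreateGPGKey(t, makeRequest, token, expected, `-----BEGIN PGP PUBLIC KEY BLOCK-----
 
 mQENBFmGVsMBCACuxgZ7W7rI9xN08Y4M7B8yx/6/I4Slm94+wXf8YNRvAyqj30dW
 VJhyBcnfNRDLKSQp5o/hhfDkCgdqBjLa1PnHlGS3PXJc0hP/FyYPD2BFvNMPpCYS
@@ -228,9 +230,9 @@ uy6MA3VSB99SK9ducGmE1Jv8mcziREroz2TEGr0zPs6h
 -----END PGP PUBLIC KEY BLOCK-----`)
 }
 
-func testCreateValidSecondaryEmailGPGKey(t *testing.T, makeRequest makeRequestFunc, expected int) {
+func testCreateValidSecondaryEmailGPGKey(t *testing.T, makeRequest makeRequestFunc, token string, expected int) {
 //User2 <user21@example.com> //secondary and not activated
-testCreateGPGKey(t, makeRequest, expected, `-----BEGIN PGP PUBLIC KEY BLOCK-----
+testCreateGPGKey(t, makeRequest, token, expected, `-----BEGIN PGP PUBLIC KEY BLOCK-----
 
 mQENBFmGWN4BCAC18V4tVGO65VLCV7p14FuXJlUtZ5CuYMvgEkcOqrvRaBSW9ao4
 PGESOhJpfWpnW3QgJniYndLzPpsmdHEclEER6aZjiNgReWPOjHD5tykWocZAJqXD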
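Review bot: The TestGPGKeys table has no row for a logged-in session that sends no token: `NoLogin` uses the bare `MakeRequest` with `token: ""`, and `LoggedAsUser2` supplies both the session and the token. Going by the commit title, the behaviour being fixed is that API routes must not be usable on the session alone, so a third row such as `{name: "LoggedAsUser2NoToken", makeRequest: session.MakeRequest, token: "", results: ...}` would be the regression test for it. The expected status codes depend on the route middleware, which is not in this view, so they are left open here. The other test files on this page follow the same pattern of only adding the token to existing requests, so the gap is not specific to GPG keys.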

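--- a/integrations/api_issue_label_test.go
+++ b/integrations/api_issue_label_test.go
@@ -23,12 +23,13 @@ func TestAPIAddIssueLabels(t *testing.T) {
 label := models.AssertExistsAndLoadBean(t, &models.Label{RepoID: repo.ID}).(*models.Label)
 owner := models.AssertExistsAndLoadBean(t, &models.User{ID: repo.OwnerID}).(*models.User)
 
-urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/labels",
-owner.Name, repo.Name, issue.Index)
+session := loginUser(t, owner.Name)
+token := getTokenForLoggedInUser(t, session)
+urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/labels?token=%s",
+owner.Name, repo.Name, issue.Index, token)
 req := NewRequestWithJSON(t, "POST", urlStr, &api.IssueLabelsOption{
 Labels: []int64{label.ID},
 })
-session := loginUser(t, owner.Name)
 resp := session.MakeRequest(t, req, http.StatusOK)
 var apiLabels []*api.Label
 DecodeJSON(t, resp, &apiLabels)
@@ -45,12 +46,13 @@ func TestAPIReplaceIssueLabels(t *testing.T) {
 label := models.AssertExistsAndLoadBean(t, &models.Label{RepoID: repo.ID}).(*models.Label)
 owner := models.AssertExistsAndLoadBean(t, &models.User{ID: repo.OwnerID}).(*models.User)
 
-urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/labels",
-owner.Name, repo.Name, issue.Index)
+session := loginUser(t, owner.Name)
+token := getTokenForLoggedInUser(t, session)
+urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/labels?token=%s",
+owner.Name, repo.Name, issue.Index, token)
 req := NewRequestWithJSON(t, "PUT", urlStr, &api.IssueLabelsOption{
 Labels: []int64{label.ID},
 })
-session := loginUser(t, owner.Name)
 resp := session.MakeRequest(t, req, http.StatusOK)
 var apiLabels []*api.Label
 DecodeJSON(t, resp, &apiLabels)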

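--- a/integrations/api_issue_test.go
+++ b/integrations/api_issue_test.go
@@ -22,8 +22,9 @@ func TestAPIListIssues(t *testing.T) {
 owner := models.AssertExistsAndLoadBean(t, &models.User{ID: repo.OwnerID}).(*models.User)
 
 session := loginUser(t, owner.Name)
-req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues?state=all",
-owner.Name, repo.Name)
+token := getTokenForLoggedInUser(t, session)
+req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues?state=all&token=%s",
+owner.Name, repo.Name, token)
 resp := session.MakeRequest(t, req, http.StatusOK)
 var apiIssues []*api.Issue
 DecodeJSON(t, resp, &apiIssues)
@@ -41,8 +42,8 @@ func TestAPICreateIssue(t *testing.T) {
 owner := models.AssertExistsAndLoadBean(t, &models.User{ID: repo.OwnerID}).(*models.User)
 
 session := loginUser(t, owner.Name)
-
-urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues?state=all", owner.Name, repo.Name)
+token := getTokenForLoggedInUser(t, session)
+urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues?state=all&token=%s", owner.Name, repo.Name, token)
 req := NewRequestWithJSON(t, "POST", urlStr, &api.CreateIssueOption{
 Body: body,
 Title: title,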

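--- a/integrations/api_keys_test.go
+++ b/integrations/api_keys_test.go
@@ -46,8 +46,8 @@ func TestCreateReadOnlyDeployKey(t *testing.T) {
 repoOwner := models.AssertExistsAndLoadBean(t, &models.User{ID: repo.OwnerID}).(*models.User)
 
 session := loginUser(t, repoOwner.Name)
-
-keysURL := fmt.Sprintf("/api/v1/repos/%s/%s/keys", repoOwner.Name, repo.Name)
+token := getTokenForLoggedInUser(t, session)
+keysURL := fmt.Sprintf("/api/v1/repos/%s/%s/keys?token=%s", repoOwner.Name, repo.Name, token)
 rawKeyBody := api.CreateKeyOption{
 Title: "read-only",
 Key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAu7tvIvX6ZHrRXuZNfkR3XLHSsuCK9Zn3X58lxBcQzuo5xZgB6vRwwm/QtJuF+zZPtY5hsQILBLmF+BZ5WpKZp1jBeSjH2G7lxet9kbcH+kIVj0tPFEoyKI9wvWqIwC4prx/WVk2wLTJjzBAhyNxfEq7C9CeiX9pQEbEqJfkKCQ== nocomment\n",
@@ -72,8 +72,8 @@ func TestCreateReadWriteDeployKey(t *testing.T) {
 repoOwner := models.AssertExistsAndLoadBean(t, &models.User{ID: repo.OwnerID}).(*models.User)
 
 session := loginUser(t, repoOwner.Name)
-
-keysURL := fmt.Sprintf("/api/v1/repos/%s/%s/keys", repoOwner.Name, repo.Name)
+token := getTokenForLoggedInUser(t, session)
+keysURL := fmt.Sprintf("/api/v1/repos/%s/%s/keys?token=%s", repoOwner.Name, repo.Name, token)
 rawKeyBody := api.CreateKeyOption{
 Title: "read-write",
 Key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsufOCrDDlT8DLkodnnJtbq7uGflcPae7euTfM+Laq4So+v4WeSV362Rg0O/+Sje1UthrhN6lQkfRkdWIlCRQEXg+LMqr6RhvDfZquE2Xwqv/itlz7LjbdAUdYoO1iH7rMSmYvQh4WEnC/DAacKGbhdGIM/ZBz0z6tHm7bPgbI9ykEKekTmPwQFP1Qebvf5NYOFMWqQ2sCEAI9dBMVLoojsIpV+KADf+BotiIi8yNfTG2rzmzpxBpW9fYjd1Sy1yd4NSUpoPbEJJYJ1TrjiSWlYOVq9Ar8xW1O87i6gBjL/3zN7ANeoYhaAXupdOS6YL22YOK/yC0tJtXwwdh/eSrh",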
