authorMarkus Koller <markus-koller@gmx.ch>2017-02-06 16:39:35 +0100
committerAlexis Reigel <mail@koffeinfrei.org>2017-03-07 15:00:29 +0100
commit8699c8338f21404aa08c9a141768201ed02b2c93 (patch)
tree168b3277c3c23a49268ec11dc38ed284ee610825 /spec/models
parenteefbc837301acc49a33617063faafa97adee307e (diff)
downloadgitlab-ce-8699c8338f21404aa08c9a141768201ed02b2c93.tar.gz
Require explicit scopes on personal access tokens
Gitlab::Auth and API::APIGuard already check for at least one valid scope on personal access tokens, so if the scopes are empty the token will always fail validation.
Diffstat (limited to 'spec/models')
-rw-r--r--spec/models/personal_access_token_spec.rb14
1 files changed, 11 insertions, 3 deletions
diff --git a/spec/models/personal_access_token_spec.rb b/spec/models/personal_access_token_spec.rb
index 4cc9cf02e6d..50f61ec18fd 100644
--- a/spec/models/personal_access_token_spec.rb
+++ b/spec/models/personal_access_token_spec.rb
@@ -13,19 +13,27 @@ describe PersonalAccessToken, models: true do
end
end
- describe 'validate_scopes' do
+ context "validations" do
+ let(:personal_access_token) { build(:personal_access_token) }
+
+ it "requires at least one scope" do
+ personal_access_token.scopes = []
+
+ expect(personal_access_token).not_to be_valid
+ expect(personal_access_token.errors[:scopes].first).to eq "can't be blank"
+ end
+
it "allows creating a token with API scopes" do
- personal_access_token = build(:personal_access_token)
personal_access_token.scopes = [:api, :read_user]
expect(personal_access_token).to be_valid
end
it "rejects creating a token with non-API scopes" do
- personal_access_token = build(:personal_access_token)
personal_access_token.scopes = [:openid, :api]
expect(personal_access_token).not_to be_valid
+ expect(personal_access_token.errors[:scopes].first).to eq "can only contain API scopes"
end
end
end
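Review bot: The new "requires at least one scope" example only sets `personal_access_token.scopes = []`, so a token whose scopes attribute is `nil` is not pinned by this spec. Scopes are the authorization boundary for these tokens, so it is worth a second example that sets `personal_access_token.scopes = nil` and expects `not_to be_valid`; whether the model coerces `nil` to an empty array is not visible from this hunk. Both error assertions also read `errors[:scopes].first`, which ties the examples to validation order. A form such as `expect(personal_access_token.errors[:scopes]).to include "can't be blank"` would survive an added validator. The enclosing `describe PersonalAccessToken` block starts before the hunk, so the factory defaults that the shared `let` relies on are not shown here.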