feat: read, create, & delete repo-specific access tokens via API (#11504)

This PR is part of a series (#11311). Adds support for reading and creating repo-secific access tokens through the API via the `GET /users/{username}/tokens`, `POST /users/{username}/tokens`, and `DELETE /users/{username}/tokens/{id}` APIs. Validation rules are included to [restrict repo-specific access tokens to specific scopes](https://codeberg.org/forgejo/design/issues/50#issuecomment-11093951). ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests for Go changes (can be removed for JavaScript changes) - I added test coverage for Go changes... - [x] in their respective `*_test.go` for unit tests. - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I ran... - [x] `make pr-go` before pushing ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [x] I did not document these changes and I do not expect someone else to do it. ### Release notes - [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change. - [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.  ## Release notes  - Features - [PR](https://codeberg.org/forgejo/forgejo/pulls/11504): read, create, & delete repo-specific access tokens via API  Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11504 Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org> Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net> Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
2026-05-12 22:10:25 +00:00 · 2026-03-07 21:55:08 +01:00 · 2026-03-07 21:55:08 +01:00 · 2db6210f69
commit 2db6210f69
parent 48d2af5561
12 changed files with 615 additions and 27 deletions
--- a/modules/structs/repo.go
+++ b/modules/structs/repo.go
@ -436,3 +436,12 @@ type UpdateRepoAvatarOption struct {
 	// image must be base64 encoded
 	Image string `json:"image" binding:"Required"`
 }
+
+type RepoTargetOption struct {
+	// Name of user or organisation that owns the repository
+	// required: true
+	Owner string `json:"owner"`
+	// Name of repository
+	// required: true
+	Name string `json:"name"`
+}
--- a/modules/structs/user_app.go
+++ b/modules/structs/user_app.go
@ -16,6 +16,9 @@ type AccessToken struct {
 	Token          string   `json:"sha1"`
 	TokenLastEight string   `json:"token_last_eight"`
 	Scopes         []string `json:"scopes"`
+	// Indicates that an access token only has access to the specified repositories.  Will be null if the access token
+	// is not limited to a set of specified repositories.
+	Repositories []*RepositoryMeta `json:"repositories"`
 }

 // AccessTokenList represents a list of API access token.
@ -28,6 +31,8 @@ type CreateAccessTokenOption struct {
 	Name string `json:"name" binding:"Required"`
 	// example: ["all", "read:activitypub","read:issue", "write:misc", "read:notification", "read:organization", "read:package", "read:repository", "read:user"]
 	Scopes []string `json:"scopes"`
+	// If provided and not-empty, creates an access token with access only to specified repositories.
+	Repositories []*RepoTargetOption `json:"repositories"`
 }

 // CreateOAuth2ApplicationOptions holds options to create an oauth2 application