feat(ui): create repo-specific access tokens (#11696)

Adds a user interface for creating repo-specific access tokens (#11311). When the new option "Specific repositories" is selected, a search option appears. Each repository in the search result has an "Add" button to include it on the access token, and once included, a repository can be removed with the "Remove" button. This is a JS-free form. ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests for Go changes (can be removed for JavaScript changes) - I added test coverage for Go changes... - [x] in their respective `*_test.go` for unit tests. - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I ran... - [x] `make pr-go` before pushing ### Tests for JavaScript changes - I added test coverage for JavaScript changes... - [ ] in `web_src/js/*.test.js` if it can be unit tested. - [x] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/ README.md#end-to-end-tests)). - Technically there are no "JavaScript changes" in this PR, but e2e tests were added for browser interaction testing. ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - TODO: planning to create documentation in https://forgejo.org/docs/next/user/token-scope/; there is none for public only tokens but I think this seems like a good place to add both. - [ ] I did not document these changes and I do not expect someone else to do it. ### Release notes - [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change. - [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11696 Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org> Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net> Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
2026-05-12 22:10:25 +00:00 · 2026-03-23 15:29:08 +01:00 · 2026-03-23 15:29:08 +01:00 · 35b872f383
commit 35b872f383
parent bdbd0b5622
15 changed files with 799 additions and 96 deletions
--- a/tests/e2e/user-settings.test.e2e.ts
+++ b/tests/e2e/user-settings.test.e2e.ts
@ -141,8 +141,12 @@ test('User: Add access token', async ({browser}, workerInfo) => {

  const tokenName = globalThis.crypto.randomUUID();
  await page.locator('#name').fill(tokenName);
+  await page.getByRole('radio', {name: /^All /}).click();
  await page.locator('#scoped-access-submit').click();

+  await expect(page.locator('.ui.info.message.flash-info')).toBeVisible();
+  const flashText = await page.locator('.ui.info.message.flash-info').textContent();
+  expect(flashText?.trim()).toMatch(/^[0-9a-f]{40}$/);
  await page.getByText(tokenName).isVisible();
 });

@ -161,7 +165,75 @@ test('User: Add access token validation error', async ({browser}, workerInfo) =>
  await page.getByRole('button', {name: 'Generate token'}).click();

  await page.getByText('has been used as an application name already.').isVisible();
-  // validate that selected options (public-only, activitypub) are still selected.
+  // validate that selected options (public-only, activitypub) are still selected after the validation error.
  await expect(page.getByRole('radio', {name: 'Public only'})).toBeChecked();
  await expect(page.getByRole('combobox', {name: 'activitypub'})).toHaveValue('read:activitypub');
 });
+
+test('User: Add specific repo access token', async ({browser}, workerInfo) => {
+  const page = await login({browser}, workerInfo);
+  await page.goto('/user/settings/applications');
+  await page.getByRole('link', {name: 'New access token'}).click();
+
+  const tokenName = globalThis.crypto.randomUUID();
+  await page.getByRole('textbox', {name: /^Token name/}).fill(tokenName);
+  await page.getByRole('combobox', {name: 'repository'}).selectOption('read:repository');
+
+  // clicking specific repositories will display currently available repositories:
+  await expect(page.getByText('org17/big_test_private_4')).toBeHidden();
+  await page.getByRole('radio', {name: 'Specific repositories'}).click();
+  await expect(page.getByText('org17/big_test_private_4')).toBeVisible();
+  await expect(page.getByText('user2/commits_search_test')).toBeVisible(); // another repo, will be used to verify search worked
+
+  await page.getByPlaceholder('Search repos…').fill('big_test_private_4');
+  await page.getByRole('button', {name: 'Search…'}).click();
+
+  // verify search results visible:
+  await expect(page.getByText('org17/big_test_private_4')).toBeVisible();
+  await expect(page.getByText('user2/commits_search_test')).toBeHidden();
+
+  // after performing a search, verify that the token name, 'selected repositories', and selected permissions are maintained
+  await expect(page.getByRole('textbox', {name: /^Token name/})).toHaveValue(tokenName);
+  await expect(page.getByRole('radio', {name: 'Specific repositories'})).toBeChecked();
+  await expect(page.getByRole('combobox', {name: 'repository'})).toHaveValue('read:repository');
+
+  // Add the big_test_private_4 repo.
+  await page.getByRole('button', {name: 'Add org17/big_test_private_4'}).click();
+  await expect(page.getByText('Selected repository (1)')).toBeVisible();
+  await expect(page.getByText('org17/big_test_private_4')).toBeVisible();
+
+  // Remove it to test remove, and then re-add
+  await page.getByRole('button', {name: 'Remove org17/big_test_private_4'}).click();
+  await expect(page.getByText('Selected repositories (0)')).toBeVisible();
+  await expect(page.getByText('org17/big_test_private_4')).toBeVisible();
+  await page.getByRole('button', {name: 'Add org17/big_test_private_4'}).click();
+
+  // Create the token and check for success.
+  await page.getByRole('button', {name: 'Generate token'}).click();
+  await expect(page.locator('.ui.info.message.flash-info')).toBeVisible();
+  const flashText = await page.locator('.ui.info.message.flash-info').textContent();
+  expect(flashText?.trim()).toMatch(/^[0-9a-f]{40}$/);
+  await page.getByText(tokenName).isVisible();
+});
+
+// Test that validation errors on the repo-specific access token page retain all the entered field values when the
+// error is displayed.
+test('User: Add specific repo access token error', async ({browser}, workerInfo) => {
+  const page = await login({browser}, workerInfo);
+  await page.goto('/user/settings/applications');
+  await page.getByRole('link', {name: 'New access token'}).click();
+
+  await page.getByRole('textbox', {name: /^Token name/}).fill('Token A');
+  await page.getByRole('combobox', {name: 'repository'}).selectOption('read:repository');
+  await page.getByRole('radio', {name: 'Specific repositories'}).click();
+  await page.getByRole('button', {name: 'Add org17/big_test_private_4'}).click();
+
+  // Create the token, verify error, then check all the fields for retained values.
+  await page.getByRole('button', {name: 'Generate token'}).click();
+  await page.getByText('has been used as an application name already.').isVisible();
+
+  await expect(page.getByRole('textbox', {name: /^Token name/})).toHaveValue('Token A');
+  await expect(page.getByRole('radio', {name: 'Specific repositories'})).toBeChecked();
+  await expect(page.getByRole('combobox', {name: 'repository'})).toHaveValue('read:repository');
+  await expect(page.getByRole('button', {name: 'Remove org17/big_test_private_4'})).toBeVisible();
+});
--- a/tests/integration/integration_test.go
+++ b/tests/integration/integration_test.go
@ -491,8 +491,18 @@ func createApplicationSettingsToken(t testing.TB, session *TestSession, name str

 	urlValues := url.Values{}
 	urlValues.Add("name", name)
+	publicOnly := false
 	for _, scope := range scopes {
-		urlValues.Add("scope", string(scope))
+		if scope == auth.AccessTokenScopePublicOnly {
+			publicOnly = true
+		} else {
+			urlValues.Add("scope", string(scope))
+		}
+	}
+	if publicOnly {
+		urlValues.Add("resource", "public-only")
+	} else {
+		urlValues.Add("resource", "all")
 	}
 	req := NewRequestWithURLValues(t, "POST", "/user/settings/applications/tokens/new", urlValues)
 	resp := session.MakeRequest(t, req, http.StatusSeeOther)