feat(action): log token hash

qoomon · Jul 22, 2024 · fbc39b9 · fbc39b9
1 parent 7d65f1c
commit fbc39b9
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 14 deletions.
diff --git a/action/README.md b/action/README.md
@@ -186,6 +186,3 @@ build:
 
 ## Resources
 * App icon: https://img.icons8.com/cotton/256/000000/grand-master-key.png
-
-## TODO
-- add token hash to output in main and post action
diff --git a/action/dist/main/index.js b/action/dist/main/index.js
@@ -61153,13 +61153,14 @@ runAction(async () => {
     if (input.repository) {
         input.repositories.unshift(input.repository);
     }
-    core.info('Get access token.');
+    core.info('Get access token...');
     const accessToken = await getAccessToken({
         scope: input.scope,
         permissions: input.permissions,
         repositories: input.repositories,
         owner: input.owner,
     });
+    core.info('Access token hash: ' + accessToken.token_hash);
     core.setSecret(accessToken.token);
     core.setOutput('token', accessToken.token);
     // save token to state to be able to revoke it in post-action

diff --git a/action/src/action-main.ts b/action/src/action-main.ts
@@ -27,13 +27,14 @@ runAction(async () => {
     input.repositories.unshift(input.repository);
   }
 
-  core.info('Get access token.');
+  core.info('Get access token...');
   const accessToken = await getAccessToken({
     scope: input.scope,
     permissions: input.permissions,
     repositories: input.repositories,
     owner: input.owner,
   });
+  core.info('Access token hash: ' + accessToken.token_hash);
 
   core.setSecret(accessToken.token);
   core.setOutput('token', accessToken.token);
@@ -133,10 +134,11 @@ async function httpRequest(request: HttpRequest, options?: {
 
 interface GitHubAccessTokenResponse {
   token: string
+  token_hash: string
   expires_at: string
-  owner: string
-  repositories: string[]
   permissions: GitHubAppPermissions
+  repositories: string[]
+  owner: string
 }
 
 type GitHubAppPermissions = Record<string, string>

diff --git a/server/src/app.ts b/server/src/app.ts
@@ -9,9 +9,12 @@ import process from 'process';
 import {hasEntries, toBase64} from './common/common-utils.js';
 import {buildJwksKeyFetcher} from './common/jwt-utils.js';
 import {
-  GitHubActionsJwtPayload, GitHubAppPermissions,
-  GitHubAppPermissionsSchema, GitHubAppRepositoryPermissions,
-  GitHubRepositoryOwnerSchema, GitHubRepositoryNameSchema,
+  GitHubActionsJwtPayload,
+  GitHubAppPermissions,
+  GitHubAppPermissionsSchema,
+  GitHubAppRepositoryPermissions,
+  GitHubRepositoryNameSchema,
+  GitHubRepositoryOwnerSchema,
   normalizePermissionScopes,
   parseRepository,
   verifyRepositoryPermissions,
@@ -97,8 +100,8 @@ app.post(
             const invalidRepositoryPermissionScopes = verifyRepositoryPermissions(it.permissions).invalid;
             if (hasEntries(invalidRepositoryPermissionScopes)) {
               throw new HTTPException(Status.BAD_REQUEST, {
-                message: `Invalid permissions scopes for token scope 'repos'.\n${
-                  Object.keys(invalidRepositoryPermissionScopes).map((scope) => `- ${scope}`).join('\n')}`,
+                message: `Invalid permissions scopes for token scope 'repos'.\n` +
+                    Object.keys(invalidRepositoryPermissionScopes).map((scope) => `- ${scope}`).join('\n'),
               });
             }
 
@@ -123,17 +126,17 @@ app.post(
       // --- response with requested access token --------------------------------------------------------------------
       const tokenResponseBody = {
         token: githubActionsAccessToken.token,
+        token_hash: await sha256(githubActionsAccessToken.token).then(toBase64),
         expires_at: githubActionsAccessToken.expires_at,
         permissions: githubActionsAccessToken.permissions ?
-        normalizePermissionScopes(githubActionsAccessToken.permissions) : undefined,
+            normalizePermissionScopes(githubActionsAccessToken.permissions) : undefined,
         repositories: githubActionsAccessToken.repositories?.map((it) => it.name),
         owner: githubActionsAccessToken.owner,
       };
 
       requestLog.info({
         ...tokenResponseBody,
         token: undefined,
-        token_hash: await sha256(githubActionsAccessToken.token).then(toBase64),
       }, 'Access Token');
 
       return context.json(tokenResponseBody);