Fix tokens primary index and ensure name is unique

- Remove the user_id from the primary index. - Create a unique index for user_id + token name.
mantisbt · Dec 3, 2015 · 899c1c6 · 899c1c6
1 parent 19b5584
commit 899c1c6
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 1 deletion.
diff --git a/admin/schema.php b/admin/schema.php
@@ -755,11 +755,14 @@ function installer_db_now() {
 $g_upgrade[200] = array(
 		'CreateTableSQL',array( db_get_table( 'api_token' ), '
 			  id           I UNSIGNED NOTNULL PRIMARY AUTOINCREMENT,
-			  user_id      I DEFAULT \'0\' PRIMARY,
+			  user_id      I DEFAULT \'0\',
 			  name         C(128) NOTNULL,
 			  hash         C(128) NOTNULL,
 			  date_created I UNSIGNED NOTNULL DEFAULT \'0\',
 			  date_used    I UNSIGNED NOTNULL DEFAULT \'0\''
 		) );
+$g_upgrade[201] = array( 'CreateIndexSQL',
+			array( 'idx_user_id_name', db_get_table( 'api_token' ), 'user_id, name', array( 'UNIQUE' ) )
+		);
 
 # Release marker: 1.3.0
diff --git a/core/api_token_api.php b/core/api_token_api.php
@@ -50,6 +50,8 @@ function api_token_create( $p_token_name, $p_user_id ) {
 		trigger_error( ERROR_FIELD_TOO_LONG, ERROR );
 	}
 
+	api_token_name_ensure_unique( $t_token_name, $p_user_id );
+
 	$t_plain_token = crypto_generate_uri_safe_nonce( API_TOKEN_LENGTH );
 	$t_hash = api_token_hash( $t_plain_token );
 	$t_date_created = db_now();
@@ -72,6 +74,25 @@ function api_token_hash( $p_token ) {
 	return hash( 'sha256', $p_token );
 }
 
+/**
+ * Ensure that the specified token name is unique to the user, otherwise,
+ * prompt the user with an error.
+ *
+ * @param string $p_token_name The token name.
+ * @param string $p_user_id The user id.
+ */
+function api_token_name_ensure_unique( $p_token_name, $p_user_id ) {
+	$t_query = 'SELECT * FROM {api_token} WHERE user_id=' . db_param() . ' AND name=' . db_param();
+	$t_result = db_query( $t_query, array( $p_user_id, $p_token_name ) );
+
+	$t_row = db_fetch_array( $t_result );
+
+	if ( $t_row ) {
+		error_parameters( $p_token_name );
+		trigger_error( ERROR_API_TOKEN_NAME_NOT_UNIQUE, ERROR );
+	}
+}
+
 /**
  * Validate a plain token for the specified user.
  * @param string $p_username The user name.

diff --git a/core/constant_inc.php b/core/constant_inc.php
@@ -418,6 +418,9 @@
 define( 'ERROR_CRYPTO_MASTER_SALT_INVALID', 2900 );
 define( 'ERROR_CRYPTO_CAN_NOT_GENERATE_STRONG_RANDOMNESS', 2901 );
 
+# ERROR_API_TOKEN_*
+define( 'ERROR_API_TOKEN_NAME_NOT_UNIQUE', 3000 );
+
 # Generic position constants
 define( 'POSITION_NONE', 0 );
 define( 'POSITION_TOP', 1 );

diff --git a/lang/strings_english.txt b/lang/strings_english.txt
@@ -1736,4 +1736,5 @@ $MANTIS_ERROR[ERROR_TYPE_MISMATCH] = 'Data Type mismatch. Enable detailed error
 $MANTIS_ERROR[ERROR_BUG_CONFLICTING_EDIT] = 'This issue has been updated by another user, please return to the issue and submit your changes again.';
 $MANTIS_ERROR[ERROR_SPAM_SUSPECTED] = 'You have reached the allowed activity limit of %d events within the last %d seconds; your action has been blocked to avoid spam, please try again later.';
 $MANTIS_ERROR[ERROR_FIELD_TOO_LONG] = 'Field "%1$s" must be shorter or equal to %2$d characters long.';
+$MANTIS_ERROR[ERROR_API_TOKEN_NAME_NOT_UNIQUE] = 'API token name "%s" is already being used. Please go back and select another one.';