Merge pull request from GHSA-8j3f-mhq8-gmh4

* fix(auth): check pat origin

* handle ghe and github

* chore: run make clean; update test names

* chore: reorder imports

Co-authored-by: David May <david.may@target.com>

source/github/authentication.go

@@ -9,10 +9,12 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"net/url"
+	"strings"
 
 	"github.com/go-vela/server/random"
-
 	"github.com/go-vela/types/library"
+	"github.com/google/go-github/v33/github"
 
 	"github.com/sirupsen/logrus"
 )
@@ -110,6 +112,47 @@ func (c *client) AuthenticateToken(r *http.Request) (*library.User, error) {
 		return nil, errors.New("no token provided")
 	}
 
+	// create http client to connect to GitHub API
+	transport := github.BasicAuthTransport{Username: c.config.ClientID, Password: c.config.ClientSecret}
+	// create client to connect to GitHub API
+	client := github.NewClient(transport.Client())
+	// check if github url was set
+	if c.config.Address != "" && c.config.Address != "https://github.com" {
+		// check if address has trailing slash
+		if !strings.HasSuffix(c.config.Address, "/") {
+			// add trailing slash
+			c.config.Address = c.config.Address + "/api/v3/"
+		}
+		// parse the provided url into url type
+		enterpriseURL, err := url.Parse(c.config.Address)
+		if err != nil {
+			return nil, err
+		}
+		// set the base and upload url
+		client.BaseURL = enterpriseURL
+		client.UploadURL = enterpriseURL
+	}
+	// check if the provided token was created by Vela
+	_, resp, err := client.Authorizations.Check(context.Background(), c.config.ClientID, token)
+	// check if the error is of type ErrorResponse
+	if gerr, ok := err.(*github.ErrorResponse); ok {
+		// check the status code
+		switch gerr.Response.StatusCode {
+		// 404 is expected when non vela token is used
+		case http.StatusNotFound:
+			break
+		default:
+			return nil, err
+		}
+	} else if err != nil {
+		return nil, err
+	}
+
+	// return error if the token was created by Vela
+	if resp.StatusCode != http.StatusNotFound {
+		return nil, errors.New("token must not be created by vela")
+	}
+
 	u, err := c.Authorize(token)
 	if err != nil {
 		return nil, err

source/github/authentication_test.go

@@ -307,7 +307,7 @@ func TestGithub_Login(t *testing.T) {
 	}
 }
 
-func TestGithub_Authenticate_Token(t *testing.T) {
+func TestGithub_AuthenticateToken(t *testing.T) {
 	// setup context
 	gin.SetMode(gin.TestMode)
 
@@ -348,7 +348,7 @@ func TestGithub_Authenticate_Token(t *testing.T) {
 	}
 }
 
-func TestGithub_Authenticate_Invalid_Token(t *testing.T) {
+func TestGithub_AuthenticateToken_Invalid(t *testing.T) {
 	// setup context
 	gin.SetMode(gin.TestMode)
 
@@ -384,6 +384,42 @@ func TestGithub_Authenticate_Invalid_Token(t *testing.T) {
 	}
 }
 
+func TestGithub_AuthenticateToken_Vela_OAuth(t *testing.T) {
+	// setup context
+	gin.SetMode(gin.TestMode)
+
+	resp := httptest.NewRecorder()
+	context, engine := gin.CreateTestContext(resp)
+	context.Request, _ = http.NewRequest(http.MethodPost, "/authenticate/token", nil)
+	context.Request.Header.Set("Token", "vela")
+
+	engine.GET("/api/v3/user", func(c *gin.Context) {
+		c.Header("Content-Type", "application/json")
+		c.Status(http.StatusOK)
+		c.File("testdata/user.json")
+	})
+
+	engine.POST("/api/v3/applications/foo/token", func(c *gin.Context) {
+		c.Header("Content-Type", "application/json")
+		c.Status(http.StatusOK)
+	})
+
+	s := httptest.NewServer(engine)
+	defer s.Close()
+
+	client, _ := NewTest(s.URL)
+
+	// run test
+	_, err := client.AuthenticateToken(context.Request)
+	if resp.Code != http.StatusOK {
+		t.Errorf("AuthenticateToken returned %v, want %v", resp.Code, http.StatusOK)
+	}
+
+	if err == nil {
+		t.Error("AuthenticateToken should have returned err")
+	}
+}
+
 func TestGithub_LoginWCreds(t *testing.T) {
 	// setup context
 	gin.SetMode(gin.TestMode)