From fbc39b9b368463a91ac1f1fa31ee3df165b0eb81 Mon Sep 17 00:00:00 2001
From: Bengt Brodersen
Date: Mon, 22 Jul 2024 10:34:21 +0200
Subject: [PATCH] feat(action): log token hash

---
 action/README.md | 3 ---
 action/dist/main/index.js | 3 ++-
 action/src/action-main.ts | 8 +++++---
 server/src/app.ts | 17 ++++++++++-------
 4 files changed, 17 insertions(+), 14 deletions(-)

diff --git a/action/README.md b/action/README.md
index 30cef69..aa79026 100644
--- a/action/README.md
+++ b/action/README.md
@@ -186,6 +186,3 @@ build:
 ## Resources
 * App icon: https://img.icons8.com/cotton/256/000000/grand-master-key.png
-
-## TODO
-- add token hash to output in main and post action
diff --git a/action/dist/main/index.js b/action/dist/main/index.js
index 7fe71ed..89d03e1 100644
--- a/action/dist/main/index.js
+++ b/action/dist/main/index.js
@@ -61153,13 +61153,14 @@ runAction(async () => {
 if (input.repository) {
 input.repositories.unshift(input.repository);
 }
- core.info('Get access token.');
+ core.info('Get access token...');
 const accessToken = await getAccessToken({
 scope: input.scope,
 permissions: input.permissions,
 repositories: input.repositories,
 owner: input.owner,
 });
+ core.info('Access token hash: ' + accessToken.token_hash);
 core.setSecret(accessToken.token);
 core.setOutput('token', accessToken.token);
 // save token to state to be able to revoke it in post-action
diff --git a/action/src/action-main.ts b/action/src/action-main.ts
index 278bdf7..18c5b53 100644
--- a/action/src/action-main.ts
+++ b/action/src/action-main.ts
@@ -27,13 +27,14 @@ runAction(async () => {
 input.repositories.unshift(input.repository);
 }
- core.info('Get access token.');
+ core.info('Get access token...');
 const accessToken = await getAccessToken({
 scope: input.scope,
 permissions: input.permissions,
 repositories: input.repositories,
 owner: input.owner,
 });
+ core.info('Access token hash: ' + accessToken.token_hash);
 core.setSecret(accessToken.token);
 core.setOutput('token', accessToken.token);
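Review bot: The new `core.info('Access token hash: ' + accessToken.token_hash);` line only logs the hash, while the README hunk in this same patch removes the TODO that asked for the hash in the output of both the main and the post action; the diffstat shows no post-action file touched, so the TODO appears only partly addressed. If the hash is meant to let a job log be matched against the server's request log, exposing it to later steps with `core.setOutput('token_hash', accessToken.token_hash);` next to the existing `core.setOutput('token', ...)` would complete that, and a one-line comment such as `// hash only, never the token: safe to print and lets this run be correlated with server-side logs` would record why it is logged. Against a server that does not yet return `token_hash` the line prints `undefined`, so a guard like `if (accessToken.token_hash) core.info(...)` may be worth it if older deployments exist. The enclosing `runAction(async () => {` callback starts before and ends after this hunk.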
@@ -133,10 +134,11 @@ async function httpRequest(request: HttpRequest, options?: {
 interface GitHubAccessTokenResponse {
 token: string
+ token_hash: string
 expires_at: string
- owner: string
- repositories: string[]
 permissions: GitHubAppPermissions
+ repositories: string[]
+ owner: string
 }
 type GitHubAppPermissions = Record
diff --git a/server/src/app.ts b/server/src/app.ts
index 9b08478..a2b97d2 100644
--- a/server/src/app.ts
+++ b/server/src/app.ts
@@ -9,9 +9,12 @@ import process from 'process';
 import {hasEntries, toBase64} from './common/common-utils.js';
 import {buildJwksKeyFetcher} from './common/jwt-utils.js';
 import {
- GitHubActionsJwtPayload, GitHubAppPermissions,
- GitHubAppPermissionsSchema, GitHubAppRepositoryPermissions,
- GitHubRepositoryOwnerSchema, GitHubRepositoryNameSchema,
+ GitHubActionsJwtPayload,
+ GitHubAppPermissions,
+ GitHubAppPermissionsSchema,
+ GitHubAppRepositoryPermissions,
+ GitHubRepositoryNameSchema,
+ GitHubRepositoryOwnerSchema,
 normalizePermissionScopes,
 parseRepository,
 verifyRepositoryPermissions,
@@ -97,8 +100,8 @@ app.post(
 const invalidRepositoryPermissionScopes = verifyRepositoryPermissions(it.permissions).invalid;
 if (hasEntries(invalidRepositoryPermissionScopes)) {
 throw new HTTPException(Status.BAD_REQUEST, {
- message: `Invalid permissions scopes for token scope 'repos'.\n${
- Object.keys(invalidRepositoryPermissionScopes).map((scope) => `- ${scope}`).join('\n')}`,
+ message: `Invalid permissions scopes for token scope 'repos'.\n` +
+ Object.keys(invalidRepositoryPermissionScopes).map((scope) => `- ${scope}`).join('\n'),
 });
 }
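Review bot: `token_hash: string` is added to `GitHubAccessTokenResponse` as a required property, but nothing in this hunk validates the server response against the interface, so the field is a compile-time claim only; a server build that predates this change leaves it `undefined` at runtime and the caller's log line would print that. Declaring it `token_hash?: string` until a runtime check exists, or documenting the contract on the field, would make this explicit — e.g. `/** Base64 SHA-256 of `token`, computed by the server; contains no secret material and may be logged. */`, which matches how the server hunk in this patch computes it (`sha256(...).then(toBase64)`). The reordering of `repositories`/`owner` is cosmetic and needs no comment. The `httpRequest` declaration named in the hunk header lies outside the visible lines.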
@@ -123,9 +126,10 @@ app.post(
 // --- response with requested access token --------------------------------------------------------------------
 const tokenResponseBody = {
 token: githubActionsAccessToken.token,
+ token_hash: await sha256(githubActionsAccessToken.token).then(toBase64),
 expires_at: githubActionsAccessToken.expires_at,
 permissions: githubActionsAccessToken.permissions ?
- normalizePermissionScopes(githubActionsAccessToken.permissions) : undefined,
+ normalizePermissionScopes(githubActionsAccessToken.permissions) : undefined,
 repositories: githubActionsAccessToken.repositories?.map((it) => it.name),
 owner: githubActionsAccessToken.owner,
 };
@@ -133,7 +137,6 @@ app.post(
 requestLog.info({
 ...tokenResponseBody,
 token: undefined,
- token_hash: await sha256(githubActionsAccessToken.token).then(toBase64),
 }, 'Access Token');
 return context.json(tokenResponseBody);
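Review bot: The new `token_hash` line mixes `await` with a `.then` chain in one expression; the equivalent `token_hash: toBase64(await sha256(githubActionsAccessToken.token)),` reads more directly and is the form a reviewer would expect next to the other plain `await`s in this handler. Because the hash now lives in `tokenResponseBody`, the following hunk's deletion of the explicit `token_hash` entry in `requestLog.info` still keeps the hash in the log through the spread while `token: undefined` keeps the secret out, which presumably is the point of the field; a comment on the new line, e.g. `// hash of the issued token: returned to the caller and logged so both sides can match this request without the token itself`, would record that so a later cleanup does not drop it from the log. The `app.post(` handler opens and closes outside this hunk.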