Add isAuthToken function, with tests

Author: mbg

lib/analyze-action-post.js

@@ -4,7 +4,12 @@ import * as path from "path";
 
 import test from "ava";
 
-import { scanArtifactsForTokens, TokenType } from "./artifact-scanner";
+import {
+  GITHUB_PAT_CLASSIC_PATTERN,
+  isAuthToken,
+  scanArtifactsForTokens,
+  TokenType,
+} from "./artifact-scanner";
 import { getRunnerLogger } from "./logging";
 import {
   checkExpectedLogMessages,
@@ -23,6 +28,36 @@ test("makeTestToken", (t) => {
   t.is(makeTestToken(255).length, 255);
 });
 
+test("isAuthToken", (t) => {
+  // Undefined for strings that aren't tokens
+  t.is(isAuthToken("some string"), undefined);
+  t.is(isAuthToken("ghp_"), undefined);
+  t.is(isAuthToken("ghp_123"), undefined);
+
+  // Token types for strings that are tokens.
+  t.is(isAuthToken(`ghp_${makeTestToken()}`), TokenType.PersonalAccessClassic);
+  t.is(
+    isAuthToken(`ghs_${makeTestToken(255)}`),
+    TokenType.AppInstallationAccess,
+  );
+  t.is(
+    isAuthToken(`github_pat_${makeTestToken(22)}_${makeTestToken(59)}`),
+    TokenType.PersonalAccessFineGrained,
+  );
+
+  // With a custom pattern set
+  t.is(
+    isAuthToken(`ghp_${makeTestToken()}`, [GITHUB_PAT_CLASSIC_PATTERN]),
+    TokenType.PersonalAccessClassic,
+  );
+  t.is(
+    isAuthToken(`github_pat_${makeTestToken(22)}_${makeTestToken(59)}`, [
+      GITHUB_PAT_CLASSIC_PATTERN,
+    ]),
+    undefined,
+  );
+});
+
 const testTokens = [
   {
     type: TokenType.PersonalAccessClassic,

lib/init-action-post.js

@@ -26,19 +26,25 @@ export interface TokenPattern {
   pattern: RegExp;
 }
 
+/** The pattern for PATs (Classic) */
+export const GITHUB_PAT_CLASSIC_PATTERN: TokenPattern = {
+  type: TokenType.PersonalAccessClassic,
+  pattern: /\bghp_[a-zA-Z0-9]{36}\b/g,
+};
+
+/** The pattern for PATs (Fine-grained) */
+export const GITHUB_PAT_FINE_GRAINED_PATTERN: TokenPattern = {
+  type: TokenType.PersonalAccessFineGrained,
+  pattern: /\bgithub_pat_[a-zA-Z0-9_]+\b/g,
+};
+
 /**
  * GitHub token patterns to scan for.
  * These patterns match various GitHub token formats.
  */
 const GITHUB_TOKEN_PATTERNS: TokenPattern[] = [
-  {
-    type: TokenType.PersonalAccessClassic,
-    pattern: /\bghp_[a-zA-Z0-9]{36}\b/g,
-  },
-  {
-    type: TokenType.PersonalAccessFineGrained,
-    pattern: /\bgithub_pat_[a-zA-Z0-9_]+\b/g,
-  },
+  GITHUB_PAT_CLASSIC_PATTERN,
+  GITHUB_PAT_FINE_GRAINED_PATTERN,
   {
     type: TokenType.OAuth,
     pattern: /\bgho_[a-zA-Z0-9]{36}\b/g,
@@ -71,6 +77,24 @@ interface ScanResult {
   findings: TokenFinding[];
 }
 
+/**
+ * Checks whether `value` matches any token `patterns`.
+ * @param value The value to match against.
+ * @param patterns The patterns to check.
+ * @returns The type of the first matching pattern, or `undefined` if none match.
+ */
+export function isAuthToken(
+  value: string,
+  patterns: TokenPattern[] = GITHUB_TOKEN_PATTERNS,
+) {
+  for (const { type, pattern } of patterns) {
+    if (pattern.test(value)) {
+      return type;
+    }
+  }
+  return undefined;
+}
+
 /**
  * Scans a file for GitHub tokens.
  *