github/secret_scanning: Consider revoked tokens as true positive

Author: Turbo87

src/controllers/github/secret_scanning.rs

@@ -155,22 +155,32 @@ fn alert_revoke_token(
 
     let hashed_token = SecureToken::hash(&alert.token);
 
-    // not using ApiToken::find_by_api_token in order to preserve last_used_at
-    // the token field has a uniqueness constraint so get_result() should be safe to use
-    let token = diesel::update(api_tokens::table)
+    // Not using `ApiToken::find_by_api_token()` in order to preserve `last_used_at`
+    let token = api_tokens::table
         .filter(api_tokens::token.eq(hashed_token))
-        .filter(api_tokens::revoked.eq(false))
-        .set(api_tokens::revoked.eq(true))
         .get_result::<ApiToken>(&*conn)
         .optional()?;
 
     let Some(token) = token else {
+        debug!("Unknown API token received (false positive)");
         return Ok(GitHubSecretAlertFeedbackLabel::FalsePositive);
     };
 
+    if token.revoked {
+        debug!(
+            token_id = %token.id, user_id = %token.user_id,
+            "Already revoked API token received (true positive)",
+        );
+        return Ok(GitHubSecretAlertFeedbackLabel::TruePositive);
+    }
+
+    diesel::update(&token)
+        .set(api_tokens::revoked.eq(true))
+        .execute(&*conn)?;
+
     warn!(
         token_id = %token.id, user_id = %token.user_id,
-        "Revoked API token",
+        "Active API token received and revoked (true positive)",
     );
 
     if let Err(error) = send_notification_email(&token, alert, req) {

src/tests/github_secret_scanning.rs

@@ -109,14 +109,14 @@ fn github_secret_alert_for_revoked_token() {
     let response = anon.run::<Vec<GitHubSecretAlertFeedback>>(request);
     assert_eq!(response.status(), StatusCode::OK);
 
-    // Ensure feedback is a false positive
+    // Ensure feedback is a true positive
     let feedback = response.good();
     assert_eq!(feedback.len(), 1);
     assert_eq!(feedback[0].token_raw, "some_token");
     assert_eq!(feedback[0].token_type, "some_type");
     assert_eq!(
         feedback[0].label,
-        GitHubSecretAlertFeedbackLabel::FalsePositive
+        GitHubSecretAlertFeedbackLabel::TruePositive
     );
 
     // Ensure that the token is still revoked