chore: add integration test

Demonstrate that the it's not possible to migrate or add a push mirror
from a URL that contains credentials.

tests/integration/mirror_push_test.go

@@ -30,6 +30,7 @@ import (
 	"forgejo.org/modules/setting"
 	api "forgejo.org/modules/structs"
 	"forgejo.org/modules/test"
+	"forgejo.org/modules/translation"
 	gitea_context "forgejo.org/services/context"
 	doctor "forgejo.org/services/doctor"
 	"forgejo.org/services/migrations"
@@ -42,6 +43,46 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+func TestPushMirrorRedactCredential(t *testing.T) {
+	defer test.MockVariableValue(&setting.Mirror.Enabled, true)()
+	defer tests.PrepareTestEnv(t)()
+
+	session := loginUser(t, "user2")
+	cloneAddr := "https://:TOKEN@example.com/example/example.git"
+
+	t.Run("Web route", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		resp := session.MakeRequest(t, NewRequestWithValues(t, "POST", "/user2/repo1/settings", map[string]string{
+			"_csrf":                GetCSRF(t, session, "/user2/repo1/settings"),
+			"action":               "push-mirror-add",
+			"push_mirror_address":  cloneAddr,
+			"push_mirror_interval": "0",
+		}), http.StatusOK)
+
+		htmlDoc := NewHTMLParser(t, resp.Body)
+		assert.Contains(t,
+			htmlDoc.doc.Find(".ui.negative.message").Text(),
+			translation.NewLocale("en-US").Tr("migrate.form.error.url_credentials"),
+		)
+	})
+
+	t.Run("API route", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
+		resp := MakeRequest(t, NewRequestWithJSON(t, "POST", "/api/v1/repos/user2/repo1/push_mirrors", &api.CreatePushMirrorOption{
+			RemoteAddress: cloneAddr,
+			Interval:      "0",
+		}).AddTokenAuth(token), http.StatusBadRequest)
+
+		var respBody map[string]any
+		DecodeJSON(t, resp, &respBody)
+
+		assert.Equal(t, "The URL contains credentials", respBody["message"])
+	})
+}
+
 func TestMirrorPush(t *testing.T) {
 	onGiteaRun(t, testMirrorPush)
 }

tests/integration/repo_migrate_test.go

@@ -1,4 +1,5 @@
 // Copyright 2017 The Gitea Authors. All rights reserved.
+// Copyright 2025 The Forgejo Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 
 package integration
@@ -9,7 +10,9 @@ import (
 	"net/http/httptest"
 	"testing"
 
+	auth_model "forgejo.org/models/auth"
 	"forgejo.org/modules/structs"
+	"forgejo.org/modules/translation"
 	"forgejo.org/tests"
 
 	"github.com/stretchr/testify/assert"
@@ -55,3 +58,44 @@ func TestRepoMigrate(t *testing.T) {
 		})
 	}
 }
+
+func TestRepoMigrateCredentials(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	session := loginUser(t, "user2")
+	cloneAddr := "https://:TOKEN@example.com/example/example.git"
+
+	t.Run("Web route", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		resp := session.MakeRequest(t, NewRequestWithValues(t, "POST", "/repo/migrate?service_type=1", map[string]string{
+			"_csrf":      GetCSRF(t, session, "/repo/migrate?service_type=1"),
+			"clone_addr": cloneAddr,
+			"uid":        "2",
+			"repo_name":  "example",
+			"service":    "1",
+		}), http.StatusOK)
+
+		htmlDoc := NewHTMLParser(t, resp.Body)
+		assert.Contains(t,
+			htmlDoc.doc.Find(".ui.negative.message").Text(),
+			translation.NewLocale("en-US").Tr("migrate.form.error.url_credentials"),
+		)
+	})
+
+	t.Run("API route", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
+		resp := MakeRequest(t, NewRequestWithJSON(t, "POST", "/api/v1/repos/migrate", &structs.MigrateRepoOptions{
+			CloneAddr:   cloneAddr,
+			RepoOwnerID: 2,
+			RepoName:    "example",
+		}).AddTokenAuth(token), http.StatusUnprocessableEntity)
+
+		var respBody map[string]any
+		DecodeJSON(t, resp, &respBody)
+
+		assert.Equal(t, "The URL contains credentials.", respBody["message"])
+	})
+}