Make the exposing of the Application secret more explicitPNSalocin/gitlab-ce-24035-api-create-application

To make it more clear to developers that the entity exposes the
application secret, define a separate entity that only should be used
when the secret is needed (probably only on creation).

2 files changed, 7 insertions, 3 deletions

diff --git a/lib/api/applications.rb b/lib/api/applications.rb
index 142ba73a53d..b122cdefe4e 100644
--- a/lib/api/applications.rb
+++ b/lib/api/applications.rb
@@ -6,7 +6,7 @@ module API
     resource :applications do
       desc 'Create a new application' do
         detail 'This feature was introduced in GitLab 10.5'
-        success Entities::Application
+        success Entities::ApplicationWithSecret
       end
       params do
         requires :name, type: String, desc: 'Application name'
@@ -17,7 +17,7 @@ module API
         application = Doorkeeper::Application.new(declared_params)
 
         if application.save
-          present application, with: Entities::Application
+          present application, with: Entities::ApplicationWithSecret
         else
           render_validation_error! application
         end
diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index cfe9a8704bc..7b9a80a234b 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -1160,8 +1160,12 @@ module API
 
     class Application < Grape::Entity
       expose :uid, as: :application_id
-      expose :secret
       expose :redirect_uri, as: :callback_url
     end
+
+    # Use with care, this exposes the secret
+    class ApplicationWithSecret < Application
+      expose :secret
+    end
   end
 end