Merge branch 'fiw-username-override' into 'master'

Prevent username overriding while creating a Deploy Token via the API.

Closes #211963

See merge request gitlab-org/gitlab!28175

changelogs/unreleased/28175-fix-username-override.yml

+---
+title: Prevent overriding the username when creating a Deploy Token via the API
+merge_request: 28175
+author: Ayoub Mrini
+type: fixed

lib/api/deploy_tokens.rb

@@ -8,7 +8,7 @@ module API
       def scope_params
         scopes = params.delete(:scopes)
 
-        result_hash = {}
+        result_hash = Hashie::Mash.new
         result_hash[:read_registry] = scopes.include?('read_registry')
         result_hash[:write_registry] = scopes.include?('write_registry')
         result_hash[:read_repository] = scopes.include?('read_repository')

spec/requests/api/deploy_tokens_spec.rb

@@ -205,10 +205,11 @@ describe API::DeployTokens do
 
   context 'deploy token creation' do
     shared_examples 'creating a deploy token' do |entity, unauthenticated_response|
+      let(:expires_time) { 1.year.from_now }
       let(:params) do
         {
           name: 'Foo',
-          expires_at: 1.year.from_now,
+          expires_at: expires_time,
           scopes: [
             'read_repository'
           ],
@@ -240,6 +241,10 @@ describe API::DeployTokens do
 
           expect(response).to have_gitlab_http_status(:created)
           expect(response).to match_response_schema('public_api/v4/deploy_token')
+          expect(json_response['name']).to eq('Foo')
+          expect(json_response['scopes']).to eq(['read_repository'])
+          expect(json_response['username']).to eq('Bar')
+          expect(json_response['expires_at'].to_time.to_i).to eq(expires_time.to_i)
         end
 
         context 'with no optional params given' do