Support github refresh tokens (#3811)

2024-11-25 11:21:02 +00:00 · 2024-11-22 19:12:43 +01:00 · 2024-11-22 19:12:43 +01:00 · 53d6421940
commit 53d6421940
parent bd349c8eaf
24 changed files with 231 additions and 199 deletions
--- a/server/api/login.go
+++ b/server/api/login.go
@ -159,13 +159,14 @@ func HandleAuth(c *gin.Context) {
 		// create the user account
 		user = &model.User{
-			Login:         userFromForge.Login,
+			ForgeID:       forgeID,
 			ForgeRemoteID: userFromForge.ForgeRemoteID,
-			Token:         userFromForge.Token,
+			Login:         userFromForge.Login,
-			Secret:        userFromForge.Secret,
+			AccessToken:   userFromForge.AccessToken,
 			RefreshToken:  userFromForge.RefreshToken,
 			Expiry:        userFromForge.Expiry,
 			Email:         userFromForge.Email,
 			Avatar:        userFromForge.Avatar,
 			ForgeID:       forgeID,
 			Hash: base32.StdEncoding.EncodeToString(
 				securecookie.GenerateRandomKey(32),
 			),
@ -225,8 +226,8 @@ func HandleAuth(c *gin.Context) {
 	}
 	// update the user meta data and authorization data.
-	user.Token = userFromForge.Token
+	user.AccessToken = userFromForge.AccessToken
-	user.Secret = userFromForge.Secret
+	user.RefreshToken = userFromForge.RefreshToken
 	user.Email = userFromForge.Email
 	user.Avatar = userFromForge.Avatar
 	user.ForgeID = forgeID
--- a/server/forge/addon/args.go
+++ b/server/forge/addon/args.go
@ -111,8 +111,8 @@ type modelUser struct {
 func (m *modelUser) asModel() *model.User {
 	m.User.ForgeRemoteID = m.ForgeRemoteID
-	m.User.Token = m.Token
+	m.User.AccessToken = m.Token
-	m.User.Secret = m.Secret
+	m.User.RefreshToken = m.Secret
 	m.User.Expiry = m.Expiry
 	m.User.Hash = m.Hash
 	return m.User
@ -122,8 +122,8 @@ func modelUserFromModel(u *model.User) *modelUser {
 	return &modelUser{
 		User:          u,
 		ForgeRemoteID: u.ForgeRemoteID,
-		Token:         u.Token,
+		Token:         u.AccessToken,
-		Secret:        u.Secret,
+		Secret:        u.RefreshToken,
 		Expiry:        u.Expiry,
 		Hash:          u.Hash,
 	}
--- a/server/forge/bitbucket/bitbucket.go
+++ b/server/forge/bitbucket/bitbucket.go
@ -117,15 +117,15 @@ func (c *config) Auth(ctx context.Context, token, secret string) (string, error)
 func (c *config) Refresh(ctx context.Context, user *model.User) (bool, error) {
 	config := c.newOAuth2Config()
 	source := config.TokenSource(
-		ctx, &oauth2.Token{RefreshToken: user.Secret})
+		ctx, &oauth2.Token{RefreshToken: user.RefreshToken})
 	token, err := source.Token()
 	if err != nil || len(token.AccessToken) == 0 {
 		return false, err
 	}
-	user.Token = token.AccessToken
+	user.AccessToken = token.AccessToken
-	user.Secret = token.RefreshToken
+	user.RefreshToken = token.RefreshToken
 	user.Expiry = token.Expiry.UTC().Unix()
 	return true, nil
 }
@ -348,7 +348,7 @@ func (c *config) Netrc(u *model.User, _ *model.Repo) (*model.Netrc, error) {
 	return &model.Netrc{
 		Machine:  "bitbucket.org",
 		Login:    "x-token-auth",
-		Password: u.Token,
+		Password: u.AccessToken,
 	}, nil
 }
@ -428,7 +428,7 @@ func (c *config) newClient(ctx context.Context, u *model.User) *internal.Client
 	if u == nil {
 		return c.newClientToken(ctx, "", "")
 	}
-	return c.newClientToken(ctx, u.Token, u.Secret)
+	return c.newClientToken(ctx, u.AccessToken, u.RefreshToken)
 }
 // helper function to return the bitbucket oauth2 client.
--- a/server/forge/bitbucket/bitbucket_test.go
+++ b/server/forge/bitbucket/bitbucket_test.go
@ -60,7 +60,7 @@ func Test_bitbucket(t *testing.T) {
 			netrc, _ := forge.Netrc(fakeUser, fakeRepo)
 			g.Assert(netrc.Machine).Equal("bitbucket.org")
 			g.Assert(netrc.Login).Equal("x-token-auth")
-			g.Assert(netrc.Password).Equal(fakeUser.Token)
+			g.Assert(netrc.Password).Equal(fakeUser.AccessToken)
 		})
 		g.Describe("Given an authorization request", func() {
@ -75,8 +75,8 @@ func Test_bitbucket(t *testing.T) {
 				})
 				g.Assert(err).IsNil()
 				g.Assert(u.Login).Equal(fakeUser.Login)
-				g.Assert(u.Token).Equal("2YotnFZFEjr1zCsicMWpAA")
+				g.Assert(u.AccessToken).Equal("2YotnFZFEjr1zCsicMWpAA")
-				g.Assert(u.Secret).Equal("tGzv3JOkF0XG5Qx2TlKWIA")
+				g.Assert(u.RefreshToken).Equal("tGzv3JOkF0XG5Qx2TlKWIA")
 			})
 			g.It("Should handle failure to exchange code", func() {
 				_, _, err := c.Login(ctx, &types.OAuthRequest{
@ -94,12 +94,12 @@ func Test_bitbucket(t *testing.T) {
 		g.Describe("Given an access token", func() {
 			g.It("Should return the authenticated user", func() {
-				login, err := c.Auth(ctx, fakeUser.Token, fakeUser.Secret)
+				login, err := c.Auth(ctx, fakeUser.AccessToken, fakeUser.RefreshToken)
 				g.Assert(err).IsNil()
 				g.Assert(login).Equal(fakeUser.Login)
 			})
 			g.It("Should handle a failure to resolve user", func() {
-				_, err := c.Auth(ctx, fakeUserNotFound.Token, fakeUserNotFound.Secret)
+				_, err := c.Auth(ctx, fakeUserNotFound.AccessToken, fakeUserNotFound.RefreshToken)
 				g.Assert(err).IsNotNil()
 			})
 		})
@ -109,8 +109,8 @@ func Test_bitbucket(t *testing.T) {
 				ok, err := c.Refresh(ctx, fakeUserRefresh)
 				g.Assert(err).IsNil()
 				g.Assert(ok).IsTrue()
-				g.Assert(fakeUserRefresh.Token).Equal("2YotnFZFEjr1zCsicMWpAA")
+				g.Assert(fakeUserRefresh.AccessToken).Equal("2YotnFZFEjr1zCsicMWpAA")
-				g.Assert(fakeUserRefresh.Secret).Equal("tGzv3JOkF0XG5Qx2TlKWIA")
+				g.Assert(fakeUserRefresh.RefreshToken).Equal("tGzv3JOkF0XG5Qx2TlKWIA")
 			})
 			g.It("Should handle an empty access token", func() {
 				ok, err := c.Refresh(ctx, fakeUserRefreshEmpty)
@ -293,38 +293,38 @@ func Test_bitbucket(t *testing.T) {
 var (
 	fakeUser = &model.User{
-		Login: "superman",
+		Login:       "superman",
-		Token: "cfcd2084",
+		AccessToken: "cfcd2084",
 	}
 	fakeUserRefresh = &model.User{
-		Login:  "superman",
+		Login:        "superman",
-		Secret: "cfcd2084",
+		RefreshToken: "cfcd2084",
 	}
 	fakeUserRefreshFail = &model.User{
-		Login:  "superman",
+		Login:        "superman",
-		Secret: "refresh_token_not_found",
+		RefreshToken: "refresh_token_not_found",
 	}
 	fakeUserRefreshEmpty = &model.User{
-		Login:  "superman",
+		Login:        "superman",
-		Secret: "refresh_token_is_empty",
+		RefreshToken: "refresh_token_is_empty",
 	}
 	fakeUserNotFound = &model.User{
-		Login: "superman",
+		Login:       "superman",
-		Token: "user_not_found",
+		AccessToken: "user_not_found",
 	}
 	fakeUserNoTeams = &model.User{
-		Login: "superman",
+		Login:       "superman",
-		Token: "teams_not_found",
+		AccessToken: "teams_not_found",
 	}
 	fakeUserNoRepos = &model.User{
-		Login: "superman",
+		Login:       "superman",
-		Token: "repos_not_found",
+		AccessToken: "repos_not_found",
 	}
 	fakeRepo = &model.Repo{
--- a/server/forge/bitbucket/convert.go
+++ b/server/forge/bitbucket/convert.go
@ -133,8 +133,8 @@ func sshCloneLink(repo *internal.Repo) string {
 func convertUser(from *internal.Account, token *oauth2.Token) *model.User {
 	return &model.User{
 		Login:         from.Login,
-		Token:         token.AccessToken,
+		AccessToken:   token.AccessToken,
-		Secret:        token.RefreshToken,
+		RefreshToken:  token.RefreshToken,
 		Expiry:        token.Expiry.UTC().Unix(),
 		Avatar:        from.Links.Avatar.Href,
 		ForgeRemoteID: model.ForgeRemoteID(fmt.Sprint(from.UUID)),
--- a/server/forge/bitbucket/convert_test.go
+++ b/server/forge/bitbucket/convert_test.go
@ -98,8 +98,8 @@ func Test_helper(t *testing.T) {
 			result := convertUser(user, token)
 			g.Assert(result.Avatar).Equal(user.Links.Avatar.Href)
 			g.Assert(result.Login).Equal(user.Login)
-			g.Assert(result.Token).Equal(token.AccessToken)
+			g.Assert(result.AccessToken).Equal(token.AccessToken)
-			g.Assert(result.Secret).Equal(token.RefreshToken)
+			g.Assert(result.RefreshToken).Equal(token.RefreshToken)
 			g.Assert(result.Expiry).Equal(token.Expiry.UTC().Unix())
 		})
--- a/server/forge/bitbucketdatacenter/bitbucketdatacenter.go
+++ b/server/forge/bitbucketdatacenter/bitbucketdatacenter.go
@ -116,7 +116,7 @@ func (c *client) Login(ctx context.Context, req *forge_types.OAuthRequest) (*mod
 		return nil, "", err
 	}
-	bc, err := c.newClient(ctx, &model.User{Token: token.AccessToken})
+	bc, err := c.newClient(ctx, &model.User{AccessToken: token.AccessToken})
 	if err != nil {
 		return nil, "", fmt.Errorf("unable to create bitbucket client: %w", err)
 	}
@ -143,7 +143,7 @@ func (c *client) Auth(ctx context.Context, accessToken, _ string) (string, error
 func (c *client) Refresh(ctx context.Context, u *model.User) (bool, error) {
 	config := c.newOAuth2Config()
 	t := &oauth2.Token{
-		RefreshToken: u.Secret,
+		RefreshToken: u.RefreshToken,
 	}
 	ts := config.TokenSource(ctx, t)
@ -623,7 +623,7 @@ func (c *client) newOAuth2Config() *oauth2.Config {
 func (c *client) newClient(ctx context.Context, u *model.User) (*bb.Client, error) {
 	config := c.newOAuth2Config()
 	t := &oauth2.Token{
-		AccessToken: u.Token,
+		AccessToken: u.AccessToken,
 	}
 	client := config.Client(ctx, t)
 	return bb.NewClient(c.urlAPI, client)
--- a/server/forge/bitbucketdatacenter/bitbucketdatacenter_test.go
+++ b/server/forge/bitbucketdatacenter/bitbucketdatacenter_test.go
@ -91,6 +91,6 @@ func TestBitbucketDC(t *testing.T) {
 }
 var fakeUser = &model.User{
-	Token:  "fake",
+	AccessToken: "fake",
-	Expiry: time.Now().Add(1 * time.Hour).Unix(),
+	Expiry:      time.Now().Add(1 * time.Hour).Unix(),
 }
--- a/server/forge/bitbucketdatacenter/convert.go
+++ b/server/forge/bitbucketdatacenter/convert.go
@ -169,7 +169,7 @@ func convertListOptions(p *model.ListOptions) bb.ListOptions {
 }
 func updateUserCredentials(u *model.User, t *oauth2.Token) {
-	u.Token = t.AccessToken
+	u.AccessToken = t.AccessToken
-	u.Secret = t.RefreshToken
+	u.RefreshToken = t.RefreshToken
 	u.Expiry = t.Expiry.UTC().Unix()
 }
--- a/server/forge/common/utils.go
+++ b/server/forge/common/utils.go
@ -46,7 +46,7 @@ func ExtractHostFromCloneURL(cloneURL string) (string, error) {
 func UserToken(ctx context.Context, r *model.Repo, u *model.User) string {
 	if u != nil {
-		return u.Token
+		return u.AccessToken
 	}
 	_store, ok := store.TryFromContext(ctx)
@ -62,5 +62,5 @@ func UserToken(ctx context.Context, r *model.Repo, u *model.User) string {
 	if err != nil {
 		return ""
 	}
-	return user.Token
+	return user.AccessToken
 }
--- a/server/forge/forgejo/forgejo.go
+++ b/server/forge/forgejo/forgejo.go
@ -133,8 +133,8 @@ func (c *Forgejo) Login(ctx context.Context, req *forge_types.OAuthRequest) (*mo
 	}
 	return &model.User{
-		Token:         token.AccessToken,
+		AccessToken:   token.AccessToken,
-		Secret:        token.RefreshToken,
+		RefreshToken:  token.RefreshToken,
 		Expiry:        token.Expiry.UTC().Unix(),
 		Login:         account.UserName,
 		Email:         account.Email,
@ -164,8 +164,8 @@ func (c *Forgejo) Refresh(ctx context.Context, user *model.User) (bool, error) {
 	config.RedirectURL = ""
 	source := config.TokenSource(oauth2Ctx, &oauth2.Token{
-		AccessToken:  user.Token,
+		AccessToken:  user.AccessToken,
-		RefreshToken: user.Secret,
+		RefreshToken: user.RefreshToken,
 		Expiry:       time.Unix(user.Expiry, 0),
 	})
@ -174,15 +174,15 @@ func (c *Forgejo) Refresh(ctx context.Context, user *model.User) (bool, error) {
 		return false, err
 	}
-	user.Token = token.AccessToken
+	user.AccessToken = token.AccessToken
-	user.Secret = token.RefreshToken
+	user.RefreshToken = token.RefreshToken
 	user.Expiry = token.Expiry.UTC().Unix()
 	return true, nil
 }
 // Teams is supported by the Forgejo driver.
 func (c *Forgejo) Teams(ctx context.Context, u *model.User) ([]*model.Team, error) {
-	client, err := c.newClientToken(ctx, u.Token)
+	client, err := c.newClientToken(ctx, u.AccessToken)
 	if err != nil {
 		return nil, err
 	}
@ -211,7 +211,7 @@ func (c *Forgejo) TeamPerm(_ *model.User, _ string) (*model.Perm, error) {
 // Repo returns the Forgejo repository.
 func (c *Forgejo) Repo(ctx context.Context, u *model.User, remoteID model.ForgeRemoteID, owner, name string) (*model.Repo, error) {
-	client, err := c.newClientToken(ctx, u.Token)
+	client, err := c.newClientToken(ctx, u.AccessToken)
 	if err != nil {
 		return nil, err
 	}
@ -238,7 +238,7 @@ func (c *Forgejo) Repo(ctx context.Context, u *model.User, remoteID model.ForgeR
 // Repos returns a list of all repositories for the Forgejo account, including
 // organization repositories.
 func (c *Forgejo) Repos(ctx context.Context, u *model.User) ([]*model.Repo, error) {
-	client, err := c.newClientToken(ctx, u.Token)
+	client, err := c.newClientToken(ctx, u.AccessToken)
 	if err != nil {
 		return nil, err
 	}
@ -267,7 +267,7 @@ func (c *Forgejo) Repos(ctx context.Context, u *model.User) ([]*model.Repo, erro
 // File fetches the file from the Forgejo repository and returns its contents.
 func (c *Forgejo) File(ctx context.Context, u *model.User, r *model.Repo, b *model.Pipeline, f string) ([]byte, error) {
-	client, err := c.newClientToken(ctx, u.Token)
+	client, err := c.newClientToken(ctx, u.AccessToken)
 	if err != nil {
 		return nil, err
 	}
@ -282,7 +282,7 @@ func (c *Forgejo) File(ctx context.Context, u *model.User, r *model.Repo, b *mod
 func (c *Forgejo) Dir(ctx context.Context, u *model.User, r *model.Repo, b *model.Pipeline, f string) ([]*forge_types.FileMeta, error) {
 	var configs []*forge_types.FileMeta
-	client, err := c.newClientToken(ctx, u.Token)
+	client, err := c.newClientToken(ctx, u.AccessToken)
 	if err != nil {
 		return nil, err
 	}
@ -318,7 +318,7 @@ func (c *Forgejo) Dir(ctx context.Context, u *model.User, r *model.Repo, b *mode
 // Status is supported by the Forgejo driver.
 func (c *Forgejo) Status(ctx context.Context, user *model.User, repo *model.Repo, pipeline *model.Pipeline, workflow *model.Workflow) error {
-	client, err := c.newClientToken(ctx, user.Token)
+	client, err := c.newClientToken(ctx, user.AccessToken)
 	if err != nil {
 		return err
 	}
@ -346,7 +346,7 @@ func (c *Forgejo) Netrc(u *model.User, r *model.Repo) (*model.Netrc, error) {
 	if u != nil {
 		login = u.Login
-		token = u.Token
+		token = u.AccessToken
 	}
 	host, err := common.ExtractHostFromCloneURL(r.Clone)
@ -376,7 +376,7 @@ func (c *Forgejo) Activate(ctx context.Context, u *model.User, r *model.Repo, li
 		Active: true,
 	}
-	client, err := c.newClientToken(ctx, u.Token)
+	client, err := c.newClientToken(ctx, u.AccessToken)
 	if err != nil {
 		return err
 	}
@ -398,7 +398,7 @@ func (c *Forgejo) Activate(ctx context.Context, u *model.User, r *model.Repo, li
 // Deactivate deactivates the repository be removing repository push hooks from
 // the Forgejo repository.
 func (c *Forgejo) Deactivate(ctx context.Context, u *model.User, r *model.Repo, link string) error {
-	client, err := c.newClientToken(ctx, u.Token)
+	client, err := c.newClientToken(ctx, u.AccessToken)
 	if err != nil {
 		return err
 	}
@ -522,7 +522,7 @@ func (c *Forgejo) Hook(ctx context.Context, r *http.Request) (*model.Repo, *mode
 // OrgMembership returns if user is member of organization and if user
 // is admin/owner in this organization.
 func (c *Forgejo) OrgMembership(ctx context.Context, u *model.User, owner string) (*model.OrgPerm, error) {
-	client, err := c.newClientToken(ctx, u.Token)
+	client, err := c.newClientToken(ctx, u.AccessToken)
 	if err != nil {
 		return nil, err
 	}
@ -545,7 +545,7 @@ func (c *Forgejo) OrgMembership(ctx context.Context, u *model.User, owner string
 }
 func (c *Forgejo) Org(ctx context.Context, u *model.User, owner string) (*model.Org, error) {
-	client, err := c.newClientToken(ctx, u.Token)
+	client, err := c.newClientToken(ctx, u.AccessToken)
 	if err != nil {
 		return nil, err
 	}
@ -630,7 +630,7 @@ func (c *Forgejo) getChangedFilesForPR(ctx context.Context, repo *model.Repo, in
 		return nil, err
 	}
-	client, err := c.newClientToken(ctx, user.Token)
+	client, err := c.newClientToken(ctx, user.AccessToken)
 	if err != nil {
 		return nil, err
 	}
@ -667,7 +667,7 @@ func (c *Forgejo) getTagCommitSHA(ctx context.Context, repo *model.Repo, tagName
 		return "", err
 	}
-	client, err := c.newClientToken(ctx, user.Token)
+	client, err := c.newClientToken(ctx, user.AccessToken)
 	if err != nil {
 		return "", err
 	}
--- a/server/forge/forgejo/forgejo_test.go
+++ b/server/forge/forgejo/forgejo_test.go
@ -69,7 +69,7 @@ func Test_forgejo(t *testing.T) {
 				netrc, _ := forge.Netrc(fakeUser, fakeRepo)
 				g.Assert(netrc.Machine).Equal("forgejo.org")
 				g.Assert(netrc.Login).Equal(fakeUser.Login)
-				g.Assert(netrc.Password).Equal(fakeUser.Token)
+				g.Assert(netrc.Password).Equal(fakeUser.AccessToken)
 			})
 			g.It("Should return a netrc with the machine account", func() {
 				forge, _ := New(Opts{})
@ -165,13 +165,13 @@ func Test_forgejo(t *testing.T) {
 var (
 	fakeUser = &model.User{
-		Login: "someuser",
+		Login:       "someuser",
-		Token: "cfcd2084",
+		AccessToken: "cfcd2084",
 	}
 	fakeUserNoRepos = &model.User{
-		Login: "someuser",
+		Login:       "someuser",
-		Token: "repos_not_found",
+		AccessToken: "repos_not_found",
 	}
 	fakeRepo = &model.Repo{
--- a/server/forge/gitea/gitea.go
+++ b/server/forge/gitea/gitea.go
@ -135,8 +135,8 @@ func (c *Gitea) Login(ctx context.Context, req *forge_types.OAuthRequest) (*mode
 	}
 	return &model.User{
-		Token:         token.AccessToken,
+		AccessToken:   token.AccessToken,
-		Secret:        token.RefreshToken,
+		RefreshToken:  token.RefreshToken,
 		Expiry:        token.Expiry.UTC().Unix(),
 		Login:         account.UserName,
 		Email:         account.Email,
@ -166,8 +166,8 @@ func (c *Gitea) Refresh(ctx context.Context, user *model.User) (bool, error) {
 	config.RedirectURL = ""
 	source := config.TokenSource(oauth2Ctx, &oauth2.Token{
-		AccessToken:  user.Token,
+		AccessToken:  user.AccessToken,
-		RefreshToken: user.Secret,
+		RefreshToken: user.RefreshToken,
 		Expiry:       time.Unix(user.Expiry, 0),
 	})
@ -176,15 +176,15 @@ func (c *Gitea) Refresh(ctx context.Context, user *model.User) (bool, error) {
 		return false, err
 	}
-	user.Token = token.AccessToken
+	user.AccessToken = token.AccessToken
-	user.Secret = token.RefreshToken
+	user.RefreshToken = token.RefreshToken
 	user.Expiry = token.Expiry.UTC().Unix()
 	return true, nil
 }
 // Teams is supported by the Gitea driver.
 func (c *Gitea) Teams(ctx context.Context, u *model.User) ([]*model.Team, error) {
-	client, err := c.newClientToken(ctx, u.Token)
+	client, err := c.newClientToken(ctx, u.AccessToken)
 	if err != nil {
 		return nil, err
 	}
@ -213,7 +213,7 @@ func (c *Gitea) TeamPerm(_ *model.User, _ string) (*model.Perm, error) {
 // Repo returns the Gitea repository.
 func (c *Gitea) Repo(ctx context.Context, u *model.User, remoteID model.ForgeRemoteID, owner, name string) (*model.Repo, error) {
-	client, err := c.newClientToken(ctx, u.Token)
+	client, err := c.newClientToken(ctx, u.AccessToken)
 	if err != nil {
 		return nil, err
 	}
@ -240,7 +240,7 @@ func (c *Gitea) Repo(ctx context.Context, u *model.User, remoteID model.ForgeRem
 // Repos returns a list of all repositories for the Gitea account, including
 // organization repositories.
 func (c *Gitea) Repos(ctx context.Context, u *model.User) ([]*model.Repo, error) {
-	client, err := c.newClientToken(ctx, u.Token)
+	client, err := c.newClientToken(ctx, u.AccessToken)
 	if err != nil {
 		return nil, err
 	}
@ -269,7 +269,7 @@ func (c *Gitea) Repos(ctx context.Context, u *model.User) ([]*model.Repo, error)
 // File fetches the file from the Gitea repository and returns its contents.
 func (c *Gitea) File(ctx context.Context, u *model.User, r *model.Repo, b *model.Pipeline, f string) ([]byte, error) {
-	client, err := c.newClientToken(ctx, u.Token)
+	client, err := c.newClientToken(ctx, u.AccessToken)
 	if err != nil {
 		return nil, err
 	}
@ -284,7 +284,7 @@ func (c *Gitea) File(ctx context.Context, u *model.User, r *model.Repo, b *model
 func (c *Gitea) Dir(ctx context.Context, u *model.User, r *model.Repo, b *model.Pipeline, f string) ([]*forge_types.FileMeta, error) {
 	var configs []*forge_types.FileMeta
-	client, err := c.newClientToken(ctx, u.Token)
+	client, err := c.newClientToken(ctx, u.AccessToken)
 	if err != nil {
 		return nil, err
 	}
@ -320,7 +320,7 @@ func (c *Gitea) Dir(ctx context.Context, u *model.User, r *model.Repo, b *model.
 // Status is supported by the Gitea driver.
 func (c *Gitea) Status(ctx context.Context, user *model.User, repo *model.Repo, pipeline *model.Pipeline, workflow *model.Workflow) error {
-	client, err := c.newClientToken(ctx, user.Token)
+	client, err := c.newClientToken(ctx, user.AccessToken)
 	if err != nil {
 		return err
 	}
@ -348,7 +348,7 @@ func (c *Gitea) Netrc(u *model.User, r *model.Repo) (*model.Netrc, error) {
 	if u != nil {
 		login = u.Login
-		token = u.Token
+		token = u.AccessToken
 	}
 	host, err := common.ExtractHostFromCloneURL(r.Clone)
@ -378,7 +378,7 @@ func (c *Gitea) Activate(ctx context.Context, u *model.User, r *model.Repo, link
 		Active: true,
 	}
-	client, err := c.newClientToken(ctx, u.Token)
+	client, err := c.newClientToken(ctx, u.AccessToken)
 	if err != nil {
 		return err
 	}
@ -400,7 +400,7 @@ func (c *Gitea) Activate(ctx context.Context, u *model.User, r *model.Repo, link
 // Deactivate deactivates the repository be removing repository push hooks from
 // the Gitea repository.
 func (c *Gitea) Deactivate(ctx context.Context, u *model.User, r *model.Repo, link string) error {
-	client, err := c.newClientToken(ctx, u.Token)
+	client, err := c.newClientToken(ctx, u.AccessToken)
 	if err != nil {
 		return err
 	}
@ -529,7 +529,7 @@ func (c *Gitea) Hook(ctx context.Context, r *http.Request) (*model.Repo, *model.
 // OrgMembership returns if user is member of organization and if user
 // is admin/owner in this organization.
 func (c *Gitea) OrgMembership(ctx context.Context, u *model.User, owner string) (*model.OrgPerm, error) {
-	client, err := c.newClientToken(ctx, u.Token)
+	client, err := c.newClientToken(ctx, u.AccessToken)
 	if err != nil {
 		return nil, err
 	}
@ -552,7 +552,7 @@ func (c *Gitea) OrgMembership(ctx context.Context, u *model.User, owner string)
 }
 func (c *Gitea) Org(ctx context.Context, u *model.User, owner string) (*model.Org, error) {
-	client, err := c.newClientToken(ctx, u.Token)
+	client, err := c.newClientToken(ctx, u.AccessToken)
 	if err != nil {
 		return nil, err
 	}
@ -637,7 +637,7 @@ func (c *Gitea) getChangedFilesForPR(ctx context.Context, repo *model.Repo, inde
 		return nil, err
 	}
-	client, err := c.newClientToken(ctx, user.Token)
+	client, err := c.newClientToken(ctx, user.AccessToken)
 	if err != nil {
 		return nil, err
 	}
@ -674,7 +674,7 @@ func (c *Gitea) getTagCommitSHA(ctx context.Context, repo *model.Repo, tagName s
 		return "", err
 	}
-	client, err := c.newClientToken(ctx, user.Token)
+	client, err := c.newClientToken(ctx, user.AccessToken)
 	if err != nil {
 		return "", err
 	}
--- a/server/forge/gitea/gitea_test.go
+++ b/server/forge/gitea/gitea_test.go
@ -70,7 +70,7 @@ func Test_gitea(t *testing.T) {
 				netrc, _ := forge.Netrc(fakeUser, fakeRepo)
 				g.Assert(netrc.Machine).Equal("gitea.com")
 				g.Assert(netrc.Login).Equal(fakeUser.Login)
-				g.Assert(netrc.Password).Equal(fakeUser.Token)
+				g.Assert(netrc.Password).Equal(fakeUser.AccessToken)
 			})
 			g.It("Should return a netrc with the machine account", func() {
 				forge, _ := New(Opts{})
@ -166,13 +166,13 @@ func Test_gitea(t *testing.T) {
 var (
 	fakeUser = &model.User{
-		Login: "someuser",
+		Login:       "someuser",
-		Token: "cfcd2084",
+		AccessToken: "cfcd2084",
 	}
 	fakeUserNoRepos = &model.User{
-		Login: "someuser",
+		Login:       "someuser",
-		Token: "repos_not_found",
+		AccessToken: "repos_not_found",
 	}
 	fakeRepo = &model.Repo{
--- a/server/forge/github/github.go
+++ b/server/forge/github/github.go
@ -25,6 +25,7 @@ import (
 	"regexp"
 	"strconv"
 	"strings"
 	"time"
 	"github.com/google/go-github/v66/github"
 	"github.com/rs/zerolog/log"
@ -133,7 +134,9 @@ func (c *client) Login(ctx context.Context, req *forge_types.OAuthRequest) (*mod
 	return &model.User{
 		Login:         user.GetLogin(),
 		Email:         email.GetEmail(),
-		Token:         token.AccessToken,
+		AccessToken:   token.AccessToken,
 		RefreshToken:  token.RefreshToken,
 		Expiry:        token.Expiry.UTC().Unix(),
 		Avatar:        user.GetAvatarURL(),
 		ForgeRemoteID: model.ForgeRemoteID(fmt.Sprint(user.GetID())),
 	}, redirectURL, nil
@ -149,9 +152,36 @@ func (c *client) Auth(ctx context.Context, token, _ string) (string, error) {
 	return *user.Login, nil
 }
 // Refresh refreshes the Gitlab oauth2 access token. If the token is
 // refreshed the user is updated and a true value is returned.
 func (c *client) Refresh(ctx context.Context, user *model.User) (bool, error) {
 	// when using Github oAuth app no refresh token is provided
 	if user.RefreshToken == "" {
 		return false, nil
 	}
 	config := c.newConfig()
 	source := config.TokenSource(ctx, &oauth2.Token{
 		AccessToken:  user.AccessToken,
 		RefreshToken: user.RefreshToken,
 		Expiry:       time.Unix(user.Expiry, 0),
 	})
 	token, err := source.Token()
 	if err != nil || len(token.AccessToken) == 0 {
 		return false, err
 	}
 	user.AccessToken = token.AccessToken
 	user.RefreshToken = token.RefreshToken
 	user.Expiry = token.Expiry.UTC().Unix()
 	return true, nil
 }
 // Teams returns a list of all team membership for the GitHub account.
 func (c *client) Teams(ctx context.Context, u *model.User) ([]*model.Team, error) {
-	client := c.newClientToken(ctx, u.Token)
+	client := c.newClientToken(ctx, u.AccessToken)
 	opts := new(github.ListOptions)
 	opts.Page = 1
@ -170,7 +200,7 @@ func (c *client) Teams(ctx context.Context, u *model.User) ([]*model.Team, error
 // Repo returns the GitHub repository.
 func (c *client) Repo(ctx context.Context, u *model.User, id model.ForgeRemoteID, owner, name string) (*model.Repo, error) {
-	client := c.newClientToken(ctx, u.Token)
+	client := c.newClientToken(ctx, u.AccessToken)
 	if id.IsValid() {
 		intID, err := strconv.ParseInt(string(id), 10, 64)
@ -194,7 +224,7 @@ func (c *client) Repo(ctx context.Context, u *model.User, id model.ForgeRemoteID
 // Repos returns a list of all repositories for GitHub account, including
 // organization repositories.
 func (c *client) Repos(ctx context.Context, u *model.User) ([]*model.Repo, error) {
-	client := c.newClientToken(ctx, u.Token)
+	client := c.newClientToken(ctx, u.AccessToken)
 	opts := new(github.RepositoryListByAuthenticatedUserOptions)
 	opts.PerPage = 100
@ -219,7 +249,7 @@ func (c *client) Repos(ctx context.Context, u *model.User) ([]*model.Repo, error
 // File fetches the file from the GitHub repository and returns its contents.
 func (c *client) File(ctx context.Context, u *model.User, r *model.Repo, b *model.Pipeline, f string) ([]byte, error) {
-	client := c.newClientToken(ctx, u.Token)
+	client := c.newClientToken(ctx, u.AccessToken)
 	opts := new(github.RepositoryContentGetOptions)
 	opts.Ref = b.Commit
@ -238,7 +268,7 @@ func (c *client) File(ctx context.Context, u *model.User, r *model.Repo, b *mode
 }
 func (c *client) Dir(ctx context.Context, u *model.User, r *model.Repo, b *model.Pipeline, f string) ([]*forge_types.FileMeta, error) {
-	client := c.newClientToken(ctx, u.Token)
+	client := c.newClientToken(ctx, u.AccessToken)
 	opts := new(github.RepositoryContentGetOptions)
 	opts.Ref = b.Commit
@ -317,7 +347,7 @@ func (c *client) Netrc(u *model.User, r *model.Repo) (*model.Netrc, error) {
 	token := ""
 	if u != nil {
-		login = u.Token
+		login = u.AccessToken
 		token = "x-oauth-basic"
 	}
@ -336,7 +366,7 @@ func (c *client) Netrc(u *model.User, r *model.Repo) (*model.Netrc, error) {
 // Deactivate deactivates the repository be removing registered push hooks from
 // the GitHub repository.
 func (c *client) Deactivate(ctx context.Context, u *model.User, r *model.Repo, link string) error {
-	client := c.newClientToken(ctx, u.Token)
+	client := c.newClientToken(ctx, u.AccessToken)
 	hooks, _, err := client.Repositories.ListHooks(ctx, r.Owner, r.Name, nil)
 	if err != nil {
 		return err
@ -352,7 +382,7 @@ func (c *client) Deactivate(ctx context.Context, u *model.User, r *model.Repo, l
 // OrgMembership returns if user is member of organization and if user
 // is admin/owner in this organization.
 func (c *client) OrgMembership(ctx context.Context, u *model.User, owner string) (*model.OrgPerm, error) {
-	client := c.newClientToken(ctx, u.Token)
+	client := c.newClientToken(ctx, u.AccessToken)
 	org, _, err := client.Organizations.GetOrgMembership(ctx, u.Login, owner)
 	if err != nil {
 		return nil, err
@ -362,7 +392,7 @@ func (c *client) OrgMembership(ctx context.Context, u *model.User, owner string)
 }
 func (c *client) Org(ctx context.Context, u *model.User, owner string) (*model.Org, error) {
-	client := c.newClientToken(ctx, u.Token)
+	client := c.newClientToken(ctx, u.AccessToken)
 	user, _, err := client.Users.Get(ctx, owner)
 	log.Trace().Msgf("GitHub user for owner %s = %v", owner, user)
@ -487,7 +517,7 @@ var reDeploy = regexp.MustCompile(`.+/deployments/(\d+)`)
 // Status sends the commit status to the forge.
 // An example would be the GitHub pull request status.
 func (c *client) Status(ctx context.Context, user *model.User, repo *model.Repo, pipeline *model.Pipeline, workflow *model.Workflow) error {
-	client := c.newClientToken(ctx, user.Token)
+	client := c.newClientToken(ctx, user.AccessToken)
 	if pipeline.Event == model.EventDeploy {
 		// Get id from url. If not found, skip.
@ -521,7 +551,7 @@ func (c *client) Activate(ctx context.Context, u *model.User, r *model.Repo, lin
 	if err := c.Deactivate(ctx, u, r, link); err != nil {
 		return err
 	}
-	client := c.newClientToken(ctx, u.Token)
+	client := c.newClientToken(ctx, u.AccessToken)
 	hook := &github.Hook{
 		Name: github.String("web"),
 		Events: []string{
@ -618,7 +648,7 @@ func (c *client) loadChangedFilesFromPullRequest(ctx context.Context, pull *gith
 		opts := &github.ListOptions{Page: page}
 		fileList := make([]string, 0, 16)
 		for opts.Page > 0 {
-			files, resp, err := c.newClientToken(ctx, user.Token).PullRequests.ListFiles(ctx, repo.Owner, repo.Name, pull.GetNumber(), opts)
+			files, resp, err := c.newClientToken(ctx, user.AccessToken).PullRequests.ListFiles(ctx, repo.Owner, repo.Name, pull.GetNumber(), opts)
 			if err != nil {
 				return nil, err
 			}
@ -652,7 +682,7 @@ func (c *client) getTagCommitSHA(ctx context.Context, repo *model.Repo, tagName
 		return "", err
 	}
-	gh := c.newClientToken(ctx, user.Token)
+	gh := c.newClientToken(ctx, user.AccessToken)
 	page := 1
 	var tag *github.RepositoryTag
--- a/server/forge/github/github_test.go
+++ b/server/forge/github/github_test.go
@ -65,7 +65,7 @@ func Test_github(t *testing.T) {
 				forge, _ := New(Opts{})
 				netrc, _ := forge.Netrc(fakeUser, fakeRepo)
 				g.Assert(netrc.Machine).Equal("github.com")
-				g.Assert(netrc.Login).Equal(fakeUser.Token)
+				g.Assert(netrc.Login).Equal(fakeUser.AccessToken)
 				g.Assert(netrc.Password).Equal("x-oauth-basic")
 			})
 			g.It("Should return a netrc with the machine account", func() {
@ -115,8 +115,8 @@ func Test_github(t *testing.T) {
 var (
 	fakeUser = &model.User{
-		Login: "octocat",
+		Login:       "octocat",
-		Token: "cfcd2084",
+		AccessToken: "cfcd2084",
 	}
 	fakeRepo = &model.Repo{
--- a/server/forge/gitlab/gitlab.go
+++ b/server/forge/gitlab/gitlab.go
@ -142,8 +142,9 @@ func (g *GitLab) Login(ctx context.Context, req *forge_types.OAuthRequest) (*mod
 		Email:         login.Email,
 		Avatar:        login.AvatarURL,
 		ForgeRemoteID: model.ForgeRemoteID(fmt.Sprint(login.ID)),
-		Token:         token.AccessToken,
+		AccessToken:   token.AccessToken,
-		Secret:        token.RefreshToken,
+		RefreshToken:  token.RefreshToken,
 		Expiry:        token.Expiry.UTC().Unix(),
 	}
 	if !strings.HasPrefix(user.Avatar, "http") {
 		user.Avatar = g.url + "/" + login.AvatarURL
@ -159,8 +160,8 @@ func (g *GitLab) Refresh(ctx context.Context, user *model.User) (bool, error) {
 	config.RedirectURL = ""
 	source := config.TokenSource(oauth2Ctx, &oauth2.Token{
-		AccessToken:  user.Token,
+		AccessToken:  user.AccessToken,
-		RefreshToken: user.Secret,
+		RefreshToken: user.RefreshToken,
 		Expiry:       time.Unix(user.Expiry, 0),
 	})
@ -169,8 +170,8 @@ func (g *GitLab) Refresh(ctx context.Context, user *model.User) (bool, error) {
 		return false, err
 	}
-	user.Token = token.AccessToken
+	user.AccessToken = token.AccessToken
-	user.Secret = token.RefreshToken
+	user.RefreshToken = token.RefreshToken
 	user.Expiry = token.Expiry.UTC().Unix()
 	return true, nil
 }
@ -191,7 +192,7 @@ func (g *GitLab) Auth(ctx context.Context, token, _ string) (string, error) {
 // Teams fetches a list of team memberships from the forge.
 func (g *GitLab) Teams(ctx context.Context, user *model.User) ([]*model.Team, error) {
-	client, err := newClient(g.url, user.Token, g.SkipVerify)
+	client, err := newClient(g.url, user.AccessToken, g.SkipVerify)
 	if err != nil {
 		return nil, err
 	}
@ -260,7 +261,7 @@ func (g *GitLab) getInheritedProjectMember(ctx context.Context, client *gitlab.C
 // Repo fetches the repository from the forge.
 func (g *GitLab) Repo(ctx context.Context, user *model.User, remoteID model.ForgeRemoteID, owner, name string) (*model.Repo, error) {
-	client, err := newClient(g.url, user.Token, g.SkipVerify)
+	client, err := newClient(g.url, user.AccessToken, g.SkipVerify)
 	if err != nil {
 		return nil, err
 	}
@ -285,7 +286,7 @@ func (g *GitLab) Repo(ctx context.Context, user *model.User, remoteID model.Forg
 // Repos fetches a list of repos from the forge.
 func (g *GitLab) Repos(ctx context.Context, user *model.User) ([]*model.Repo, error) {
-	client, err := newClient(g.url, user.Token, g.SkipVerify)
+	client, err := newClient(g.url, user.AccessToken, g.SkipVerify)
 	if err != nil {
 		return nil, err
 	}
@ -365,7 +366,7 @@ func (g *GitLab) PullRequests(ctx context.Context, u *model.User, r *model.Repo,
 // File fetches a file from the forge repository and returns in string format.
 func (g *GitLab) File(ctx context.Context, user *model.User, repo *model.Repo, pipeline *model.Pipeline, fileName string) ([]byte, error) {
-	client, err := newClient(g.url, user.Token, g.SkipVerify)
+	client, err := newClient(g.url, user.AccessToken, g.SkipVerify)
 	if err != nil {
 		return nil, err
 	}
@ -382,7 +383,7 @@ func (g *GitLab) File(ctx context.Context, user *model.User, repo *model.Repo, p
 // Dir fetches a folder from the forge repository.
 func (g *GitLab) Dir(ctx context.Context, user *model.User, repo *model.Repo, pipeline *model.Pipeline, path string) ([]*forge_types.FileMeta, error) {
-	client, err := newClient(g.url, user.Token, g.SkipVerify)
+	client, err := newClient(g.url, user.AccessToken, g.SkipVerify)
 	if err != nil {
 		return nil, err
 	}
@ -434,7 +435,7 @@ func (g *GitLab) Dir(ctx context.Context, user *model.User, repo *model.Repo, pi
 // Status sends the commit status back to gitlab.
 func (g *GitLab) Status(ctx context.Context, user *model.User, repo *model.Repo, pipeline *model.Pipeline, workflow *model.Workflow) error {
-	client, err := newClient(g.url, user.Token, g.SkipVerify)
+	client, err := newClient(g.url, user.AccessToken, g.SkipVerify)
 	if err != nil {
 		return err
 	}
@ -463,7 +464,7 @@ func (g *GitLab) Netrc(u *model.User, r *model.Repo) (*model.Netrc, error) {
 	if u != nil {
 		login = "oauth2"
-		token = u.Token
+		token = u.AccessToken
 	}
 	host, err := common.ExtractHostFromCloneURL(r.Clone)
@ -491,7 +492,7 @@ func (g *GitLab) getTokenAndWebURL(link string) (token, webURL string, err error
 // Activate activates a repository by adding a Post-commit hook and
 // a Public Deploy key, if applicable.
 func (g *GitLab) Activate(ctx context.Context, user *model.User, repo *model.Repo, link string) error {
-	client, err := newClient(g.url, user.Token, g.SkipVerify)
+	client, err := newClient(g.url, user.AccessToken, g.SkipVerify)
 	if err != nil {
 		return err
 	}
@ -526,7 +527,7 @@ func (g *GitLab) Activate(ctx context.Context, user *model.User, repo *model.Rep
 // Deactivate removes a repository by removing all the post-commit hooks
 // which are equal to link and removing the SSH deploy key.
 func (g *GitLab) Deactivate(ctx context.Context, user *model.User, repo *model.Repo, link string) error {
-	client, err := newClient(g.url, user.Token, g.SkipVerify)
+	client, err := newClient(g.url, user.AccessToken, g.SkipVerify)
 	if err != nil {
 		return err
 	}
@ -671,7 +672,7 @@ func (g *GitLab) Hook(ctx context.Context, req *http.Request) (*model.Repo, *mod
 // OrgMembership returns if user is member of organization and if user
 // is admin/owner in this organization.
 func (g *GitLab) OrgMembership(ctx context.Context, u *model.User, owner string) (*model.OrgPerm, error) {
-	client, err := newClient(g.url, u.Token, g.SkipVerify)
+	client, err := newClient(g.url, u.AccessToken, g.SkipVerify)
 	if err != nil {
 		return nil, err
 	}
@ -725,7 +726,7 @@ func (g *GitLab) OrgMembership(ctx context.Context, u *model.User, owner string)
 }
 func (g *GitLab) Org(ctx context.Context, u *model.User, owner string) (*model.Org, error) {
-	client, err := newClient(g.url, u.Token, g.SkipVerify)
+	client, err := newClient(g.url, u.AccessToken, g.SkipVerify)
 	if err != nil {
 		return nil, err
 	}
@ -783,7 +784,7 @@ func (g *GitLab) loadChangedFilesFromMergeRequest(ctx context.Context, tmpRepo *
 		return nil, err
 	}
-	client, err := newClient(g.url, user.Token, g.SkipVerify)
+	client, err := newClient(g.url, user.AccessToken, g.SkipVerify)
 	if err != nil {
 		return nil, err
 	}
--- a/server/forge/gitlab/gitlab_test.go
+++ b/server/forge/gitlab/gitlab_test.go
@ -60,7 +60,7 @@ func Test_GitLab(t *testing.T) {
 	user := model.User{
 		Login:         "test_user",
-		Token:         "e3b0c44298fc1c149afbf4c8996fb",
+		AccessToken:   "e3b0c44298fc1c149afbf4c8996fb",
 		ForgeRemoteID: "3",
 	}
--- a/server/model/user.go
+++ b/server/model/user.go
@ -43,13 +43,13 @@ type User struct {
 	// required: true
 	Login string `json:"login"  xorm:"UNIQUE 'login'"`
-	// Token is the oauth2 token.
+	// AccessToken is the oauth2 access token.
-	Token string `json:"-"  xorm:"TEXT 'token'"`
+	AccessToken string `json:"-"  xorm:"TEXT 'token'"`
-	// Secret is the oauth2 token secret.
+	// RefreshToken is the oauth2 refresh token.
-	Secret string `json:"-" xorm:"TEXT 'secret'"`
+	RefreshToken string `json:"-" xorm:"TEXT 'secret'"`
-	// Expiry is the token and secret expiration timestamp.
+	// Expiry is the AccessToken expiration timestamp (unix seconds).
 	Expiry int64 `json:"-" xorm:"expiry"`
 	// Email is the email address for this user.
--- a/server/services/config/combined_test.go
+++ b/server/services/config/combined_test.go
@ -220,7 +220,7 @@ func TestFetchFromConfigService(t *testing.T) {
 			files, err := configFetcher.Fetch(
 				context.Background(),
 				f,
-				&model.User{Token: "xxx"},
+				&model.User{AccessToken: "xxx"},
 				repo,
 				&model.Pipeline{Commit: "89ab7b2d6bfb347144ac7c557e638ab402848fee"},
 				[]*forge_types.FileMeta{},
--- a/server/services/config/forge_test.go
+++ b/server/services/config/forge_test.go
@ -312,7 +312,7 @@ func TestFetch(t *testing.T) {
 			files, err := configFetcher.Fetch(
 				context.Background(),
 				f,
-				&model.User{Token: "xxx"},
+				&model.User{AccessToken: "xxx"},
 				repo,
 				&model.Pipeline{Commit: "89ab7b2d6bfb347144ac7c557e638ab402848fee"},
 				nil,
--- a/server/store/datastore/feed_test.go
+++ b/server/store/datastore/feed_test.go
@ -27,9 +27,9 @@ func TestGetPipelineQueue(t *testing.T) {
 	defer closer()
 	user := &model.User{
-		Login: "joe",
+		Login:       "joe",
-		Email: "foo@bar.com",
+		Email:       "foo@bar.com",
-		Token: "e42080dddf012c718e476da161d21ad5",
+		AccessToken: "e42080dddf012c718e476da161d21ad5",
 	}
 	assert.NoError(t, store.CreateUser(user))
@ -63,9 +63,9 @@ func TestUserFeed(t *testing.T) {
 	defer closer()
 	user := &model.User{
-		Login: "joe",
+		Login:       "joe",
-		Email: "foo@bar.com",
+		Email:       "foo@bar.com",
-		Token: "e42080dddf012c718e476da161d21ad5",
+		AccessToken: "e42080dddf012c718e476da161d21ad5",
 	}
 	assert.NoError(t, store.CreateUser(user))
@ -109,9 +109,9 @@ func TestRepoListLatest(t *testing.T) {
 	defer closer()
 	user := &model.User{
-		Login: "joe",
+		Login:       "joe",
-		Email: "foo@bar.com",
+		Email:       "foo@bar.com",
-		Token: "e42080dddf012c718e476da161d21ad5",
+		AccessToken: "e42080dddf012c718e476da161d21ad5",
 	}
 	assert.NoError(t, store.CreateUser(user))
--- a/server/store/datastore/repo_test.go
+++ b/server/store/datastore/repo_test.go
@ -165,9 +165,9 @@ func TestRepoList(t *testing.T) {
 	defer closer()
 	user := &model.User{
-		Login: "joe",
+		Login:       "joe",
-		Email: "foo@bar.com",
+		Email:       "foo@bar.com",
-		Token: "e42080dddf012c718e476da161d21ad5",
+		AccessToken: "e42080dddf012c718e476da161d21ad5",
 	}
 	assert.NoError(t, store.CreateUser(user))
@ -212,9 +212,9 @@ func TestOwnedRepoList(t *testing.T) {
 	defer closer()
 	user := &model.User{
-		Login: "joe",
+		Login:       "joe",
-		Email: "foo@bar.com",
+		Email:       "foo@bar.com",
-		Token: "e42080dddf012c718e476da161d21ad5",
+		AccessToken: "e42080dddf012c718e476da161d21ad5",
 	}
 	assert.NoError(t, store.CreateUser(user))
--- a/server/store/datastore/users_test.go
+++ b/server/store/datastore/users_test.go
@ -46,9 +46,9 @@ func TestUsers(t *testing.T) {
 		g.It("Should Update a User", func() {
 			user := model.User{
-				Login: "joe",
+				Login:       "joe",
-				Email: "foo@bar.com",
+				Email:       "foo@bar.com",
-				Token: "e42080dddf012c718e476da161d21ad5",
+				AccessToken: "e42080dddf012c718e476da161d21ad5",
 			}
 			err1 := store.CreateUser(&user)
 			err2 := store.UpdateUser(&user)
@ -61,9 +61,9 @@ func TestUsers(t *testing.T) {
 		g.It("Should Add a new User", func() {
 			user := model.User{
-				Login: "joe",
+				Login:       "joe",
-				Email: "foo@bar.com",
+				Email:       "foo@bar.com",
-				Token: "e42080dddf012c718e476da161d21ad5",
+				AccessToken: "e42080dddf012c718e476da161d21ad5",
 			}
 			err := store.CreateUser(&user)
 			g.Assert(err).IsNil()
@ -72,11 +72,11 @@ func TestUsers(t *testing.T) {
 		g.It("Should Get a User", func() {
 			user := &model.User{
-				Login:  "joe",
+				Login:        "joe",
-				Token:  "f0b461ca586c27872b43a0685cbc2847",
+				AccessToken:  "f0b461ca586c27872b43a0685cbc2847",
-				Secret: "976f22a5eef7caacb7e678d6c52f49b1",
+				RefreshToken: "976f22a5eef7caacb7e678d6c52f49b1",
-				Email:  "foo@bar.com",
+				Email:        "foo@bar.com",
-				Avatar: "b9015b0857e16ac4d94a0ffd9a0b79c8",
+				Avatar:       "b9015b0857e16ac4d94a0ffd9a0b79c8",
 			}
 			g.Assert(store.CreateUser(user)).IsNil()
@ -84,17 +84,17 @@ func TestUsers(t *testing.T) {
 			g.Assert(err).IsNil()
 			g.Assert(user.ID).Equal(getUser.ID)
 			g.Assert(user.Login).Equal(getUser.Login)
-			g.Assert(user.Token).Equal(getUser.Token)
+			g.Assert(user.AccessToken).Equal(getUser.AccessToken)
-			g.Assert(user.Secret).Equal(getUser.Secret)
+			g.Assert(user.RefreshToken).Equal(getUser.RefreshToken)
 			g.Assert(user.Email).Equal(getUser.Email)
 			g.Assert(user.Avatar).Equal(getUser.Avatar)
 		})
 		g.It("Should Get a User By Login", func() {
 			user := &model.User{
-				Login: "joe",
+				Login:       "joe",
-				Email: "foo@bar.com",
+				Email:       "foo@bar.com",
-				Token: "e42080dddf012c718e476da161d21ad5",
+				AccessToken: "e42080dddf012c718e476da161d21ad5",
 			}
 			g.Assert(store.CreateUser(user))
 			getUser, err := store.GetUserLogin(user.Login)
@ -105,14 +105,14 @@ func TestUsers(t *testing.T) {
 		g.It("Should Enforce Unique User Login", func() {
 			user1 := model.User{
-				Login: "joe",
+				Login:       "joe",
-				Email: "foo@bar.com",
+				Email:       "foo@bar.com",
-				Token: "e42080dddf012c718e476da161d21ad5",
+				AccessToken: "e42080dddf012c718e476da161d21ad5",
 			}
 			user2 := model.User{
-				Login: "joe",
+				Login:       "joe",
-				Email: "foo@bar.com",
+				Email:       "foo@bar.com",
-				Token: "ab20g0ddaf012c744e136da16aa21ad9",
+				AccessToken: "ab20g0ddaf012c744e136da16aa21ad9",
 			}
 			err1 := store.CreateUser(&user1)
 			err2 := store.CreateUser(&user2)
@ -122,15 +122,15 @@ func TestUsers(t *testing.T) {
 		g.It("Should Get a User List", func() {
 			user1 := model.User{
-				Login: "jane",
+				Login:       "jane",
-				Email: "foo@bar.com",
+				Email:       "foo@bar.com",
-				Token: "ab20g0ddaf012c744e136da16aa21ad9",
+				AccessToken: "ab20g0ddaf012c744e136da16aa21ad9",
-				Hash:  "A",
+				Hash:        "A",
 			}
 			user2 := model.User{
-				Login: "joe",
+				Login:       "joe",
-				Email: "foo@bar.com",
+				Email:       "foo@bar.com",
-				Token: "e42080dddf012c718e476da161d21ad5",
+				AccessToken: "e42080dddf012c718e476da161d21ad5",
 			}
 			g.Assert(store.CreateUser(&user1)).IsNil()
 			g.Assert(store.CreateUser(&user2)).IsNil()
@ -139,21 +139,21 @@ func TestUsers(t *testing.T) {
 			g.Assert(len(users)).Equal(2)
 			g.Assert(users[0].Login).Equal(user1.Login)
 			g.Assert(users[0].Email).Equal(user1.Email)
-			g.Assert(users[0].Token).Equal(user1.Token)
+			g.Assert(users[0].AccessToken).Equal(user1.AccessToken)
 		})
 		g.It("Should Get a User Count", func() {
 			user1 := model.User{
-				Login: "jane",
+				Login:       "jane",
-				Email: "foo@bar.com",
+				Email:       "foo@bar.com",
-				Token: "ab20g0ddaf012c744e136da16aa21ad9",
+				AccessToken: "ab20g0ddaf012c744e136da16aa21ad9",
-				Hash:  "A",
+				Hash:        "A",
 			}
 			user2 := model.User{
-				Login: "joe",
+				Login:       "joe",
-				Email: "foo@bar.com",
+				Email:       "foo@bar.com",
-				Token: "e42080dddf012c718e476da161d21ad5",
+				AccessToken: "e42080dddf012c718e476da161d21ad5",
-				Hash:  "B",
+				Hash:        "B",
 			}
 			g.Assert(store.CreateUser(&user1)).IsNil()
 			g.Assert(store.CreateUser(&user2)).IsNil()
@ -170,9 +170,9 @@ func TestUsers(t *testing.T) {
 		g.It("Should Del a User", func() {
 			user := &model.User{
-				Login: "joe",
+				Login:       "joe",
-				Email: "foo@bar.com",
+				Email:       "foo@bar.com",
-				Token: "e42080dddf012c718e476da161d21ad5",
+				AccessToken: "e42080dddf012c718e476da161d21ad5",
 			}
 			g.Assert(store.CreateUser(user)).IsNil()
 			user, err1 := store.GetUser(user.ID)
@ -185,9 +185,9 @@ func TestUsers(t *testing.T) {
 		g.It("Should get the Pipeline feed for a User", func() {
 			user := &model.User{
-				Login: "joe",
+				Login:       "joe",
-				Email: "foo@bar.com",
+				Email:       "foo@bar.com",
-				Token: "e42080dddf012c718e476da161d21ad5",
+				AccessToken: "e42080dddf012c718e476da161d21ad5",
 			}
 			g.Assert(store.CreateUser(user)).IsNil()