Only save token on successful customer create

ee/app/services/subscriptions/create_service.rb

@@ -18,6 +18,8 @@ module Subscriptions
 
       return response unless response[:success]
 
+      oauth_token&.save
+
       # We can't use an email from GL.com because it may differ from the billing email.
       # Instead we use the email received from the CustomersDot as a billing email.
       customer_data = response.with_indifferent_access[:data][:customer]
@@ -45,7 +47,7 @@ module Subscriptions
 
     def credentials_attrs
       {
-        token: oauth_token
+        token: oauth_token&.token
       }
     end
 
@@ -101,18 +103,21 @@ module Subscriptions
     end
 
     def oauth_token
-      return unless customers_oauth_app_id
+      @oauth_token ||= begin
+        return unless customers_oauth_app_id
 
-      application = Doorkeeper::Application.find_by_uid(customers_oauth_app_id)
-      existing_token = Doorkeeper::AccessToken.matching_token_for(application, current_user.id, application.scopes)
+        application = Doorkeeper::Application.find_by_uid(customers_oauth_app_id)
+        existing_token = Doorkeeper::AccessToken.matching_token_for(application, current_user.id, application.scopes)
 
-      return existing_token if existing_token
+        return existing_token if existing_token
 
-      Doorkeeper::AccessToken.create!(
-        application_id: customers_oauth_app_id,
-        resource_owner_id: current_user.id,
-        scopes: application.scopes.to_s
-      ).token
+        Doorkeeper::AccessToken.new(
+          application_id: customers_oauth_app_id,
+          resource_owner_id: current_user.id,
+          token: Doorkeeper::OAuth::Helpers::UniqueToken.generate,
+          scopes: application.scopes.to_s
+        )
+      end
     end
   end
 end

ee/spec/fixtures/create_service_params.json

@@ -2,7 +2,9 @@
   "customer": {
     "provider": "gitlab",
     "uid": 111,
-    "credentials": {},
+    "credentials": {
+      "token": "foo_token"
+    },
     "customer": {
       "country": "NLD",
       "address_1": "Address line 1",

ee/spec/services/subscriptions/create_service_spec.rb

@@ -7,6 +7,7 @@ RSpec.describe Subscriptions::CreateService do
 
   let_it_be(:user) { create(:user, id: 111, first_name: 'First name', last_name: 'Last name', email: 'first.last@gitlab.com') }
   let_it_be(:group) { create(:group, id: 222, name: 'Group name') }
+  let_it_be(:oauth_app) { create(:oauth_application) }
 
   let_it_be(:customer_params) do
     {
@@ -33,6 +34,11 @@ RSpec.describe Subscriptions::CreateService do
   let_it_be(:create_service_params) { Gitlab::Json.parse(fixture_file('create_service_params.json', dir: 'ee')).deep_symbolize_keys }
 
   describe '#execute' do
+    before do
+      allow(client).to receive(:customers_oauth_app_id).and_return( { data: { 'customers_oauth_app_id' => oauth_app.uid } } )
+      allow(Doorkeeper::OAuth::Helpers::UniqueToken).to receive(:generate).and_return('foo_token')
+    end
+
     context 'when failing to create a customer' do
       before do
         allow(client).to receive(:create_customer).and_return(success: false, data: { errors: 'failed to create customer' })
@@ -41,6 +47,10 @@ RSpec.describe Subscriptions::CreateService do
       it 'returns the response hash' do
         expect(execute).to eq(success: false, data: { errors: 'failed to create customer' })
       end
+
+      it 'does not save oauth token' do
+        expect { execute }.not_to change { Doorkeeper::AccessToken.count }
+      end
     end
 
     context 'when successfully creating a customer' do
@@ -57,6 +67,10 @@ RSpec.describe Subscriptions::CreateService do
         execute
       end
 
+      it 'saves oauth token' do
+        expect { execute }.to change { Doorkeeper::AccessToken.count }.by(1)
+      end
+
       context 'when failing to create a subscription' do
         before do
           allow(client).to receive(:create_subscription).and_return(success: false, data: { errors: 'failed to create subscription' })