Use oauth_app id instead of uid

Fix to use oauth application internal id instead of uid

Changelog: security
EE: true

ee/app/services/subscriptions/create_service.rb

@@ -6,7 +6,7 @@ module Subscriptions
 
     attr_reader :current_user, :customer_params, :subscription_params
 
-    CUSTOMERS_OAUTH_APP_ID_CACHE_KEY = 'customers_oauth_app_id'
+    CUSTOMERS_OAUTH_APP_UID_CACHE_KEY = 'customers_oauth_app_uid'
 
     def initialize(current_user, group:, customer_params:, subscription_params:)
       @current_user = current_user
@@ -97,9 +97,9 @@ module Subscriptions
       Gitlab::SubscriptionPortal::Client
     end
 
-    def customers_oauth_app_id
-      Rails.cache.fetch(CUSTOMERS_OAUTH_APP_ID_CACHE_KEY, expires_in: 1.hour) do
-        response = client.customers_oauth_app_id
+    def customers_oauth_app_uid
+      Rails.cache.fetch(CUSTOMERS_OAUTH_APP_UID_CACHE_KEY, expires_in: 1.hour) do
+        response = client.customers_oauth_app_uid
 
         response.dig(:data, 'oauth_app_id')
       end
@@ -107,15 +107,15 @@ module Subscriptions
 
     def oauth_token
       strong_memoize(:oauth_token) do
-        next unless customers_oauth_app_id
+        next unless customers_oauth_app_uid
 
-        application = Doorkeeper::Application.find_by_uid(customers_oauth_app_id)
+        application = Doorkeeper::Application.find_by_uid(customers_oauth_app_uid)
         existing_token = Doorkeeper::AccessToken.matching_token_for(application, current_user.id, application.scopes)
 
         next existing_token if existing_token
 
         Doorkeeper::AccessToken.new(
-          application_id: customers_oauth_app_id,
+          application_id: application.id,
           resource_owner_id: current_user.id,
           token: Doorkeeper::OAuth::Helpers::UniqueToken.generate,
           scopes: application.scopes.to_s

ee/lib/gitlab/subscription_portal/clients/rest.rb

@@ -33,7 +33,7 @@ module Gitlab
             http_get("api/payment_methods/#{id}", admin_headers)
           end
 
-          def customers_oauth_app_id
+          def customers_oauth_app_uid
             http_get("api/v1/oauth_app_id", admin_headers)
           end
 

ee/spec/lib/gitlab/subscription_portal/clients/rest_spec.rb

@@ -125,9 +125,9 @@ RSpec.describe Gitlab::SubscriptionPortal::Clients::Rest do
     it_behaves_like 'when http call raises an exception'
   end
 
-  describe '#customers_oauth_app_id' do
+  describe '#customers_oauth_app_uid' do
     subject do
-      client.customers_oauth_app_id
+      client.customers_oauth_app_uid
     end
 
     let(:http_method) { :get }

ee/spec/services/subscriptions/create_service_spec.rb

@@ -36,7 +36,7 @@ RSpec.describe Subscriptions::CreateService do
 
   describe '#execute' do
     before do
-      allow(client).to receive(:customers_oauth_app_id).and_return( { data: { 'oauth_app_id' => oauth_app.uid } } )
+      allow(client).to receive(:customers_oauth_app_uid).and_return( data: { 'oauth_app_id' => oauth_app.uid })
       allow(Doorkeeper::OAuth::Helpers::UniqueToken).to receive(:generate).and_return('foo_token')
     end
 
@@ -74,6 +74,14 @@ RSpec.describe Subscriptions::CreateService do
         expect { execute }.to change { Doorkeeper::AccessToken.count }.by(1)
       end
 
+      it 'creates oauth token with correct application id' do
+        execute
+
+        created_oauth_token = Doorkeeper::AccessToken.find_by_token('foo_token')
+
+        expect(created_oauth_token.application_id).to eq(oauth_app.id)
+      end
+
       context 'when failing to create a subscription' do
         before do
           allow(client).to receive(:create_subscription).and_return(success: false, data: { errors: 'failed to create subscription' })