Move validation hook to creation: avoids having to check scope validity in before hook

app/models/carto/api_key.rb

@@ -143,8 +143,8 @@ module Carto
       )
     end
 
-    def self.build_oauth_key(user: Carto::User.find(scope_attributes['user_id']), name:, grants:)
-      new(
+    def self.create_oauth_key!(user: Carto::User.find(scope_attributes['user_id']), name:, grants:)
+      create!(
         user: user,
         type: TYPE_OAUTH,
         name: name,

app/models/carto/oauth_access_token.rb

@@ -16,7 +16,7 @@ module Carto
 
     validates :scopes, scopes: true
 
-    before_validation :ensure_api_key
+    before_create :create_api_key
     after_create :rename_api_key
 
     scope :expired, -> { where('created_at < ?', Time.now - ACCESS_TOKEN_EXPIRATION_TIME) }
@@ -27,11 +27,11 @@ module Carto
 
     private
 
-    def ensure_api_key
+    def create_api_key
       grants = [{ type: 'apis', apis: [] }]
       scopes.each { |s| SCOPES_BY_NAME[s].add_to_api_key_grants(grants) }
 
-      self.api_key ||= oauth_app_user.user.api_keys.build_oauth_key(
+      self.api_key = oauth_app_user.user.api_keys.create_oauth_key!(
         name: "oauth_authorization #{SecureRandom.uuid}",
         grants: grants
       )

spec/models/carto/oauth_access_token_spec.rb

@@ -18,7 +18,7 @@ module Carto
       end
 
       it 'auto generates api_key' do
-        access_token = OauthAccessToken.new(oauth_app_user: @app_user)
+        access_token = OauthAccessToken.create!(oauth_app_user: @app_user)
         expect(access_token).to(be_valid)
         expect(access_token.api_key).to(be)
         expect(access_token.api_key.type).to(eq('oauth'))