Use rss token for atom access
What does this MR do?

1. It introduces a new token User#rss_token which is scoped to only atom requests. This new token is used for atom links instead of using the User#private_token. Backwards compatibility to old rss links is maintained (i.e. old links with the private_token still work).
2. It allows the user to reset his RSS token on his settings page.

- Use rss token for all atom links
- Authenticate requests to atom resources by rss_token
- Rake task to revoke all rss tokens
- Add section in the user's account settings to reset the rss token
- Remove dead code related to creating an initial security token.
Are there points in the code the reviewer needs to double check?
I removed a piece of code that wasn't working anymore (the else
section in https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/11647//diffs#08fd831b7f7f75c6d0ec762f3079245f1ff09857).
Why was this MR needed?
Improves the security of GitLab as the private tokens are not exposed in rss links anymore.
The development of this MR is sponsored by @siemens.
Screenshots (if relevant)
before:
after:
account settings:
Does this MR meet the acceptance criteria?

- Changelog entry added, if necessary
- Documentation created/updated
- API support added
- Tests
  - Added for this feature/bug
  - All builds are passing
- Conform by the merge request performance guides
- Conform by the style guides
- Branch has no merge conflicts with master (if it does - rebase it please)
- Squashed related commits together
What are the relevant issue numbers?
Implements step 1. from @DouweM's comment https://gitlab.com/gitlab-org/gitlab-ce/issues/29810#note_28404385
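The token scoping and fallback described in this MR, shown as an added stand-alone Ruby example that is not GitLab's code: a hypothetical User stand-in holds two independent secrets, an authenticator for atom resources honours rss_token only when the request format is atom, still accepts a legacy private_token on feed links, and a reset plus a revoke-all helper mirror the settings page and the rake task. Token generation (SecureRandom.hex(20)), the request shape ({format:, params:}) and the class names are assumptions made for the example.

```ruby
require 'securerandom'

# Hypothetical stand-in for the User model (added example, not GitLab's code):
# two independent secrets, so leaking a feed URL never exposes the
# general-purpose private token.
class User
  attr_reader :id, :private_token, :rss_token

  def initialize(id)
    @id = id
    @private_token = User.generate_token
    @rss_token = User.generate_token
  end

  # Assumption: a 160-bit random hex string for both tokens.
  def self.generate_token
    SecureRandom.hex(20)
  end

  # Rotating the RSS token invalidates every feed URL that embedded the old
  # value while leaving the private token used elsewhere untouched.
  def reset_rss_token!
    @rss_token = User.generate_token
  end
end

# Constant-time comparison so a token lookup does not reveal, through response
# timing, how long a matching prefix of the guess was.
def secure_compare(expected, given)
  return false if expected.nil? || given.nil?
  return false unless expected.bytesize == given.bytesize
  diff = 0
  expected.bytes.zip(given.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Authenticates a request described as format: and params: (a constructed
# stand-in for a Rails request) against an in-memory list of users.
class AtomTokenAuthenticator
  def initialize(users)
    @users = users
  end

  # Returns the matching User, or nil when no acceptable credential is present.
  def authenticate(format:, params:)
    # rss_token is scoped to atom: on any other format the authenticator
    # refuses outright, so the feed token grants nothing beyond feeds.
    return nil unless format == :atom

    return find_by_token(:rss_token, params[:rss_token]) if params[:rss_token]

    # Backwards compatibility: old feed links carrying private_token keep working.
    return find_by_token(:private_token, params[:private_token]) if params[:private_token]

    nil
  end

  private

  def find_by_token(attribute, candidate)
    @users.find { |u| secure_compare(u.public_send(attribute), candidate) }
  end
end

# Equivalent of the revoke-all rake task: rotate every user's RSS token and
# report how many were rotated.
def revoke_all_rss_tokens!(users)
  users.each(&:reset_rss_token!)
  users.size
end

if __FILE__ == $PROGRAM_NAME
  # Demo with a constructed user.
  alice = User.new(1)
  auth = AtomTokenAuthenticator.new([alice])
  puts auth.authenticate(format: :atom, params: { rss_token: alice.rss_token })&.id
  puts auth.authenticate(format: :json, params: { rss_token: alice.rss_token }).inspect
end
```

The point to check when reviewing a change like this is the first guard in `authenticate`: the feed token must be rejected on every non-atom format, otherwise scoping it buys nothing. The legacy branch is deliberately second so that a request carrying both parameters is judged by the narrower credential.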