Rotating credentials for a more secure API (non-oauth)
It would be great if GitLab allowed use of temporary credentials when consuming the API (other than OAuth). Any pathway to achieve that would do, even an obscure one (as long as it's supported). Correct me if I'm being silly, but it seems this is currently not possible:
- going in through `api/v3/session` gives you a `private_token`, which is an insecure plain-text stored password that is never automatically reset
- the session cookie is a dead end too from the API perspective: according to the docs, "using the API to generate a new session cookie is currently not supported"
- there are no API calls available to reset the
- there are no API calls available for personal access tokens.
I guess the most obvious solution is to expose the `private_token` reset call through the API, and make it return the new private token. I could then reset the token on a schedule.
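To make the proposed scheduled rotation concrete, here is an added example (not part of the original issue and not GitLab's own code). It assumes a hypothetical reset endpoint, `/api/v3/user/private_token/reset`, which GitLab did not offer at the time of the post, and replaces the real server with a constructed in-memory stand-in so the code runs offline. The point it demonstrates beyond the post is the safe-rotation order: obtain the new token, verify it actually works, and only then retire the old one.

```python
"""
Added example: scheduled private_token rotation against a hypothetical
reset endpoint.  FakeGitLab is a constructed stand-in for the server so
the code runs offline; the reset path is an assumption, not a real
GitLab API route.
"""
import secrets
from dataclasses import dataclass, field

ROTATE_AFTER_SECONDS = 24 * 3600  # assumed rotation policy: once a day


class FakeGitLab:
    """Constructed stand-in for the server; holds one private_token per user."""

    def __init__(self):
        self.token = secrets.token_hex(10)

    def request(self, path, token):
        """Minimal request model: returns (status, json_body)."""
        if token != self.token:
            return 401, {}
        if path == "/api/v3/user":
            return 200, {"username": "alice"}
        if path == "/api/v3/user/private_token/reset":  # hypothetical endpoint
            self.token = secrets.token_hex(10)
            return 200, {"private_token": self.token}
        return 404, {}


@dataclass
class TokenState:
    token: str
    issued_at: float          # seconds since epoch when the token was issued
    history: list = field(default_factory=list)  # retired tokens, for audit


def rotation_due(state, now, interval=ROTATE_AFTER_SECONDS):
    """True once the current token is older than the rotation interval."""
    return now - state.issued_at >= interval


def rotate(server, state, now):
    """Fetch a new token, verify it, then retire the old one (in that order)."""
    status, body = server.request("/api/v3/user/private_token/reset", state.token)
    if status != 200 or "private_token" not in body:
        raise RuntimeError(f"reset failed: HTTP {status}")
    new = body["private_token"]
    if new == state.token:
        # A reset that hands back the same secret defeats the purpose.
        raise RuntimeError("server returned the same token; refusing to continue")
    # Confirm the new token is accepted before discarding the old one.
    check, _ = server.request("/api/v3/user", new)
    if check != 200:
        raise RuntimeError("new token rejected by the server")
    state.history.append(state.token)
    state.token = new
    state.issued_at = now
    return state


def tick(server, state, now):
    """One scheduler pass: rotate only when due.  Returns True if rotated."""
    if rotation_due(state, now):
        rotate(server, state, now)
        return True
    return False


if __name__ == "__main__":
    srv = FakeGitLab()
    st = TokenState(token=srv.token, issued_at=0.0)
    print("rotated at t=100:", tick(srv, st, 100.0))
    print("rotated at t=1d+1:", tick(srv, st, ROTATE_AFTER_SECONDS + 1))
    print("retired tokens:", len(st.history))
```

The verification step before retiring the old token matters operationally: if the reset succeeds on the server but the response is lost, a client that blindly overwrote its stored token would be locked out, whereas this client still holds the old credential and can detect the mismatch on its next call.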