Allow creating Personal Access Tokens through the website

Merged Timothy Andrew requested to merge 2979-personal-access-tokens into master Apr 15, 2016
  • Overview 117
  • Commits 47
  • Changes 19

Related to #2979 (closed)

  • Allow a user to create personal access tokens, and use them to authenticate
  • Refactor API::Helpers into API::Helpers::Core and API::Helpers::Authentication

Tasks

  • #2979 (closed) (!3749 (merged)) - Personal Access Tokens
    • Basic Implementation
      • Add UI to add "Personal Access Tokens"
      • Reload lib/api on every request
      • Respect these tokens for API requests
      • Just a param or a header too?
      • Allow revoking tokens
      • Expire tokens
      • Left bar should have a "PAT" icon
      • Scopes?
      • Copy to Clipboard
      • Show active/inactive tokens separately
        • No need to check for expired/revoked in the appropriate places
      • Why does regular ApplicationController check for private token?
      • Support non-API requests
      • Revert (or work on) lib/api eager loading
    • Create MR
    • Refactoring
    • Fix tests
    • Write more tests
    • Add screenshots to MR
    • Add description of query performance to MR
    • Limit the number of queries in the personal_access_tokens page
    • Wait for CI to pass
    • Fix merge issues in schema.rb
    • Assign MR to endboss
    • Wait for feedback
    • Fix feedback
      • Wait for CI to pass
    • Assign to @rspeicher
    • Fix @rspeicher's comments
    • Wait for CI to pass
    • Assign back to @rspeicher
    • Write documentation and ping @axil
    • Wait for Axil to respond
    • Assign to endboss
    • Address Douwe's feedback
      • Use the private_token or authentication_token param instead of personal_access_token
      • Ditto for the header
    • Assign to endboss
    • Make sure CI is green
    • Address Douwe's feedback
      • Don't go through the authenticate_user_from_private_token! method, if a private token is supplied (or combine them)
      • In authenticate_user_from_personal_access_token! don't hit DB if token_string is nil
      • Use current_user.personal_access_tokens.build in the controller
      • Remove the "We aren't using personal_access_token as the root param" comment
      • No need for = "...", we can just have the Inactive ... #{...} on the next line in the view
      • Render dates in a (more) human format
      • CSS issue with table
      • Don't show the tokens in the UI indefinitely
      • How to implement scopes? Add-on to current impl? Doorkeeper?
    • Wait for @DouweM's comments about scopes
    • Address @DouweM's second review
      • Try not using native['innerHTML']
      • use contexts for all "when ..."
      • Ensure consistency (styling) with other pages for "You don't have any tokens" message
      • "Actions" table column doesn't need a label
      • %td can be moved outside of the if/else statement
      • The header title should be "Profile Settings"
      • Can this be a before_create, so we don't need to use generate?
      • If it couldn't be revoked, will we show an error?
      • If it couldn't be saved, will we show an error?
    • Merge master
    • Update CHANGELOG entry
    • Add tests for form errors?
    • Post screenshots
    • Tag @jschatz1 for review
    • Wait for build to pass
    • Respond to @jschatz1's comments
      • Hardcoded colors should be variables
      • Should not be allowed to choose a date in the past
      • Use the same table as in the Applications tab
      • button should say "Create Personal Access Token"
      • Float the revoke to the right on the a
      • Change revocation message. "Are you sure you want to revoke this certificate? This action cannot be undone."
      • Date stays selected and looks selected even though date is set as "never".
      • hover on the calendar button shifts (not caused by this MR - happens on milestones#new as well)
      • Don't use the panel for the created token
        • Use a normal flash for "Your new personal access token has been created"
        • Show the input (with the token) below it full width.
        • Put the "Make sure you save it - you won't be able to access it again." message near the input
      • Have the input highlight all on single click
    • Update screenshots
    • Merge master in + conflicts
    • Assign to @jschatz1 again
    • Respond to @jschatz1's comments
      • No button for clipboard, only link
      • text-danger
      • highlight fade on that area where the token was created
    • Make sure build is green
    • Assign to @jschatz1
    • Wait for build to pass
    • Respond to @DouweM's feedback
      • move the redirect_to out of the if/else
      • certificate -> token
      • datepicker back to text field
      • combine the get_user_from_private_token and get_user_from_personal_access_token methods in ApplicationController
      • combine the get_user_from_private_token and get_user_from_personal_access_token methods in lib/api/helpers
      • don't need the new constants
    • Wait for build to pass
    • Wait for merge

Screenshots

Screen_Shot_2016-06-16_at_8.30.33_AM Screen_Shot_2016-06-16_at_8.30.44_AM Screen_Shot_2016-06-16_at_8.31.02_AM Screen_Shot_2016-06-16_at_8.31.29_AM
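
The token checks named in the task list above (accept the token from the private_token param or header, skip the database lookup when no token is supplied, reject revoked and expired tokens), as an added sketch that is not code from this merge request or from GitLab. `TokenStore`, `active?` and `user_from_token` are hypothetical names, and the in-memory store is a constructed stand-in for the real table.

```ruby
require 'securerandom'

# Constructed in-memory stand-in for the personal access tokens table.
class TokenStore
  Record = Struct.new(:user, :token, :expires_at, :revoked)
  attr_reader :lookups

  def initialize
    @records = {}
    @lookups = 0 # counts simulated database hits
  end

  # Generates the token value at creation time and returns the record.
  def create(user, expires_at: nil)
    rec = Record.new(user, SecureRandom.hex(20), expires_at, false)
    @records[rec.token] = rec
  end

  def find(token)
    @lookups += 1
    @records[token]
  end
end

# A token is active only if it is neither revoked nor past its expiry.
# A nil expires_at means the token never expires.
def active?(rec, now)
  !rec.revoked && (rec.expires_at.nil? || rec.expires_at > now)
end

# Reads the token from the private_token param or the PRIVATE-TOKEN header.
# Returns the user, or nil when the token is absent, unknown, revoked or expired.
def user_from_token(store, params: {}, headers: {}, now: Time.now)
  token = params['private_token'] || headers['PRIVATE-TOKEN']
  return nil if token.nil? || token.empty? # no store lookup for a missing token

  rec = store.find(token)
  (rec && active?(rec, now)) ? rec.user : nil
end
```
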

Source branch: 2979-personal-access-tokens