Encrypt personal tokens in Webhook URLs
Summary
While configuring a Webhook, it is sometimes necessary to put an authentication token in the Webhook URL itself (for example as a query parameter). Unfortunately, this token is stored and displayed unencrypted and is visible to every maintainer of the project. This is a security issue: anyone who can see it may copy the token and impersonate the user it belongs to.
Steps to reproduce
When configuring bi-directional mirroring, one of the suggested ways of preventing a race condition is to configure a Push Events Webhook that triggers an immediate pull through the pull mirror API. This requires adding a personal or project access token to the Webhook URL so that the request is authenticated:
- Navigate to Settings ➔ Webhooks
- Add the Webhook URL
https://gitlab.example.com/api/v4/projects/:id/mirror/pull?private_token=<your_access_token>
- Ensure that the Push Events checkbox is selected
- Click on Add Webhook to save the webhook.
What is the current bug behavior?
After saving, the new Webhook is listed below the form. As can be seen there, the private token is displayed in clear text as part of the URL and is not encrypted.
What is the expected correct behavior?
The access token in the Webhook URL should be stored encrypted and should not be visible in the Web UI.
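The masking that the expected behaviour describes, as an added example in Python that is not GitLab's own code: it redacts credential-bearing query parameters before a webhook URL is rendered or logged, and it audits a list of stored webhook URLs to report which ones carry such parameters. Only `private_token` comes from this issue; the other parameter names, the helper names and the sample URLs are assumptions constructed for the example.

```python
# Added example (not GitLab's code): redact access tokens carried in
# webhook URL query strings before display or logging, and audit a set
# of stored webhook URLs for such tokens.
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names treated as credentials. "private_token" is the
# parameter from the issue; the remaining names are assumed.
SENSITIVE_PARAMS = frozenset({"private_token", "access_token", "token", "api_key"})

# Alphanumeric placeholder so urlencode() does not percent-encode it.
REDACTED = "REDACTED"


def credential_params(url: str) -> list[str]:
    """Return the names (as written in the URL) of query parameters that
    carry a non-empty credential value. Matching is case-insensitive."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [k for k, v in pairs if k.lower() in SENSITIVE_PARAMS and v]


def redact_url_tokens(url: str) -> str:
    """Return url with every credential-bearing query value replaced by
    a placeholder. Scheme, host, path, other parameters, parameter order
    and the fragment are preserved, so the result is safe to show in a
    UI or write to a log without leaking the token."""
    parts = urlsplit(url)
    # keep_blank_values keeps "?private_token=" (empty value) intact
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    redacted = [
        (k, REDACTED if k.lower() in SENSITIVE_PARAMS and v else v)
        for k, v in pairs
    ]
    return urlunsplit(parts._replace(query=urlencode(redacted)))


def audit_webhook_urls(urls: list[str]) -> list[tuple[str, list[str]]]:
    """For every stored URL that carries a credential in its query string,
    return (redacted_url, [parameter names]). URLs without credentials are
    omitted, so the output itself never contains a token."""
    findings = []
    for url in urls:
        names = credential_params(url)
        if names:
            findings.append((redact_url_tokens(url), names))
    return findings


if __name__ == "__main__":
    # Constructed sample of stored webhook URLs; the token value is fake.
    stored = [
        "https://gitlab.example.com/api/v4/projects/42/mirror/pull"
        "?private_token=glpat-CONSTRUCTED-123&ref=main",
        "https://ci.example.com/hook",
    ]
    for redacted_url, names in audit_webhook_urls(stored):
        print(f"{redacted_url}  <- credential in: {', '.join(names)}")
```

The audit function is the check a maintainer would run over an exported list of webhook configurations; the redaction function is what a UI or log writer would apply to any URL before rendering it. Redacting only the value, not the parameter name, keeps the URL recognisable while removing the secret.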