Prefix Personal Access Tokens and other authentication tokens for easier detection
When logging requests and other data GitLab tries to filter tokens to the best of its ability. However, if any tokens get missed it's hard to detect, and this might only get noticed after an incident.
My proposal would be to use a fixed prefix for all authentication tokens we use, to be set on add_authentication_token_field :token
Example:

```ruby
# Ci::Build model
add_authentication_token_field :token, prefix: 'GLCI'
```

The token as output should be `GLCI-<SecureRandomToken>`. This change should be backwards compatible, so tokens being used right now should still work.
Models using tokens that I know of:
- Ci::Build
- Ci::Runner
- PersonalAccessToken
- ApplicationSettings 2x
- DeployToken
- User 2x
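To make the detection benefit concrete, here is an added example (not GitLab code, and not the real `add_authentication_token_field` implementation) of a prefixed-token scheme and a log filter that uses the prefix to find and redact tokens. The prefixes `GLCI` and `GLPAT` are assumed from the proposal above; the log lines are constructed for the example.

```ruby
require 'securerandom'

# Hypothetical helper mirroring the proposal: a fixed, known prefix followed by
# a separator and a random part, so tokens are recognisable in logs.
module PrefixedToken
  SEPARATOR = '-'
  RANDOM_LENGTH = 20

  # Generate a token such as "GLCI-<random>".
  def self.generate(prefix)
    "#{prefix}#{SEPARATOR}#{SecureRandom.alphanumeric(RANDOM_LENGTH)}"
  end

  # Returns the matching prefix, or nil for a legacy (unprefixed) token.
  # Legacy tokens are still accepted, which keeps the change backwards compatible.
  def self.type_of(token, prefixes)
    prefixes.find { |p| token.start_with?("#{p}#{SEPARATOR}") }
  end

  # Regex that finds any known prefixed token in free text such as a log line.
  def self.pattern(prefixes)
    alternatives = prefixes.map { |p| Regexp.escape(p) }.join('|')
    /\b(?:#{alternatives})#{SEPARATOR}[A-Za-z0-9]{#{RANDOM_LENGTH}}\b/
  end

  # Redact prefixed tokens, keeping the prefix so the token type stays visible.
  def self.redact(line, prefixes)
    line.gsub(pattern(prefixes)) do |m|
      "#{m.split(SEPARATOR, 2).first}#{SEPARATOR}[FILTERED]"
    end
  end
end

KNOWN_PREFIXES = %w[GLCI GLPAT].freeze

# Constructed sample log lines: one leaked prefixed token, one legacy token.
SAMPLE_LOG_LINES = [
  "GET /api/v4/projects private_token=GLPAT-#{'x' * 20} status=200",
  "GET /api/v4/projects private_token=#{'y' * 20} status=200"
].freeze

# Apply the filter to every line; only the prefixed token can be caught by
# pattern alone, which is exactly the detection gap the proposal closes.
def filter_log(lines, prefixes = KNOWN_PREFIXES)
  lines.map { |l| PrefixedToken.redact(l, prefixes) }
end

puts filter_log(SAMPLE_LOG_LINES) if __FILE__ == $PROGRAM_NAME
```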
Tokens without prefix

As of 2022-09-23

- Instance runner registration token (specific runners have a prefix, generated by admins in `/admin/runners`)
- Runner token (the one the runner receives after using the registration token)
- Deploy tokens
- Health Check access token (generated by admins in `/admin/health_check`)
- Incoming email token (per user, `/-/profile/personal_access_tokens`)
- Feed token (per user, `/-/profile/personal_access_tokens`)
- OAuth application secret (wouldn't hurt to prefix the ID either 🤷)