Deploy tokens list APIs should permit filtering for active tokens
Release notes
List deploy token APIs allow filtering for only active tokens.
Problem to solve
The Deploy Tokens API endpoints for listing tokens (project/group/etc. levels) return all entries stored in the database, including revoked and expired tokens.
Furthermore, the revoke state is not added to the returned entity, so an end-user cannot perform a client-side filter removing revoked tokens from the list returned.
The feature proposed here will resolve the need to list only active tokens from the REST API.
Intended users
User experience goal
The user should be able to use the API to retrieve only, or properly filter for, currently active tokens.
Proposal
Two changes:
- Add filter params `revoked` and `expired`, of boolean type, that filter the returned response of all tokens.
  - `revoked` being true will return only revoked tokens
  - `revoked` being false will return only un-revoked tokens
  - `expired` being true will return only expired tokens
  - `expired` being false will return only un-expired tokens
  - Both filters as true will return actual active tokens, matching the list shown on the Web UI
- Add `revoked` state key-values to the returned `DeployToken` entity to allow end-users to differentiate between revoked and un-revoked tokens in any response.
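The per-filter behaviour listed above, as an added Python sketch for auditing a token inventory; it is not GitLab's code. The function names, the sample records, the `expires_at` field with ISO 8601 values, treating a missing expiry as "never expires", and treating an omitted filter as "no filtering" are all assumptions made for this example.

```python
from datetime import datetime, timezone

# Constructed sample records. `revoked` is the field the proposal adds to the
# entity; `expires_at` (ISO 8601 string or None) is an assumed field.
SAMPLE_TOKENS = [
    {"id": 1, "name": "ci-pull", "revoked": False, "expires_at": None},
    {"id": 2, "name": "old-mirror", "revoked": True, "expires_at": None},
    {"id": 3, "name": "q1-release", "revoked": False, "expires_at": "2020-01-01T00:00:00Z"},
    {"id": 4, "name": "contractor", "revoked": True, "expires_at": "2020-01-01T00:00:00Z"},
    {"id": 5, "name": "registry-ro", "revoked": False, "expires_at": "2999-01-01T00:00:00Z"},
]


def is_expired(token, now):
    """Return True if the token's expiry is in the past (assumption: None never expires)."""
    raw = token.get("expires_at")
    if raw is None:
        return False
    return datetime.fromisoformat(raw.replace("Z", "+00:00")) <= now


def filter_tokens(tokens, revoked=None, expired=None, now=None):
    """Apply the two boolean filters; None means that filter is not applied."""
    now = now or datetime.now(timezone.utc)
    kept = []
    for token in tokens:
        if revoked is not None and bool(token["revoked"]) != revoked:
            continue
        if expired is not None and is_expired(token, now) != expired:
            continue
        kept.append(token)
    return kept


def ids(tokens):
    """Helper for compact output: the ids of the given tokens."""
    return [t["id"] for t in tokens]


if __name__ == "__main__":
    for rv, ex in [(True, None), (False, None), (None, True), (None, False)]:
        print(f"revoked={rv} expired={ex} ->", ids(filter_tokens(SAMPLE_TOKENS, rv, ex)))
    # Tokens that are neither revoked nor expired, i.e. still usable credentials.
    print("usable ->", ids(filter_tokens(SAMPLE_TOKENS, revoked=False, expired=False)))
```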
Further details
Came up in a Premium plan customer's support request https://gitlab.zendesk.com/agent/tickets/183005 (internal)
Permissions and Security
Existing permissions over the Deploy Tokens API endpoints remain sufficient.
Documentation
Deploy Tokens API documentation for list actions will require updates: https://docs.gitlab.com/ee/api/deploy_tokens.html
Availability & Testing
Existing API tests will require changes to cover filters for list queries, and for the new `revoked` field returned in the response.