Populate default expiration and pre-select least privilege scopes when creating new access tokens
Problem
Currently we don't enforce a default expiration on access tokens (Personal Access Tokens (PATs), Project Access Tokens and Group Access Tokens) created by users. It looks like enforcing access token expiration is a feature that is only available in Ultimate. Are there any plans to extend this feature to all tiers?
Access tokens usually get inadvertently leaked in git repos or elsewhere, and the impact of a Maintainer-level PAT leak can be pretty high and may cause reputational damage to GitLab. Even for Ultimate customers, an admin would have to enable the setting to enforce PAT expiration, and we don't select an expiration time by default. The default is no expiration.
Proposal
We have a lot of good advice under the Security Considerations section, and I think it would be great if the advice listed there were enabled by default for our access tokens, for example:
- Pre-selecting the least-privilege scope for users on the access token creation page (users would have to select other scopes if they are doing a job that needs higher privileges)
- Enforcing a short expiration time on access tokens, etc., by default.
This can all be customizable of course but we need to have secure and sensible defaults in place to protect users in case of an accidental access token leakage.
We recently implemented default expiration for OAuth access tokens in !69514 (merged); it would be nice to do that for access tokens as well.
The security improvements mentioned above must be applied to all types of access tokens we have in the application now (Personal Access Tokens (PATs), Project Access Tokens and Group Access Tokens) and to upcoming features like Service Accounts and the tokens generated using them.
/cc @lmcandrew @dennis @hsutor
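As an added example (not part of the issue and not GitLab's own code), here is the policy the proposal describes written as a small Python helper: secure defaults applied to a new-token request (least-privilege scope pre-selected, expiry defaulted and clamped) plus an audit of existing tokens for missing or over-long expiry and broad scopes. The 30-day limit, the choice of `read_api` as the least-privilege scope, and the set of "broad" scopes are assumptions for the example; the record shape (`name`, `scopes`, `expires_at`, `active`) is modelled on the personal access token API, and the sample records are constructed.

```python
"""Secure-default and audit helpers for access tokens.

Example code written for this issue, not GitLab's implementation. The policy
values below are assumptions chosen to illustrate the proposal.
"""
from datetime import date, timedelta

# Assumed policy values (customizable in the proposal; these are not GitLab defaults).
MAX_LIFETIME_DAYS = 30
LEAST_PRIVILEGE_SCOPES = ["read_api"]
BROAD_SCOPES = {"api", "write_repository", "sudo"}  # scopes that hurt most when leaked


def apply_secure_defaults(request, today):
    """Fill in secure defaults for a token-creation request.

    - no scopes requested      -> pre-select the least-privilege scope
    - no expiry requested      -> today + MAX_LIFETIME_DAYS
    - expiry beyond the limit  -> clamped to the limit
    `expires_at` is an ISO date string (YYYY-MM-DD) or None, as in the API.
    """
    latest = today + timedelta(days=MAX_LIFETIME_DAYS)
    scopes = list(request.get("scopes") or LEAST_PRIVILEGE_SCOPES)
    requested = request.get("expires_at")
    expires = date.fromisoformat(requested) if requested else latest
    if expires > latest:
        expires = latest
    return {"name": request["name"], "scopes": scopes, "expires_at": expires.isoformat()}


def audit_tokens(tokens, today):
    """Return (name, reason) findings for active tokens that violate the policy."""
    findings = []
    latest = today + timedelta(days=MAX_LIFETIME_DAYS)
    for tok in tokens:
        if not tok.get("active", True):
            continue  # revoked/expired tokens are not a live exposure
        expires = tok.get("expires_at")
        if expires is None:
            findings.append((tok["name"], "no expiration"))
        elif date.fromisoformat(expires) > latest:
            findings.append((tok["name"], "expiry exceeds policy limit"))
        broad = sorted(BROAD_SCOPES & set(tok.get("scopes", [])))
        if broad:
            findings.append((tok["name"], "broad scopes: " + ",".join(broad)))
    return findings


# Constructed sample records shaped like personal access token API output.
TODAY = date(2022, 6, 1)
SAMPLE_TOKENS = [
    {"id": 1, "name": "ci-deploy", "scopes": ["read_repository"], "expires_at": "2022-06-20", "active": True},
    {"id": 2, "name": "laptop", "scopes": ["api"], "expires_at": None, "active": True},
    {"id": 3, "name": "old-script", "scopes": ["api", "sudo"], "expires_at": "2025-01-01", "active": True},
    {"id": 4, "name": "revoked", "scopes": ["api"], "expires_at": None, "active": False},
]


if __name__ == "__main__":
    print(apply_secure_defaults({"name": "new-token"}, TODAY))
    for name, reason in audit_tokens(SAMPLE_TOKENS, TODAY):
        print(f"{name}: {reason}")
```

With the sample above, the request with no scopes and no expiry comes back with `read_api` and an expiry 30 days out, and the audit flags the never-expiring `laptop` token, the far-future `old-script` token, and the broad scopes on both, while ignoring the revoked one.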