Notify GitLab user when PAT is auto-revoked
Proposal
When using the Personal Access Token API, revocation happens silently. We should update the flow to send an email notification to users in the event that a token is revoked.
Implementation steps
- Add new Rails mailer notifying user of PAT token revocation
- Add logic triggering mailer during revocation flows
- Add tests covering mailer triggering behavior
- Consider adding handling for additional attribution based on revoking entity
Text copy
We could use generic copy initially but to better support #371658 (closed) it would be helpful to include attribution when possible distinguishing "we revoked the token because it was public" from a more generic "the token was revoked" copy.
Additional attribution
When the Revocation API endpoint(s) receive an additional param, the token is validated. If confirmed, the notification will include additional copy notifying the user the token was auto-revoked.
See #371911 (comment 1079583037) for possible approaches
Edited by Lucas Charles