PAT creation API for admins with max allowable token lifetime fails to create PATs
The PAT creation API for admins on SM (https://docs.gitlab.com/ee/api/users.html#create-a-personal-access-token) suggests passing in an expires_at field optionally to create a PAT. This works correctly both with an expires_at parameter passed in to set a shorter due date or without it, to use the default 365 day expiration. We identified that setting the Max allowable lifetime for access token option (on GitLab Ultimate SM) breaks this and once a limit is set, a PAT cannot be created with or without passing in an expires_at.
To reproduce:
- Enable an Ultimate licence on GitLab SM
- Head over to Admin settings > Accounts and Limits > Max allowable lifetime for access token
- Add in 40 days as the max limit and save
- Try to create a PAT with or without an expires_at, e.g.
curl --request POST --header "PRIVATE-TOKEN: REDACTED" --data "name=mytoken45" \
     --data "scopes[]=api" "http://127.0.0.1:3000/api/v4/users/1/personal_access_tokens"
Response
{"message":"Expiration date must be before 2023-12-14"}
And with an expires_at passed that is less than the max expiration setting:
curl --request POST --header "PRIVATE-TOKEN: REDACTED" --data "name=mytoken45" --data "expires_at=2023-12-11" \
     --data "scopes[]=api" "http://127.0.0.1:3000/api/v4/users/1/personal_access_tokens"
Response
{"message":"Expiration date must be before 2023-12-14"}
- Now remove the Max allowable lifetime for access token limit, the above curls will work correctly.
Edited by Adil Farrukh