Alert when Personal Access Token (PAT) is used from a new location

Proposal

GitLab has a feature to notify users when someone logs in to their account from a new IP address (Email notification for unknown sign-ins). This can be a helpful indicator that something suspicious is occurring.

However, there is no notification if someone authenticates using a Personal Access Token (PAT). PATs are self-contained credentials. If they are accidentally exposed or stolen, there are no additional safeguards (like multi-factor authentication) to prevent them from being used.

This proposal is to implement the same type of email notification when a user's PAT is used from a new IP address. This should probably be configurable on a per-PAT basis with a single checkbox to enable/disable it, as it is common to use PATs in automation where new IP address usage occurs frequently.

This feature would provide an immediate benefit to individuals in terms of leaked or stolen PATs. It may also have a larger positive benefit within groups and on self-hosted instances. If an entire group or instance is compromised, it is likely an attacker would try to gather and use any credentials they discover. Unexpected PAT usage notifications in this scenario could provide a high-probability indicator of malicious activity.

Some users may even choose to create PATs just for this purpose, leaving them stored in sensitive areas and not actually using them to access the API. If they ever receive an alert, they will know that someone has gained access to that area. This is commonly referred to as a "canary token". This last use case will be even stronger if GitLab implements more fine-grained access control on tokens, as the canary token can be created with no sensitive permissions.
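As an added example (not GitLab's own code), the detection logic this proposal describes, replayed over a few constructed token-usage records: a PAT used from an IP not seen before raises an alert, automation tokens opt out per token, and a canary token alerts on any use at all. The record format, field names, token ids and IPs are all constructed for the example.

```python
# Added example, not GitLab's code: detect a PAT used from a never-before-seen IP.
# The JSON records, token ids, field names and IPs below are constructed for this
# example; a real implementation would persist known_ips server-side per token.
import json
from dataclasses import dataclass

@dataclass
class TokenPolicy:
    notify_on_new_ip: bool = True   # the proposed per-PAT checkbox
    canary: bool = False            # token exists only to detect misuse; any use alerts

def observe(token_id, ip, policies, known_ips):
    """Record one token use; return an alert string or None."""
    policy = policies.get(token_id, TokenPolicy())
    if policy.canary:
        return f"CANARY token {token_id} used from {ip}"
    seen = known_ips.setdefault(token_id, set())
    if ip in seen:
        return None
    seen.add(ip)                    # remember it so the same IP does not alert again
    if not policy.notify_on_new_ip: # automation tokens opt out of the email
        return None
    return f"New IP for token {token_id}: {ip}"

SAMPLE_LOG = """\
{"token_id": "t-dev", "remote_ip": "203.0.113.10", "path": "/api/v4/projects"}
{"token_id": "t-dev", "remote_ip": "203.0.113.10", "path": "/api/v4/user"}
{"token_id": "t-ci", "remote_ip": "198.51.100.7", "path": "/api/v4/jobs"}
{"token_id": "t-ci", "remote_ip": "198.51.100.8", "path": "/api/v4/jobs"}
{"token_id": "t-dev", "remote_ip": "198.51.100.200", "path": "/api/v4/projects"}
{"token_id": "t-canary", "remote_ip": "198.51.100.200", "path": "/api/v4/user"}
"""

POLICIES = {
    "t-dev": TokenPolicy(),                         # interactive developer token
    "t-ci": TokenPolicy(notify_on_new_ip=False),    # automation, IPs change often
    "t-canary": TokenPolicy(canary=True),           # never used legitimately
}

def scan(log_text, policies):
    known_ips, alerts = {}, []      # replay records in order, collect alerts
    for line in log_text.splitlines():
        rec = json.loads(line)
        alert = observe(rec["token_id"], rec["remote_ip"], policies, known_ips)
        if alert:
            alerts.append(alert)
    return alerts

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_LOG, POLICIES)))
```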

Related issues:


This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Edited by 🤖 GitLab Bot 🤖