Limit `personal_access_tokens/self` endpoint to PAT

Original Issue

The endpoint `personal_access_tokens/self` is used to return the details about the current access token. But the same endpoint is available outside PAT scope as well. When authenticated with a browser session it returns `null` with the response code 200. When using an OAuth token it returns

```json
{"error":"insufficient_scope","error_description":"The request requires higher privileges than provided by the access token.","scope":"api read_api read_user create_runner k8s_proxy read_repository write_repository read_registry write_registry read_observability write_observability ai_features sudo admin_mode api read_api"}
```

which is misleading.

Also it gives a 500 error in some scenarios.

```
API::Entities::PersonalAccessToken missing attribute `name' on #<OauthAccessToken:0x00007fc7536f39a8>

            is_delegatable || raise(
                              ^^^^^
[lib/gitlab/json.rb:130:in `dump', lib/gitlab/json.rb:130:in `adapter_dump', lib/gitlab/json.rb:52:in `dump', lib/gitlab/json.rb:194:in `call', lib/api/api_guard.rb:219:in `call', ee/lib/gitlab/middleware/ip_restrictor.rb:14:in `block in call', ee/lib/gitlab/ip_address_state.rb:10:in `with', ee/lib/gitlab/middleware/ip_restrictor.rb:13:in `call', lib/api/api_guard.rb:219:in `call', ee/lib/omni_auth/strategies/group_saml.rb:41:in `other_phase', lib/gitlab/metrics/elasticsearch_rack_middleware.rb:16:in `call', lib/gitlab/middleware/memory_report.rb:13:in `call', lib/gitlab/middleware/speedscope.rb:13:in `call', lib/gitlab/database/load_balancing/rack_middleware.rb:23:in `call', lib/gitlab/middleware/rails_queue_duration.rb:33:in `call', lib/gitlab/etag_caching/middleware.rb:21:in `call', lib/gitlab/metrics/rack_middleware.rb:16:in `block in call', lib/gitlab/metrics/web_transaction.rb:46:in `run', lib/gitlab/metrics/rack_middleware.rb:16:in `call', lib/gitlab/middleware/go.rb:20:in `call', lib/gitlab/middleware/query_analyzer.rb:11:in `block in call', lib/gitlab/database/query_analyzer.rb:37:in `within', lib/gitlab/middleware/query_analyzer.rb:11:in `call', lib/gitlab/middleware/multipart.rb:173:in `call', lib/gitlab/middleware/read_only/controller.rb:50:in `call', lib/gitlab/middleware/read_only.rb:18:in `call', lib/gitlab/middleware/same_site_cookies.rb:27:in `call', lib/gitlab/middleware/path_traversal_check.rb:35:in `call', lib/gitlab/middleware/handle_malformed_strings.rb:21:in `call', lib/gitlab/middleware/basic_health_check.rb:25:in `call', lib/gitlab/middleware/handle_ip_spoof_attack_error.rb:25:in `call', lib/gitlab/middleware/request_context.rb:15:in `call', lib/gitlab/middleware/webhook_recursion_detection.rb:15:in `call', config/initializers/fix_local_cache_middleware.rb:11:in `call', lib/gitlab/middleware/compressed_json.rb:44:in `call', lib/gitlab/middleware/rack_multipart_tempfile_factory.rb:19:in `call', lib/gitlab/middleware/sidekiq_web_static.rb:20:in `call', lib/gitlab/metrics/requests_rack_middleware.rb:79:in `call', lib/gitlab/middleware/release_env.rb:13:in `call']
```

Summary

The endpoint `personal_access_tokens/self` is used to return details about the current access token. However, this endpoint is also reachable with credentials other than a Personal Access Token (PAT), leading to misleading behaviour and errors.

  • When authenticated with a browser session, it returns `null` with response code 200.

  • When using an OAuth token, it returns

```json
{
  "error": "insufficient_scope",
  "error_description": "The request requires higher privileges than provided by the access token.",
  "scope": "api read_api read_user create_runner k8s_proxy read_repository write_repository read_registry write_registry read_observability write_observability ai_features sudo admin_mode api read_api"
}
```

This response is misleading: it suggests the token lacks a scope, when the real problem is that the endpoint is answering a credential type it was never meant to serve.

  • In some scenarios, the endpoint returns a 500 error:

```
API::Entities::PersonalAccessToken missing attribute `name' on #<OauthAccessToken:0x00007fc7536f39a8>

            is_delegatable || raise(
                              ^^^^^
[lib/gitlab/json.rb:130:in `dump', lib/gitlab/json.rb:130:in `adapter_dump', lib/gitlab/json.rb:52:in `dump', lib/gitlab/json.rb:194:in `call', lib/api/api_guard.rb:219:in `call', ee/lib/gitlab/middleware/ip_restrictor.rb:14:in `block in call', ee/lib/gitlab/ip_address_state.rb:10:in `with', ee/lib/gitlab/middleware/ip_restrictor.rb:13:in `call', lib/api/api_guard.rb:219:in `call', ee/lib/omni_auth/strategies/group_saml.rb:41:in `other_phase', lib/gitlab/metrics/elasticsearch_rack_middleware.rb:16:in `call', lib/gitlab/middleware/memory_report.rb:13:in `call', lib/gitlab/middleware/speedscope.rb:13:in `call', lib/gitlab/database/load_balancing/rack_middleware.rb:23:in `call', lib/gitlab/middleware/rails_queue_duration.rb:33:in `call', lib/gitlab/etag_caching/middleware.rb:21:in `call', lib/gitlab/metrics/rack_middleware.rb:16:in `block in call', lib/gitlab/metrics/web_transaction.rb:46:in `run', lib/gitlab/metrics/rack_middleware.rb:16:in `call', lib/gitlab/middleware/go.rb:20:in `call', lib/gitlab/middleware/query_analyzer.rb:11:in `block in call', lib/gitlab/database/query_analyzer.rb:37:in `within', lib/gitlab/middleware/query_analyzer.rb:11:in `call', lib/gitlab/middleware/multipart.rb:173:in `call', lib/gitlab/middleware/read_only/controller.rb:50:in `call', lib/gitlab/middleware/read_only.rb:18:in `call', lib/gitlab/middleware/same_site_cookies.rb:27:in `call', lib/gitlab/middleware/path_traversal_check.rb:35:in `call', lib/gitlab/middleware/handle_malformed_strings.rb:21:in `call', lib/gitlab/middleware/basic_health_check.rb:25:in `call', lib/gitlab/middleware/handle_ip_spoof_attack_error.rb:25:in `call', lib/gitlab/middleware/request_context.rb:15:in `call', lib/gitlab/middleware/webhook_recursion_detection.rb:15:in `call', config/initializers/fix_local_cache_middleware.rb:11:in `call', lib/gitlab/middleware/compressed_json.rb:44:in `call', lib/gitlab/middleware/rack_multipart_tempfile_factory.rb:19:in `call', lib/gitlab/middleware/sidekiq_web_static.rb:20:in `call', lib/gitlab/metrics/requests_rack_middleware.rb:79:in `call', lib/gitlab/middleware/release_env.rb:13:in `call']
```

The 500 arises because `API::Entities::PersonalAccessToken` is asked to serialize an `OauthAccessToken`, which has no `name` attribute.

Steps To Reproduce

  1. Attempt to access the `personal_access_tokens/self` endpoint while authenticated with a browser session.
  2. Attempt to access the same endpoint using an OAuth token.
  3. Observe the responses in both cases.

What is the current bug behaviour?

See summary

  • Browser session: `null` with a 200 response
  • OAuth token: misleading `insufficient_scope` error
  • 500 Internal Server Error in some scenarios

What is the expected correct behaviour?

  • The endpoint should only return valid data when accessed with a valid PAT, and it should not be accessible outside the intended scope.
  • In the case of insufficient scope, the response should indicate a lack of authorization clearly without misleading null responses or 500 errors.
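The expected behaviour above amounts to a credential-type check that runs before the PAT entity is ever serialized. The following is an added, hypothetical Ruby sketch of that guard, not GitLab's own code: the struct types, the `present_pat` serializer and the `personal_access_tokens_self` handler are all constructed stand-ins for illustration. It shows the two defects from the summary being closed at once: a non-PAT credential gets an explicit 401 with a reason (instead of `null` or a scope error), and the serializer that needs `name` is only reached for a PAT (so the `missing attribute` 500 cannot occur).

```ruby
require 'json'

# Constructed stand-ins for the credential types an API request may carry.
# Illustrative structs only; they are not GitLab's models.
PersonalAccessToken = Struct.new(:id, :name, :scopes, :expires_at, keyword_init: true)
OauthAccessToken    = Struct.new(:id, :scopes, keyword_init: true)
BrowserSession      = Struct.new(:user_id, keyword_init: true)

# Serializer written for a PAT. Handing it an OauthAccessToken is exactly
# the "missing attribute `name'" failure from the issue, so the handler
# below must never call it for any other credential type.
def present_pat(token)
  {
    'id'         => token.id,
    'name'       => token.name,
    'scopes'     => token.scopes,
    'expires_at' => token.expires_at
  }
end

# Hypothetical handler for GET /personal_access_tokens/self.
# Returns [http_status, body_hash]. Only a PAT yields 200 with token
# details; a session, an OAuth token or no credential at all gets a
# clear 401 that names the requirement, never a null body or a 500.
def personal_access_tokens_self(credential)
  case credential
  when PersonalAccessToken
    [200, present_pat(credential)]
  when OauthAccessToken, BrowserSession
    [401, {
      'message' => '401 Unauthorized',
      'error'   => 'This endpoint requires authentication with a personal access token'
    }]
  else
    [401, { 'message' => '401 Unauthorized' }]
  end
end

# Convenience wrapper producing the JSON a client would actually see.
def respond_json(credential)
  status, body = personal_access_tokens_self(credential)
  [status, JSON.generate(body)]
end

if __FILE__ == $PROGRAM_NAME
  pat = PersonalAccessToken.new(id: 1, name: 'ci-token', scopes: ['read_api'], expires_at: nil)
  [pat, OauthAccessToken.new(id: 2, scopes: ['api']), BrowserSession.new(user_id: 7), nil].each do |cred|
    puts respond_json(cred).inspect
  end
end
```

The ordering is the point: deciding the credential type first means the entity is only ever given an object that satisfies its contract, and every other caller receives a deterministic 401 that a client (or a log-based detector watching for repeated non-PAT hits on this path) can interpret without guessing.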
Edited Nov 05, 2024 by Hakeem Abdul-Razak