Enforce prefixing for new tokens
In https://docs.gitlab.com/ee/development/secure_coding_guidelines.html#token-prefixes we mandate that tokens are prefixed, so that they can be detected by secret detection if leaked. Now that many of our tokens have prefixes, we should enforce this for new additions. This also increases efficiency: developers don't need to go back and add a prefix later, there is no worry about needing to rotate existing tokens later, no need for a feature-flagged rollout, etc.
Context
- Prefix all authentication tokens for easier det... (&8923)
- https://gitlab.com/gitlab-com/gl-security/appsec/appsec-team/-/issues/482+
Proposal
- Introduce a RuboCop cop for uses of `add_authentication_token_field` without `format_with_prefix`
- Evaluate the failures:
  - Add to https://gitlab.com/gitlab-com/gl-security/appsec/appsec-team/-/issues/482+ if remediation is warranted
  - Add `rubocop:disable` if it isn't
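The check the proposed cop would perform, written here as an added example rather than the project's own cop: it walks the Ruby AST with `RubyVM::AbstractSyntaxTree` (MRI stdlib, so it runs without the rubocop gem) and reports every `add_authentication_token_field` call whose arguments never mention `format_with_prefix:`. The method and keyword names are the ones from this proposal; the sample model source is constructed for illustration and is not GitLab code.

```ruby
# Added example: stand-alone approximation of the proposed cop using
# RubyVM::AbstractSyntaxTree instead of RuboCop's node-pattern API.
# Method and keyword names come from the proposal; everything else here
# is illustrative.

TOKEN_FIELD_METHOD = :add_authentication_token_field
REQUIRED_KEYWORD   = :format_with_prefix

# Depth-first visit of every AST node under `node`.
def each_node(node, &block)
  return unless node.is_a?(RubyVM::AbstractSyntaxTree::Node)

  yield node
  node.children.each { |child| each_node(child, &block) }
end

# True when some node in the subtree carries `sym` directly as a child.
# Symbol literals are LIT nodes on Ruby <= 3.3 and SYM nodes on Ruby >= 3.4;
# both expose the symbol itself as a child, so this check covers either.
def mentions_symbol?(node, sym)
  each_node(node) { |n| return true if n.children.include?(sym) }
  false
end

# Scans `source` and returns one hash per offending call:
#   { line: <first line of the call>, message: <RuboCop-style message> }
def find_unprefixed_token_fields(source)
  root = RubyVM::AbstractSyntaxTree.parse(source)
  offenses = []

  each_node(root) do |node|
    # FCALL = bare call with args, CALL = explicit receiver, VCALL = bare name
    next unless %i[FCALL CALL VCALL].include?(node.type)
    next unless node.children.include?(TOKEN_FIELD_METHOD)
    next if mentions_symbol?(node, REQUIRED_KEYWORD)

    offenses << {
      line: node.first_lineno,
      message: "#{TOKEN_FIELD_METHOD} must pass #{REQUIRED_KEYWORD}: " \
               "so the token is detectable by secret detection if leaked"
    }
  end

  offenses
end

# Constructed sample model: the first field is prefixed, the second is not.
SAMPLE_SOURCE = <<~RUBY
  class Project < ApplicationRecord
    include TokenAuthenticatable

    add_authentication_token_field :runners_token,
      encrypted: :optional,
      format_with_prefix: :runners_token_prefix

    add_authentication_token_field :legacy_token, encrypted: :optional
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  find_unprefixed_token_fields(SAMPLE_SOURCE).each do |offense|
    puts "sample.rb:#{offense[:line]}: #{offense[:message]}"
  end
end
```

Run as a script, it reports only the `:legacy_token` declaration on line 8 of the sample. A real cop in the repository would do the same match with RuboCop's `def_node_matcher` over a `(send nil? :add_authentication_token_field ...)` pattern and call `add_offense` on the node; the failures it surfaces are then triaged exactly as the proposal describes, either fixed (with the prefix added and tracked in the appsec issue) or annotated with `rubocop:disable`.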
Not this proposal
- Making `format_with_prefix` a required parameter (that would break existing uses)