Personal Access Tokens are not purged if there is no explicit max age set.
Summary
Expired Personal Access Tokens are not automatically cleaned up if the instance does not have an explicit maximum token lifetime set.
The worker checks the lifetime setting and, if it is not set, skips the job entirely:
```ruby
def perform
  expiration_date = ::Gitlab::CurrentSettings.max_personal_access_token_lifetime_from_now
  return unless expiration_date

  User.with_invalid_expires_at_tokens(expiration_date).find_each do |user|
    PersonalAccessTokens::RevokeInvalidTokens.new(user, expiration_date).execute
  end
end
```
```ruby
# This will be nil if the setting wasn't explicitly set
expiration_date = ::Gitlab::CurrentSettings.max_personal_access_token_lifetime_from_now
# Causing this to skip the work
return unless expiration_date
```
Moreover, this setting cannot be configured on a non-Ultimate instance at all, because that field is gated behind Ultimate.
Steps to reproduce
Assuming an Ultimate instance with no maximum lifetime set:
- Create a personal access token that expires tomorrow
- Wait
- Token will be revoked, not visible in the UI, but never purged from the database
Set the maximum lifetime to 365 days:
- Create a personal access token that expires tomorrow
- Wait
- Token will be revoked, not visible in the UI, and purged from the database
What is the current bug behavior?
Revoked personal access tokens are never deleted.
What is the expected correct behavior?
Revoked personal access tokens should be deleted after they expire.
Possible fixes
Use the default timeframe for the cleanup job, specifically `PersonalAccessToken::MAX_PERSONAL_ACCESS_TOKEN_LIFETIME_IN_DAYS`.
In the policy worker, add an `||` so that the expiration date falls back to the default timeframe when the setting is nil:
```ruby
expiration_date = ::Gitlab::CurrentSettings.max_personal_access_token_lifetime_from_now || PersonalAccessToken::MAX_PERSONAL_ACCESS_TOKEN_LIFETIME_IN_DAYS.days.from_now
```
This is the default that is already in use when creating a token.
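The following is an added, self-contained Ruby model of the worker control flow described in this issue; it is not GitLab's code. It stands in for `max_personal_access_token_lifetime_from_now` (nil when unset), for `MAX_PERSONAL_ACCESS_TOKEN_LIFETIME_IN_DAYS` (constructed value 365), and for `with_invalid_expires_at_tokens`, whose selection rule is assumed here to be "no expiry, or an expiry later than the cutoff". It runs the same sample tokens through the skipping version and the version with the `||` fallback, so the difference in what gets revoked is visible without a GitLab instance.

```ruby
require 'date'

# Constructed stand-in for PersonalAccessToken::MAX_PERSONAL_ACCESS_TOKEN_LIFETIME_IN_DAYS.
DEFAULT_MAX_LIFETIME_DAYS = 365

# Constructed token record: name, expires_at (Date or nil), revoked flag.
Token = Struct.new(:name, :expires_at, :revoked)

# Stand-in for CurrentSettings.max_personal_access_token_lifetime_from_now:
# nil when an admin never set a maximum lifetime (or the field is gated away).
def lifetime_from_settings(max_lifetime_days, today)
  max_lifetime_days.nil? ? nil : today + max_lifetime_days
end

# Current behaviour: no setting means no cutoff, so the worker has nothing to act on.
def cutoff_without_fallback(max_lifetime_days, today)
  lifetime_from_settings(max_lifetime_days, today)
end

# Proposed fix: fall back to the default lifetime when the setting is nil.
def cutoff_with_fallback(max_lifetime_days, today)
  lifetime_from_settings(max_lifetime_days, today) || today + DEFAULT_MAX_LIFETIME_DAYS
end

# Assumed predicate for with_invalid_expires_at_tokens: a token is invalid when it
# has no expiry at all or its expiry lies beyond the allowed cutoff.
def invalid_tokens(tokens, cutoff)
  return [] if cutoff.nil? # the `return unless expiration_date` early exit
  tokens.select { |t| t.expires_at.nil? || t.expires_at > cutoff }
end

# Run the worker body once and return the names of the tokens it revoked.
def run_worker(tokens, max_lifetime_days, today, with_fallback:)
  cutoff = if with_fallback
             cutoff_with_fallback(max_lifetime_days, today)
           else
             cutoff_without_fallback(max_lifetime_days, today)
           end
  invalid_tokens(tokens, cutoff).each { |t| t.revoked = true }.map(&:name)
end

# Constructed sample data: a fixed "today" and three tokens with different expiries.
TODAY = Date.new(2024, 1, 1)
SAMPLE_TOKENS = [
  Token.new('ci-deploy', TODAY + 30, false),
  Token.new('never-expires', nil, false),
  Token.new('two-years', TODAY + 730, false)
].freeze

if __FILE__ == $PROGRAM_NAME
  fresh = -> { SAMPLE_TOKENS.map(&:dup) }
  puts "no setting, no fallback:   #{run_worker(fresh.call, nil, TODAY, with_fallback: false).inspect}"
  puts "no setting, with fallback: #{run_worker(fresh.call, nil, TODAY, with_fallback: true).inspect}"
  puts "setting = 365 days:        #{run_worker(fresh.call, 365, TODAY, with_fallback: false).inspect}"
end
```

With no setting and no fallback the worker revokes nothing, which is the reported bug; with the `||` fallback it behaves exactly as an instance where the admin set 365 days.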