Add prefix to Operations::FeatureFlagsClient#token
A token is generated in Operations::FeatureFlagsClient. As defense in depth we should add a static prefix to it, to enable easier detection if an admin / user accidentally leaks it. This is not a vulnerability.
app/models/operations/feature_flags_client.rb:16:5: C: Gitlab/TokenWithoutPrefix: Tokens should be prefixed. See doc/development/secure_coding_guidelines.md#token-prefixes for more information.
add_authentication_token_field :token, encrypted: :required
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Implementation guide
Use "Add a prefix to deploy tokens" (!138438, merged) as a guide for this.

- Add glffc- as a prefix to Operations::FeatureFlagsClient tokens, with accompanying spec tests
- Update app/assets/javascripts/lib/utils/secret_detection.js with a rule to detect this new pattern, with accompanying spec tests
- Update the documentation at doc/security/token_overview.md
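As an added illustration (this is not GitLab's code and does not use the TokenAuthenticatable concern behind add_authentication_token_field), the stand-alone Ruby below models the three pieces the guide asks for: generating a token that carries the glffc- prefix, checking that a token has the expected shape, and the detection pattern that a scanner rule, such as the one to be added to secret_detection.js in JavaScript, would apply to leaked text. The 20-character URL-safe random part, the module name and the log lines are assumptions constructed for the example, not values taken from the page.

```ruby
require 'securerandom'

# Added example, not GitLab code: a minimal stand-alone model of a prefixed token
# field and the matching detection rule.
module FeatureFlagsClientToken
  PREFIX = 'glffc-'.freeze

  # Assumption: the random part is 20 URL-safe characters, the shape shared by
  # GitLab's other prefixed tokens. Adjust if the real generator differs.
  RANDOM_LENGTH = 20
  ALPHABET = [*'A'..'Z', *'a'..'z', *'0'..'9', '_', '-'].freeze
  TOKEN_CHARS = '[0-9a-zA-Z_-]'.freeze

  # Detection rule: the static prefix followed by exactly RANDOM_LENGTH token
  # characters. Lookarounds (rather than \b) stop a longer run of token
  # characters from matching and still work when the token ends in "-".
  DETECTION_RULE = /(?<!#{TOKEN_CHARS})#{Regexp.escape(PREFIX)}#{TOKEN_CHARS}{#{RANDOM_LENGTH}}(?!#{TOKEN_CHARS})/

  # Full-string shape check for a single token value.
  VALID_TOKEN = /\A#{Regexp.escape(PREFIX)}#{TOKEN_CHARS}{#{RANDOM_LENGTH}}\z/

  # Generate a fresh token: static prefix plus RANDOM_LENGTH random characters.
  def self.generate
    random = Array.new(RANDOM_LENGTH) { ALPHABET[SecureRandom.random_number(ALPHABET.size)] }.join
    PREFIX + random
  end

  # True when the value has the prefix and exactly RANDOM_LENGTH token characters.
  def self.valid?(token)
    token.is_a?(String) && token.match?(VALID_TOKEN)
  end

  # Return every token-shaped string found in arbitrary text (logs, config, chat).
  def self.find_leaks(text)
    text.scan(DETECTION_RULE)
  end

  # Constructed sample log lines: one real leak, one token with a different
  # prefix, and one truncated value that must not produce a false positive.
  SAMPLE_LOG = <<~LOG
    2024-01-01T00:00:00Z INFO client configured token=glffc-aB3dEf9hIjKlMnOpQr_- env=prod
    2024-01-01T00:00:01Z INFO unrelated deploy token gldt-aB3dEf9hIjKlMnOpQr_- ignored
    2024-01-01T00:00:02Z INFO truncated value glffc-aB3dEf9hIjKlMn should not match
  LOG
end

if __FILE__ == $PROGRAM_NAME
  token = FeatureFlagsClientToken.generate
  puts "generated: #{token} valid=#{FeatureFlagsClientToken.valid?(token)}"
  puts "leaks in sample log: #{FeatureFlagsClientToken.find_leaks(FeatureFlagsClientToken::SAMPLE_LOG).inspect}"
end
```

The same regex, with the lookarounds kept, is what the JavaScript rule needs, since the prefix is only useful if the scanner is strict about the length of the random part. Note that tokens generated before the change carry no prefix, so unless existing tokens are rotated the rule only covers tokens issued afterwards.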
Edited by Nick Malcolm