Feed token may be able to access entire GraphQL API
Problem
Similar to https://gitlab.com/gitlab-org/gitlab/-/issues/438462+, an feed token may be able to access the entire GraphQL API. The find_user_from_feed_token
call seems to be the reason.
See this comment for additional info.
Also, find_user_from_personal_access_token_for_api_or_git
call seems OK to me as personal access tokens should be access the GraphQL API.
Proposal
Feed tokens are not able to access the GraphQL API.