GitLab tokens with unset expiration are quietly set to expire in 365 days
Summary
When creating a new access token with no expiration set, the UI does not provide any indication that a non-expiring token is not supported. The expiration date field shows no warning or error. After clicking submit, no expiration date is shown. The user is left to assume that the token will not expire, when in fact the token's expiration date has been set to 365 days.
Reproduction steps are for group access token, but I believe this also applies to project and personal access tokens.
Steps to reproduce
- From the Group > Settings > Access Tokens > Add new token
- Set token name "example"
- Click the X button to remove the Expiration date
- Click Create group access token
Example Project
N/A
What is the current bug behavior?
Token is created with 365 day expiration and no messaging is provided during or after token creation that an expiration was set.
What is the expected correct behavior?
UI should be clear that the 365 day expiration is set before and after token creation.
Relevant logs and/or screenshots
Output of checks
Results of GitLab environment info
GitLab self-managed v16.9.8-ee
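Because the UI gives no indication of the expiry, the token listing is the place to confirm what was actually stored. The following is an added example, not part of the original report or GitLab's own code: it audits a token list shaped like the response of the group access tokens API (`GET /groups/:id/access_tokens`) and flags active tokens whose lifetime matches the 365-day default described above, tokens with no expiry, and tokens about to expire. The sample data is constructed; the one-day tolerance and the 30-day warning window are assumptions.

```python
import json
from datetime import date, datetime

# Constructed sample, shaped like a group access tokens API response.
SAMPLE_RESPONSE = json.dumps([
    {"id": 1, "name": "example", "active": True, "revoked": False,
     "created_at": "2024-05-01T10:15:00.000Z", "expires_at": "2025-05-01"},
    {"id": 2, "name": "ci-deploy", "active": True, "revoked": False,
     "created_at": "2025-02-01T08:00:00.000Z", "expires_at": "2025-08-01"},
    {"id": 3, "name": "legacy", "active": True, "revoked": False,
     "created_at": "2023-01-10T09:30:00.000Z", "expires_at": None},
    {"id": 4, "name": "old-bot", "active": False, "revoked": True,
     "created_at": "2024-04-20T12:00:00.000Z", "expires_at": "2025-04-20"},
])


def created_date(timestamp):
    """Convert an ISO 8601 created_at value (trailing 'Z') to a date."""
    return datetime.fromisoformat(timestamp.replace("Z", "+00:00")).date()


def audit_tokens(tokens, today, warn_days=30):
    """Return {token name: [flags]} for active tokens that need attention."""
    findings = {}
    for tok in tokens:
        if tok.get("revoked") or not tok.get("active", True):
            continue  # revoked or inactive tokens cannot surprise anyone
        flags = []
        if tok.get("expires_at") is None:
            flags.append("no-expiry")
        else:
            expires = date.fromisoformat(tok["expires_at"])
            lifetime = (expires - created_date(tok["created_at"])).days
            # Assumption: allow one day of slack for time zone rounding.
            if abs(lifetime - 365) <= 1:
                flags.append("default-365")
            if (expires - today).days <= warn_days:
                flags.append("expires-soon")
        if flags:
            findings[tok["name"]] = flags
    return findings


if __name__ == "__main__":
    report = audit_tokens(json.loads(SAMPLE_RESPONSE), today=date(2025, 4, 15))
    for name, flags in report.items():
        print(f"{name}: {', '.join(flags)}")
```

A `default-365` flag only shows that the lifetime equals 365 days; a token whose owner deliberately chose a one-year expiry is flagged the same way and needs a manual check.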