Group access token with an updated expires_at date is still removed

Summary

When a group access token is created, and afterwards its expiry date is updated in rails-console, it is still removed at the original expires_at date.
This does not occur with personal access tokens.

Steps to reproduce

  • Create a group access token with expiry date set to tomorrow
  • In gitlab-rails console, extend the expiry date of the token: PersonalAccessToken.where(id: 248).update_all(expires_at: 1.month.from_now)
  • Notice the token being removed the next day due to "access expired"

What is the current bug behavior?

The group access token is removed on the original expires_at date, and not at the updated expires_at date.

What is the expected correct behavior?

The group access token is extended and will be removed at the updated expires_at date.
With personal access tokens, the updated expires_at date is respected.

Relevant logs and/or screenshots

GET /api/v4/groups/2165/access_tokens

[
  {
    "id": 248,
    "name": "test",
    "revoked": false,
    "created_at": "2024-09-03T10:46:40.891Z",
    "scopes": [
      "api"
    ],
    "user_id": 827,
    "last_used_at": null,
    "active": true,
    "expires_at": "2024-09-04",
    "access_level": 30
  }
]
# gitlab-rails console
[WARNING] Object storage for ci_secure_files must have a bucket specified
--------------------------------------------------------------------------------
 Ruby:         ruby 3.1.5p253 (2024-04-023 revision 1945f8dc0e) [x86_64-linux]
 GitLab:       17.3.1-ee (df01858216e) EE
 GitLab Shell: 14.38.0
 PostgreSQL:   14.11
------------------------------------------------------------[ booted in 43.31s ]
WARNING: Active Record does not support composite primary key.

security_findings has composite primary key. Composite primary key is ignored.
Loading production environment (Rails 7.0.8.4)
irb(main):002:0> PersonalAccessToken.where(id: 248).update_all(expires_at: 1.month.from_now)
=> 1

GET /api/v4/groups/2165/access_tokens

[
  {
    "id": 248,
    "name": "test",
    "revoked": false,
    "created_at": "2024-09-03T10:46:40.891Z",
    "scopes": [
      "api"
    ],
    "user_id": 827,
    "last_used_at": null,
    "active": true,
    "expires_at": "2024-10-03",
    "access_level": 30
  }
]

image

Output of checks

Results of GitLab environment info

Expand for output related to GitLab environment info 

System information
System:
Proxy:          no
Current User:   git
Using RVM:      no
Ruby Version:   3.1.5p253
Gem Version:    3.5.11
Bundler Version:2.5.11
Rake Version:   13.0.6
Redis Version:  7.0.15
Sidekiq Version:7.1.6
Go Version:     unknown

GitLab information
Version:        17.3.1-ee
Revision:       df01858216e
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     PostgreSQL
DB Version:     14.11
URL:            https://x.x.team.x
HTTP Clone URL: https://x.x.team.x/some-group/some-project.git
SSH Clone URL:  git@x.x.team.x:some-group/some-project.git
Elasticsearch:  yes
Geo:            no
Using LDAP:     no
Using Omniauth: yes
Omniauth Providers: saml

GitLab Shell
Version:        14.38.0
Repository storages:
- default:      tcp://x.x.64.6:8075
- gitaly2:      tcp://x.x.64.11:8075
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell

Gitaly
- default Address:      tcp://x.x.64.6:8075
- default Version:      17.3.1
- default Git Version:  2.45.2
- gitaly2 Address:      tcp://x.x.64.11:8075
- gitaly2 Version:      17.3.1
- gitaly2 Git Version:  2.45.2

Results of GitLab application Check

Expand for output related to the GitLab application check 
Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 14.38.0 ? ... OK (14.38.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful


Checking GitLab Shell ... Finished


Checking Gitaly ...


Gitaly: ... default ... OK
gitaly2 ... OK


Checking Gitaly ... Finished


Checking Sidekiq ...


Sidekiq: ... Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 1/2


Checking Sidekiq ... Finished


Checking Incoming Email ...


Incoming Email: ... Reply by email is disabled in config/gitlab.yml


Checking Incoming Email ... Finished


Checking LDAP ...


LDAP: ... LDAP is disabled in config/gitlab.yml


Checking LDAP ... Finished


Checking GitLab App ...


Database config exists? ... yes
Tables are truncated? ... skipped
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Cable config exists? ... yes
Resque config exists? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Systemd unit files or init script exist? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Systemd unit files or init script up-to-date? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Projects have namespace: ...
68/35 ... yes
...
Redis version >= 6.2.14? ... yes
Ruby version >= 3.0.6 ? ... yes (3.1.5)
Git user has default SSH configuration? ... yes
Active users: ... 305
Is authorized keys file accessible? ... skipped (authorized keys not enabled)
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Elasticsearch version 7.x-8.x or OpenSearch version 1.x ... yes (elasticsearch 8.12.0)
All migrations must be finished before doing a major upgrade ... yes


Checking GitLab App ... Finished


Checking GitLab subtasks ... Finished