Self-rotating a group/personal access token that has already been rotated results in the newly rotated token being revoked as well


I initially noticed this on a GitLab Enterprise instance (17.9.1), but have verified it on GitLab.com with a personal access token.

If you have an access token with the self_rotate scope and perform a self-rotate, the original token is revoked as expected. However, if you then perform another rotation using that original (already revoked) token, the newly created token is revoked as well and no replacement token is created. In other words, a credential that should no longer be usable for anything can still invalidate its active successor.

To reproduce:

  • Create a personal access token with read_api and self_rotate scopes.
  • Verify the token is active: curl -X GET --header "PRIVATE-TOKEN:original-token" "https://gitlab.com/api/v4/personal_access_tokens/self"
  • Rotate the original token: curl -X POST --header "PRIVATE-TOKEN:original-token" "https://gitlab.com/api/v4/personal_access_tokens/self/rotate"
  • Verify the original token is now revoked: curl -X GET --header "PRIVATE-TOKEN:original-token" "https://gitlab.com/api/v4/personal_access_tokens/self"
  • Verify the new token is active: curl -X GET --header "PRIVATE-TOKEN:new-token" "https://gitlab.com/api/v4/personal_access_tokens/self"
  • Rotate the original token again: curl -X POST --header "PRIVATE-TOKEN:original-token" "https://gitlab.com/api/v4/personal_access_tokens/self/rotate"
  • Verify you receive an error stating the token was revoked.
  • Check the new token's access and verify that it has also been revoked: curl -X GET --header "PRIVATE-TOKEN:new-token" "https://gitlab.com/api/v4/personal_access_tokens/self"
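The following is an added, constructed model of the behaviour described in the reproduction steps; it is not GitLab's code and makes no claim about how the real rotation endpoint is implemented. It assumes a single plausible cause (the rotation handler follows the presented token's rotation chain and revokes the newest token before validating the presented token's own status) and shows, side by side, an unchecked rotation that reproduces the reported symptoms and a checked rotation that refuses revoked credentials up front, so that a stale token cannot touch its successor. The `TokenStore`, `Token` and `run_scenario` names are invented for this illustration.

```python
"""Constructed model of personal-access-token self-rotation (not GitLab's code)."""
from dataclasses import dataclass
from typing import Optional
import secrets


class TokenRevoked(Exception):
    """Raised when a revoked token is presented to the rotation endpoint."""


@dataclass
class Token:
    value: str
    revoked: bool = False
    successor: Optional["Token"] = None  # set when this token is rotated


class TokenStore:
    def __init__(self) -> None:
        self._by_value: dict[str, Token] = {}

    def create(self) -> Token:
        # Prefix and length are illustrative only.
        token = Token(value="glpat-" + secrets.token_hex(10))
        self._by_value[token.value] = token
        return token

    def lookup(self, value: str) -> Token:
        return self._by_value[value]

    @staticmethod
    def _newest(token: Token) -> Token:
        """Follow the rotation chain to the currently active descendant."""
        while token.successor is not None:
            token = token.successor
        return token

    def rotate_unchecked(self, value: str) -> Token:
        """Hypothetical ordering that reproduces the reported behaviour:
        the newest token in the chain is revoked first, and only then is
        the presented token's own status checked."""
        presented = self.lookup(value)
        current = self._newest(presented)
        current.revoked = True
        if presented is not current:
            # Presented token was already rotated: its active successor has just
            # been revoked and no replacement is created.
            raise TokenRevoked("token was revoked")
        replacement = self.create()
        current.successor = replacement
        return replacement

    def rotate_checked(self, value: str) -> Token:
        """Hardened ordering: authenticate the presented token before any
        state change, so a revoked token can never affect its successor."""
        presented = self.lookup(value)
        if presented.revoked:
            raise TokenRevoked("token was revoked")
        presented.revoked = True
        replacement = self.create()
        presented.successor = replacement
        return replacement


def run_scenario(checked: bool) -> dict:
    """Replay the issue's reproduction steps against one of the two handlers
    and report what an operator would observe."""
    store = TokenStore()
    rotate = store.rotate_checked if checked else store.rotate_unchecked
    original = store.create()
    replacement = rotate(original.value)          # first rotation: expected to succeed
    try:
        rotate(original.value)                    # second rotation with the revoked token
        second_error = None
    except TokenRevoked as exc:
        second_error = str(exc)
    return {
        "original_revoked": original.revoked,
        "replacement_revoked": replacement.revoked,
        "second_rotation_error": second_error,
        "tokens_issued": len(store._by_value),
    }


if __name__ == "__main__":
    print("unchecked:", run_scenario(checked=False))
    print("checked:  ", run_scenario(checked=True))
```

In the unchecked variant the second call returns the same "token was revoked" error the issue describes, yet the replacement token has been revoked as a side effect; in the checked variant the error is identical but the replacement stays active. The general rule the model illustrates is that a credential-lifecycle endpoint must fully authenticate the presented credential before mutating any related state, and an audit log that records which token triggered each revocation makes this class of defect visible.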