POST /-/subscriptions creates OAuth token w/ expiration
What does this MR do and why?
- When a POST request is made to `/-/subscriptions` we call `GitlabSubscriptions::CreateService`, which then creates an OAuth access token.
- Access token created here: https://gitlab.com/gitlab-org/gitlab/-/blob/c4105d26999da65f070bce3b7a329f5ee3e79acc/ee/app/controllers/subscriptions_controller.rb#L104-109
- In theory, all OAuth tokens created in GitLab should have an expiration, so this logic was unexpected.
- Removed support for OAuth tokens without expiration here: #340848 (closed)
- We will backfill `expires_in` for all of these tokens, but first we need to set a default `expires_in`.
- It is possible that these OAuth tokens don't even work. So perhaps this OAuth token flow will be removed in the future via customers-gitlab-com#4682
- I've asked #g_fulfillment_platform about this and they said 2 hours is a safe default: https://gitlab.slack.com/archives/C037WQ2BUGK/p1669935926384809
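The two behaviours the bullets above contrast, as an added illustration that is not GitLab's code: a token created with no `expires_in` never expires, while one created with a default of 2 hours does, and pre-existing unbounded tokens can be backfilled with that same default. The token model, `DEFAULT_EXPIRES_IN`, `create_access_token`, `create_access_token_without_expiry` and `backfill_expires_in` are hypothetical names for this example; only the `expires_in` field and the 2-hour value come from the MR description.

```ruby
# Added illustration (not GitLab's code). Models an OAuth access token with
# Doorkeeper-style created_at / expires_in fields to show why a default
# expiration matters. All names here are hypothetical.
require 'time'
require 'securerandom'

# Two hours, the default the MR description adopts for subscription tokens.
DEFAULT_EXPIRES_IN = 2 * 60 * 60 # seconds

AccessToken = Struct.new(:token, :created_at, :expires_in, keyword_init: true) do
  # A token with no expires_in never expires; that is the gap being closed.
  def expired?(now = Time.now)
    return false if expires_in.nil?

    now >= created_at + expires_in
  end
end

# Mirrors the "before" behaviour: the caller passes no expiration at all.
def create_access_token_without_expiry(now = Time.now)
  AccessToken.new(token: SecureRandom.hex(32), created_at: now, expires_in: nil)
end

# The "after" behaviour: expires_in falls back to the default when not given.
def create_access_token(expires_in: DEFAULT_EXPIRES_IN, now: Time.now)
  AccessToken.new(token: SecureRandom.hex(32), created_at: now, expires_in: expires_in)
end

# Backfill step described in the MR: give every existing token that has no
# expires_in the default, leaving already-bounded tokens untouched.
# Returns the number of tokens updated.
def backfill_expires_in(tokens, default = DEFAULT_EXPIRES_IN)
  updated = 0
  tokens.each do |t|
    next unless t.expires_in.nil?

    t.expires_in = default
    updated += 1
  end
  updated
end

if __FILE__ == $PROGRAM_NAME
  # Constructed timestamps so the run is deterministic.
  t0 = Time.utc(2022, 12, 1, 12, 0, 0)
  unbounded = create_access_token_without_expiry(t0)
  bounded = create_access_token(now: t0)
  puts "unbounded token expired a year later?  #{unbounded.expired?(t0 + 365 * 24 * 3600)}"
  puts "default token expired after 2h + 1s?   #{bounded.expired?(t0 + DEFAULT_EXPIRES_IN + 1)}"
  puts "tokens backfilled: #{backfill_expires_in([unbounded, bounded])}"
end
```

The backfill only touches tokens whose `expires_in` is nil, so tokens that already carry a shorter lifetime keep it; that is the property to verify before running such a migration against real data.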
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
How to set up and validate locally
Confirm that nothing with subscriptions is broken:
- go to the group billing page, purchase an Ultimate subscription and verify the purchase was successful
- go to the group usage quota page -> pipeline tab and click on buy more minutes
- fill out the checkout form and click on confirm purchase
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Jessie Young