Allow user/admin/group to generate a new application secret
What does this MR do and why?
Relates to #338243 (closed)
This MR will create a new application secret key on three scopes: user/admin/group. doorkeeper 5.2.2 has such a change, "[#1315] Allow generation of new secret with Doorkeeper::Application#renew_secret" [1], to support single secret rotation. This indicates the ability of doorkeeper to have a new secret. However, it can't have multiple secrets as GitHub did according to this.
[1]. https://github.com/doorkeeper-gem/doorkeeper/blob/main/CHANGELOG.md
How to set up and validate locally
User application
- Go to /-/profile/applications
- Add a new application and click Save application
  - Name - test.
  - Redirect URI - https://test.com.
  - Scopes - click api.
- Find the newly created application at Your applications & click Name, then find out the current secret. Make sure to copy and paste the secret somewhere.
- Click the Renew secret button.
- You will see the warning message "Are you sure to renew the secret?" and then click the red Renew secret button.
- Check the secret again, and it should be changed to a new value.
- Go to any other page and try to edit the application again; you should see the copy button is gone.
Admin application
- Go to admin/applications
- For the remaining steps, please see User application.
Group application
- Go to groups/<group>/-/settings/applications
- For the remaining steps, please see User application.
Screenshots or screen recordings
Step 5, and click Renew secret.
Step 6 - the secret should be updated.
Step 7 - the copy button is gone
screen recording
Screen_Recording_2023-01-24_at_10.43.48_pm
Concerns
- This MR only adds secret renewal to user application. I am not sure if it needs to rotate admin/group secret too. The issue description says User but I guess admin application could also apply??
  A: The group/admin/user all share the same UI interface & tests but not backend controller. Changing the controller for group/admin is a must, otherwise admin/group renewal will show 404 after sending a PUT request.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Hannah Sutor
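
A minimal model of the single-secret rotation described above, as an added example (not GitLab's or Doorkeeper's code). `DemoApplication` and its methods are hypothetical, and storing only a SHA-256 digest of the secret is an assumption used to show why the old secret stops working at once and why the plaintext can be copied only right after renewal.

```ruby
require "securerandom"
require "digest"

# Hypothetical stand-in for an OAuth application record (assumption, not a real class).
class DemoApplication
  attr_reader :secret_digest, :plaintext_secret

  def initialize
    renew_secret
  end

  # Single-secret rotation: the new digest overwrites the old one, so the
  # previous secret stops authenticating immediately (no overlap window).
  def renew_secret
    @plaintext_secret = SecureRandom.hex(32)
    @secret_digest = Digest::SHA256.hexdigest(@plaintext_secret)
    self
  end

  # Models a later request loading the record from storage: only the digest
  # was persisted, so there is nothing left to show or copy.
  def reload
    @plaintext_secret = nil
    self
  end

  # Compare digests without short-circuiting on the first differing byte.
  def secret_matches?(candidate)
    given = Digest::SHA256.hexdigest(candidate.to_s)
    diff = 0
    given.bytes.zip(secret_digest.bytes) { |a, b| diff |= a ^ b }
    diff.zero?
  end
end

# Walks through one rotation and reports what each secret can still do.
def rotation_demo
  app = DemoApplication.new
  old_secret = app.plaintext_secret
  before = app.secret_matches?(old_secret)
  new_secret = app.renew_secret.plaintext_secret
  app.reload
  {
    old_valid_before: before,
    old_valid_after: app.secret_matches?(old_secret),
    new_valid: app.secret_matches?(new_secret),
    plaintext_after_reload: app.plaintext_secret
  }
end
```

Because only one secret exists at a time, every client using the old value must be updated together with the renewal.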