
Allow user/admin/group to generate a new application secret

nobody requested to merge jgao1025/gitlab:issue-338243 into master

What does this MR do and why?

Relates to #338243 (closed)

This MR will create a new application secret key on three scopes: user/admin/group. Doorkeeper 5.2.2 has such a change, [#1315] Allow generation of new secret with Doorkeeper::Application#renew_secret [1], to support single-secret rotation. This shows that Doorkeeper is able to generate a new secret. However, it can't have multiple secrets as GitHub does, according to this.

[1]. https://github.com/doorkeeper-gem/doorkeeper/blob/main/CHANGELOG.md

How to set up and validate locally

User application

  1. Go to /-/profile/applications.
  2. Add a new application and click Save application:
     - Name - test
     - Redirect URI - https://test.com
     - Scopes - click api
  3. Find the newly created application under Your applications, click its Name, and find the current secret. Make sure to copy and paste the secret somewhere.
  4. Click the Renew secret button.
  5. You will see the warning message "Are you sure to renew the secret?"; click the red Renew secret button.
  6. Check the secret again; it should be changed to a new value.
  7. Go to any other page and try to edit the application again; you should see that the copy button is gone.

Admin application

  1. Go to admin/applications; for the remaining steps, see User application.

Group application

  1. Go to groups/<group>/-/settings/applications; for the remaining steps, see User application.

Screenshots or screen recordings

Step 5 - click Renew secret. [Screenshot: application_2]

Step 6 - the secret should be updated. [Screenshot: application4]

Step 7 - the copy button is gone. [Screenshot: application3]

Screen recording: [Screen_Recording_2023-01-24_at_10.43.48_pm]

Concerns

  1. This MR only adds secret renewal to the user application. I am not sure if it needs to rotate admin/group secrets too. The issue description says User, but I guess the admin application could also apply?? A: The group/admin/user all share the same UI interface & tests but not the backend controller. Changing the controller for group/admin is a must; otherwise admin/group renewal will show 404 after sending the PUT request.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Hannah Sutor
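The single-secret rotation semantics described in "What does this MR do" and the "copy button is gone" step above, as an added illustration that is not GitLab's or Doorkeeper's own code: the class name, the SHA-256 storage of the secret and the constant-time comparison are assumptions of this example, not something the MR states.

```ruby
# Added example, not Doorkeeper or GitLab code. Models one application with a
# single secret slot: renewing it invalidates the old value immediately (there
# is no second secret, unlike GitHub's multiple-secret scheme), and the
# plaintext is handed out exactly once, at creation or renewal, which is why
# the UI can no longer offer a copy button after you navigate away.
require 'securerandom'
require 'digest'

class OAuthApplication
  attr_reader :name, :renewed_at

  # Returns [app, plaintext_secret]; the plaintext is the caller's to keep.
  def self.create(name)
    app = new(name)
    [app, app.renew_secret!]
  end

  def initialize(name)
    @name = name
    @secret_digest = nil
    @renewed_at = nil
  end

  # Mirrors the behaviour of Doorkeeper::Application#renew_secret described
  # above: generate a fresh secret and replace the stored one. Returns the new
  # plaintext, the only time it is available. Assumption for this example:
  # only a SHA-256 digest is stored, never the plaintext.
  def renew_secret!
    plaintext = SecureRandom.hex(32)
    @secret_digest = Digest::SHA256.hexdigest(plaintext)
    @renewed_at = Time.now
    plaintext
  end

  # True only for the current secret; a previously issued secret fails as soon
  # as renew_secret! has run.
  def secret_matches?(candidate)
    return false if candidate.nil? || @secret_digest.nil?
    constant_time_equal?(Digest::SHA256.hexdigest(candidate), @secret_digest)
  end

  private

  # Compare equal-length hex digests without stopping at the first mismatch.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```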
