Set default `OauthAccessToken#expires_in`
What does this MR do and why?
- Part 1 of 3 for ensuring all existing OauthAccessTokens have an expiration
- Part 2 will be to re-run a batched background migration that sets
expires_in
for all existing tokens. Similar to !86379 (merged) - The reason we need to set this default is that the Doorkeeper refresh
token flow does uses
expires_in
value of the refresh token when creating a new token. - This presents a risk for the batch background migration: the migration
works through the batch using a
batch_max_value
, which is theid
of the newest oauth_access_token at the time when the migration starts. - While the migration is running, it is possible that
oauth_access_tokens with
expires_in: nil
are refreshed, which would result in new tokens withexpires_in: nil
that haveid
s that are greater thanbatch_max_value
. As a result, these new tokens would be left out of the migration and would remain in the database withexpires_in: nil
- This change ensures that any new tokens being created via the refresh
flow have an
expires_in
value
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
- Create an OauthAccessToken with
expires_inL nil
:access_token = FactoryBot.create(:oauth_access_token, expires_in: nil)
- Refresh the access token
app = OauthAccessToken.last.application parameters = "client_id=#{app.uid}&client_secret=#{app.secret}&refresh_token=#{OauthAccessToken.last.refresh_token}&grant_type=refresh_token&redirect_uri=#{app.redirect_uri}" RestClient.post 'http://localhost:3000/oauth/token', parameters
- Confirm that the newly-created token has an expires_in value of 7200 (2 hours in seconds)
OauthAccessToken.last
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Merge request reports
Activity
assigned to @jessieay
- Resolved by Drew Blessing
requested review from @ifarkas
1 Warning e8735021: The commit subject may not be longer than 72 characters. For more information, take a look at our Commit message guidelines. Reviewer roulette
Changes that require review have been detected!
Please refer to the table below for assigning reviewers and maintainers suggested by Danger in the specified category:
Category Reviewer Maintainer backend Roy Zwambag (
@rzwambag
) (UTC+1, 9 hours ahead of@jessieay
)Doug Stull (
@dstull
) (UTC-5, 3 hours ahead of@jessieay
)To spread load more evenly across eligible reviewers, Danger has picked a candidate for each review slot, based on their timezone. Feel free to override these selections if you think someone else would be better-suited or use the GitLab Review Workload Dashboard to find other available reviewers.
To read more on how to use the reviewer roulette, please take a look at the Engineering workflow and code review guidelines. Please consider assigning a reviewer or maintainer who is a domain expert in the area of the merge request.
Once you've decided who will review this merge request, assign them as a reviewer! Danger does not automatically notify them for you.
If needed, you can retry the
danger-review
job that generated this comment.Generated by
Danger- Resolved by Drew Blessing
@ifarkas - I'd been mulling your comments about needing to account for refresh token flows when we do the batch migration to backfillexpires_in
and this seemed like a simpler solution that what was proposed here.I could have done this in the same MR as the batch migration but it seemed cleaner to break it up into a few MRs.
This will go first, then the batched background migration, and finally a database migration to enforce not null
expires_in
via postgres.
changed milestone to %15.7
- Resolved by Drew Blessing
mentioned in issue #363355 (closed)
Allure report
allure-report-publisher
generated test report!e2e-review-qa:
test report for 1e6c8293expand test summary
+-------------------------------------------------------------+ | suites summary | +--------+--------+--------+---------+-------+-------+--------+ | | passed | failed | skipped | flaky | total | result | +--------+--------+--------+---------+-------+-------+--------+ | Manage | 34 | 0 | 3 | 1 | 37 | ❗ | +--------+--------+--------+---------+-------+-------+--------+ | Total | 34 | 0 | 3 | 1 | 37 | ❗ | +--------+--------+--------+---------+-------+-------+--------+
- Resolved by Drew Blessing
@jessieay, please can you answer the question: Should this have a feature flag? to help with code review for the Authentication and Authorization group.This nudge was added by this triage-ops policy.
- Resolved by Drew Blessing
removed review request for @ifarkas
@ifarkas
, thanks for approving this merge request.This is the first time the merge request is approved. To ensure full test coverage, a new pipeline will be started shortly.
For more info, please refer to the following links:
added pipeline:mr-approved label
changed milestone to %15.8