
Shorten the time period for tracking a PAT's last_used value

Jacob Torrey requested to merge jacob8095107/gitlab:master into master

What does this MR do and why?

Currently the Last Used value for personal access tokens is only updated every 24 hours. I have been working on a GitLab PAT CanaryToken that would allow users to distribute tokens in their CI/CD or other environment and get alerted if they are used. While this works currently, the last used value is only updated every > 24 hours, so if an attacker is using a CanaryToken PAT multiple times, the user would lose visibility into the subsequent uses. I have set it to 1 minute, but any smaller value (5-10min) would be a large improvement in the ability to get visibility into token usage (malicious or no).

I have applied this patch for a self-hosted version and built a demo CanaryToken around it. I recently spoke with @DMarquard about this and he suggested creating an MR and tagging him. I suspect there are some performance aspects to why the 24 hour timeout was originally chosen, but I cannot test that on my self-hosted instance as there is too little traffic to generate a noticeable difference.

Issue: Shorten the time period for tracking a PAT's la... (#410168 - closed)

Screenshots or screen recordings

N/A

How to set up and validate locally

  1. Create a personal access token, either through the WebUI or the API for self-hosted GitLab instances.
  2. Use the token for some API call, verifying on the WebUI Tokens page that it shows a last used value.
  3. Wait ~2 min.
  4. Repeat 2, and verify it updates the last used value.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Hannah Sutor
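The validation steps above check the last used value by eye in the WebUI. The script below is an added example (not code from this MR or from GitLab) that automates the same observation for a canary-style token: it polls the token's details, compares `last_used_at` with the previous reading, and reports each new use, which is exactly what a shorter update window makes possible. It assumes the `GET /api/v4/personal_access_tokens/:id` endpoint returns JSON with an ISO 8601 `last_used_at` field, and it authenticates the polling with a separate monitoring token owned by the same user (`MONITOR_TOKEN` and `TOKEN_ID` are placeholders), because querying with the canary token itself would count as a use and bump the very value being watched. The sample responses are constructed, not captured from a real instance.

```python
"""Poll a GitLab personal access token's last_used_at to detect each use.

Added example for the "How to set up and validate locally" steps; not part
of the MR. Assumes GET /api/v4/personal_access_tokens/:id returns JSON with
a "last_used_at" field in ISO 8601 UTC (or null when the token is unused).
The poll must authenticate with a *different* token than the one watched:
using the canary token for the check would itself update last_used_at.
"""
import json
import sys
import time
import urllib.request
from datetime import datetime


def parse_last_used(payload: str):
    """Return last_used_at from a token-details JSON document, or None if never used."""
    value = json.loads(payload).get("last_used_at")
    if value is None:
        return None
    # Older Pythons do not accept a trailing "Z" in fromisoformat(), so normalise it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_new_use(previous, current):
    """True when the server now reports a use later than the last one we acted on."""
    if current is None:
        return False
    return previous is None or current > previous


def watch(responses):
    """Run the detection over a sequence of JSON responses; return alert timestamps.

    With a 24 h update granularity a second use inside the window shows the same
    last_used_at and produces no alert; with a shorter window each use shows up.
    """
    alerts = []
    previous = None
    for payload in responses:
        current = parse_last_used(payload)
        if detect_new_use(previous, current):
            alerts.append(current.isoformat())
            previous = current
    return alerts


# Constructed sample responses (not captured from a real instance): unused,
# first use, an unchanged reading, then a second use ~2.5 minutes later.
SAMPLE_RESPONSES = [
    '{"id": 7, "name": "canary", "last_used_at": null}',
    '{"id": 7, "name": "canary", "last_used_at": "2023-06-01T10:00:00.000Z"}',
    '{"id": 7, "name": "canary", "last_used_at": "2023-06-01T10:00:00.000Z"}',
    '{"id": 7, "name": "canary", "last_used_at": "2023-06-01T10:02:30.000Z"}',
]


def fetch_token(base_url, monitor_token, token_id):
    """Fetch the watched token's details using the separate monitoring token."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/personal_access_tokens/{token_id}",
        headers={"PRIVATE-TOKEN": monitor_token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Usage: python watch_pat.py https://gitlab.example.com MONITOR_TOKEN TOKEN_ID
    if len(sys.argv) != 4:
        print(watch(SAMPLE_RESPONSES))  # offline run over the constructed samples
        sys.exit(0)
    base_url, monitor_token, token_id = sys.argv[1:4]
    previous = None
    while True:
        current = parse_last_used(fetch_token(base_url, monitor_token, token_id))
        if detect_new_use(previous, current):
            print(f"token {token_id} used at {current.isoformat()}")
            previous = current
        time.sleep(60)  # one poll per minute, matching the interval proposed in the MR
```

Run without arguments to replay the constructed samples offline; with a base URL, a monitoring token and the watched token's numeric id it polls every minute. The offline replay yields two alerts (10:00:00 and 10:02:30), which is the behaviour the MR's shorter window enables; under the previous 24-hour granularity the second use would have been invisible.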
