Revoke tokens only for access token rotate endpoints

What does this MR do and why?

It changes the token revoke behavior: after this change we will revoke tokens only when an access token rotate endpoint is called. For now, that means the following endpoints:

  • POST /personal_access_tokens/:id/rotate
  • POST /groups/:id/access_tokens/:token_id/rotate
  • POST /projects/:id/access_tokens/:token_id/rotate

Context

In !125270 (merged) we introduced behavior where using a rotated (and thus revoked) token leads to revocation of the latest still-active token.

This caused an incident where more tokens than expected were being updated.

During the following discussion, we decided that tokens should be revoked only when accessing access token rotate endpoints.

How to set up and validate locally

Prepare environment and access tokens

  1. Enable the pat_reuse_detection feature flag in the Rails console:
     Feature.enable(:pat_reuse_detection)
  2. Go to your profile - access tokens
  3. Create 2 access tokens. You can check that both work by accessing an API endpoint, e.g. with curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gdk.test:3443/api/v4/personal_access_tokens". Make sure you noted both tokens.
  4. Revoke the last token by running in the Rails console:
     user = User.find(1) # find correct user
     user.personal_access_tokens.last.update(revoked: true)

Visiting endpoints that do not revoke tokens

  1. Access an API endpoint with the revoked token, e.g. curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gdk.test:3443/api/v4/personal_access_tokens" - you should receive an invalid_token error
  2. Check whether the valid token was revoked - it should not be revoked:
     user = User.find(1) # find correct user
     user.personal_access_tokens.last(2) # one of them should not be revoked

Visiting endpoints that revoke tokens

  1. Call the access token rotate endpoint with the revoked token - curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/personal_access_tokens/<personal_access_token_id>/rotate" - you should receive an invalid_token error
  2. Check whether the valid token was revoked - it should be revoked:
     user = User.find(1) # find correct user
     user.personal_access_tokens.last(2) # both of them should be revoked
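The rule exercised by the steps above, as an added Ruby model that is not GitLab's own code: tokens in the same rotation family are assumed to share a `family` value, the endpoint patterns are assumed to live under `/api/v4`, and the `glpat-…` values are constructed sample data.

```ruby
# Added example, not GitLab's implementation: a model of the rule this MR
# describes. A revoked token is always rejected (:invalid_token); the newest
# still-active token of its rotation family is revoked only when the request
# targeted one of the rotate endpoints. Prefix /api/v4 is an assumption.
ROTATE_ENDPOINTS = [
  %r{\APOST /api/v4/personal_access_tokens/\d+/rotate\z},
  %r{\APOST /api/v4/groups/\d+/access_tokens/\d+/rotate\z},
  %r{\APOST /api/v4/projects/\d+/access_tokens/\d+/rotate\z}
].freeze

# family: assumed marker linking a token to the tokens it was rotated from/to
Token = Struct.new(:id, :value, :family, :revoked)

class TokenAuthenticator
  def initialize(tokens)
    @tokens = tokens
  end

  def rotate_endpoint?(method, path)
    ROTATE_ENDPOINTS.any? { |re| re.match?("#{method} #{path}") }
  end

  # Returns :ok for a live token, :invalid_token otherwise. Reuse of a revoked
  # token on a rotate endpoint additionally revokes the newest active token of
  # the same family (the "reuse detection" behaviour scoped by this MR).
  def authenticate(value, method, path)
    token = @tokens.find { |t| t.value == value }
    return :invalid_token unless token
    return :ok unless token.revoked

    if rotate_endpoint?(method, path)
      latest = @tokens.select { |t| t.family == token.family && !t.revoked }.max_by(&:id)
      latest.revoked = true if latest
    end
    :invalid_token
  end
end

# Constructed scenario mirroring the validation steps: two tokens in one
# family, the newer one already revoked, and a request made with it.
# Returns [auth result, revoked flags of token 1 and token 2].
def demo_scenario(method, path)
  tokens = [
    Token.new(1, 'glpat-AAAA', 'fam-1', false),
    Token.new(2, 'glpat-BBBB', 'fam-1', true) # the revoked token
  ]
  result = TokenAuthenticator.new(tokens).authenticate('glpat-BBBB', method, path)
  [result, tokens.map(&:revoked)]
end
```

`demo_scenario('GET', '/api/v4/personal_access_tokens')` leaves token 1 active, while `demo_scenario('POST', '/api/v4/personal_access_tokens/2/rotate')` revokes it as well.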

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #418769 (closed)

Edited by Jarka Košanová
