
Resolve "Introduce GitLab Duo scope for personal access tokens"

What does this MR do and why?

Duo endpoints require the api scope since they are POST requests, but api is very powerful. Adding a new scope for Duo-specific endpoints mitigates issues in case the PAT is exposed somehow.

The following endpoints can now be accessed using a PAT with the duo scope (in addition to api):

  • GET /metadata
  • GET /version
  • GET /code_suggestions/*
  • POST /code_suggestions/*

The duo scope gives access exclusively to the endpoints listed above, and no others.

How to set up and validate locally

  1. Create three PATs, one for each scope: read_api, api, duo_api

  2. With duo_api and api, the following route should return 401 (the scope is correct, but access to completions requires additional steps):

    curl -X POST -H "Authorization: Bearer $GPAT" "http://localhost:3000/api/v4/code_suggestions/tokens"

  3. With read_api, the endpoint above will return 403:

    {"error":"insufficient_scope","error_description":"The request requires higher privileges than provided by the access token.","scope":"duo_api api read_api"}

  4. The following endpoint should return 200 with all three tokens:

    curl -X GET -H "Authorization: Bearer $GPAT" "http://localhost:3000/api/v4/metadata"
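The scope matrix that steps 1 to 4 exercise, written out as an added Ruby example (not GitLab's own code or the code of this MR). It models each endpoint as a set of declared scopes, any one of which a token must hold, and reproduces the 401, 403 and 200 outcomes above. Everything beyond the endpoint list and the error body is an assumption of this illustration: that api satisfies every endpoint, that read_api satisfies only GET requests, that duo_api is declared only on the four listed endpoints, and that a `duo_access` flag stands in for the "additional steps" that turn the 401 of step 2 into a 200.

```ruby
# Added illustration, not GitLab's code: a minimal model of how a PAT's scopes
# gate the endpoints listed in the MR description. Assumptions of this model:
# api satisfies every endpoint, read_api only GET requests, duo_api only the
# four Duo endpoints, and a duo_access flag stands in for the "additional
# steps" that turn step 2's 401 into a 200.
require 'json'

# Endpoints reachable with the duo_api scope, per the MR description.
DUO_ENDPOINTS = [
  ['GET',  '/metadata'],
  ['GET',  '/version'],
  ['GET',  '/code_suggestions/*'],
  ['POST', '/code_suggestions/*']
].freeze

# A trailing "/*" matches the prefix itself and anything beneath it.
def path_matches?(pattern, path)
  return pattern == path unless pattern.end_with?('/*')

  prefix = pattern.delete_suffix('/*')
  path == prefix || path.start_with?("#{prefix}/")
end

def duo_endpoint?(method, path)
  DUO_ENDPOINTS.any? { |m, pattern| m == method && path_matches?(pattern, path) }
end

# Scopes declared on an endpoint, each mapped to whether it satisfies this
# request. The key order is the order the insufficient_scope error lists them,
# matching the page's "duo_api api read_api".
def declared_scopes(method, path)
  decls = { 'api' => true, 'read_api' => method == 'GET' }
  decls = { 'duo_api' => true }.merge(decls) if duo_endpoint?(method, path)
  decls
end

# Returns [http_status, body_hash]. 403 reproduces the error body from step 3;
# 401 reproduces step 2 (scope ok, but no Duo access yet); 200 otherwise.
def authorize(token_scopes, method, path, duo_access: false)
  decls = declared_scopes(method, path)
  unless token_scopes.any? { |s| decls[s] }
    return [403, {
      error: 'insufficient_scope',
      error_description: 'The request requires higher privileges than provided by the access token.',
      scope: decls.keys.join(' ')
    }]
  end
  return [401, { message: '401 Unauthorized' }] if path.start_with?('/code_suggestions') && !duo_access

  [200, {}]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the three tokens from step 1 against the two endpoints
  # from steps 2 and 4, plus an endpoint outside the Duo list.
  tokens = { 'read_api' => ['read_api'], 'api' => ['api'], 'duo_api' => ['duo_api'] }
  requests = [['POST', '/code_suggestions/tokens'], ['GET', '/metadata'], ['GET', '/projects']]
  tokens.each do |name, scopes|
    requests.each do |method, path|
      status, body = authorize(scopes, method, path)
      puts format('%-8s %-4s %-26s -> %d %s', name, method, path, status, JSON.generate(body))
    end
  end
end
```

The `/projects` row is the check the description's "no others" claim implies: a duo_api token must get the same insufficient_scope rejection on a non-Duo endpoint that a read_api token gets on a POST, otherwise the new scope is not narrower than api.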

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #423325 (closed)

Edited by Eduardo Bonet
