Add Demonstrating Proof of Possession (DPoP) for Personal Access Tokens (!148175) · Merge requests · GitLab.org / GitLab

Ameya Darshan requested to merge ameya-dpop-backend into master Mar 28, 2024

What does this MR do and why?

This MR initiates the implementation of sender-constrained access tokens designed to minimise the risk of token leaks. I am putting this feature behind a feature flag.

How to set up and validate locally

Currently this feature works only for RSA keys. Support for other algorithms will be added later.

For frontend:

Checkout this branch locally.
Run bin/rails db:migrate
In rails console, enable the feature flag: Feature.enable(:dpop_authentication, User.first)
Login as root.
Go to Settings > Access tokens > Toggle the DPoP option.
Confirm it persists in the database User.first.dpop_enabled and also on the frontend on refreshing the page.

For backend:

Build glab from this branch.
Ensure DPoP is enabled following the steps above.
Ensure you have an SSH key-pair setup with the public key uploaded to your user account. Ensure that the key type is saved as "Signing" or "Authentication and Signing".
Using glab generate a DPoP header: bin/glab auth dpop-gen --pat "glpat-PAT" --private-key ~.ssh/id_rsa
Use the generated header to make an HTTP API request: curl http://localhost:3000/api/v4/projects --header "Private-Token: glpat-PAT" --header "DPoP: <GLAB OUTPUT HERE>"
Confirm valid response is received. Confirm that the request fails without a valid DPoP header.

Edited Apr 25, 2024 by Ameya Darshan

Add Demonstrating Proof of Possession (DPoP) for Personal Access Tokens

What does this MR do and why?

How to set up and validate locally

Merge request reports