
Add Demonstrating Proof of Possession (DPoP) for Personal Access Tokens

Ameya Darshan requested to merge ameya-dpop-backend into master

What does this MR do and why?

This MR initiates the implementation of sender-constrained access tokens designed to minimise the risk of token leaks. I am putting this feature behind a feature flag.

Related to Use Mutual-TLS (mTLS) or Demonstrating Proof-of... (#425130).

How to set up and validate locally

Currently this feature works only for RSA keys. Support for other algorithms will be added later.

For frontend:

  1. Checkout this branch locally.
  2. Run bin/rails db:migrate
  3. In rails console, enable the feature flag: Feature.enable(:dpop_authentication, User.first)
  4. Login as root.
  5. Go to Settings > Access tokens > Toggle the DPoP option.
  6. Confirm it persists in the database (User.first.dpop_enabled) and also on the frontend on refreshing the page.

For backend:

  1. Build glab from this branch.
  2. Ensure DPoP is enabled following the steps above.
  3. Ensure you have an SSH key pair set up with the public key uploaded to your user account. Ensure that the key type is saved as "Signing" or "Authentication and Signing".
  4. Using glab, generate a DPoP header: bin/glab auth dpop-gen --pat "glpat-PAT" --private-key ~/.ssh/id_rsa
  5. Use the generated header to make an HTTP API request: curl http://localhost:3000/api/v4/projects --header "Private-Token: glpat-PAT" --header "DPoP: <GLAB OUTPUT HERE>"
  6. Confirm valid response is received. Confirm that the request fails without a valid DPoP header.
Edited by Ameya Darshan
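The client/server exchange behind the backend steps above (mint a DPoP proof bound to a PAT and an RSA key, then verify it on the API side), written here as an added example that is not the MR's, GitLab's or glab's own code. It assumes the RFC 9449 proof shape: a JWS with typ dpop+jwt, the signing key in the jwk header, and the claims htm/htu/iat/jti plus ath = base64url(SHA-256(PAT)), signed with RS256. The PAT value, the localhost URL and the in-memory jti cache are constructed for the example; GitLab's real claim set, algorithm and key lookup may differ.

```ruby
require "openssl"
require "json"
require "securerandom"

# JWS uses unpadded base64url. Implemented with pack/unpack so no extra gem is needed.
def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  s = str.tr("-_", "+/")
  (s + "=" * ((4 - s.length % 4) % 4)).unpack1("m0") # strict decode, raises ArgumentError on junk
end

# Client side (what a tool like glab would do): build a DPoP proof that binds this
# request to the PAT (via ath) and to whoever holds the private key (via the signature).
def build_dpop_proof(private_key, access_token, method:, url:, now: Time.now.to_i)
  pub = private_key.public_key
  jwk = { kty: "RSA", n: b64url(pub.n.to_s(2)), e: b64url(pub.e.to_s(2)) }
  header  = { typ: "dpop+jwt", alg: "RS256", jwk: jwk }
  payload = {
    jti: SecureRandom.uuid,                                  # one-time id, lets the server detect replay
    htm: method,                                             # HTTP method the proof is valid for
    htu: url,                                                # target URL (scheme/host/path, no query or fragment)
    iat: now,                                                # issue time, so a leaked proof expires quickly
    ath: b64url(OpenSSL::Digest::SHA256.digest(access_token)) # hash of the PAT sent in Private-Token
  }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  signature = private_key.sign(OpenSSL::Digest.new("SHA256"), signing_input) # PKCS#1 v1.5 = RS256
  "#{signing_input}.#{b64url(signature)}"
end

# Server side: verify the DPoP header against the PAT from Private-Token and the
# public key registered for the user (assumed to be looked up from their signing keys).
class DpopVerifier
  MAX_AGE = 300 # seconds of clock skew / proof lifetime accepted

  def initialize(user_public_key)
    @key = user_public_key
    @seen_jti = {} # replay cache; a real deployment shares this across workers
  end

  # Returns [ok, reason] so callers can log why a request was rejected.
  def verify(dpop_header, access_token, method:, url:, now: Time.now.to_i)
    parts = dpop_header.to_s.split(".")
    return [false, "malformed"] unless parts.length == 3
    header  = JSON.parse(b64url_decode(parts[0]))
    payload = JSON.parse(b64url_decode(parts[1]))
    sig     = b64url_decode(parts[2])
    return [false, "bad typ"] unless header["typ"] == "dpop+jwt"
    return [false, "bad alg"] unless header["alg"] == "RS256" # pin the algorithm; never trust "none" or HMAC
    # The key in the proof must be one registered for this user, otherwise anyone
    # could mint a proof with a key of their own choosing.
    jwk = header["jwk"] || {}
    unless jwk["n"] == b64url(@key.n.to_s(2)) && jwk["e"] == b64url(@key.e.to_s(2))
      return [false, "key not registered"]
    end
    signing_input = "#{parts[0]}.#{parts[1]}"
    return [false, "bad signature"] unless @key.verify(OpenSSL::Digest.new("SHA256"), sig, signing_input)
    expected_ath = b64url(OpenSSL::Digest::SHA256.digest(access_token))
    return [false, "ath mismatch"] unless payload["ath"] == expected_ath
    return [false, "method/url mismatch"] unless payload["htm"] == method && payload["htu"] == url
    iat = payload["iat"]
    return [false, "stale"] unless iat.is_a?(Integer) && (now - iat).abs <= MAX_AGE
    jti = payload["jti"]
    return [false, "replayed"] if jti.nil? || @seen_jti.key?(jti)
    @seen_jti[jti] = iat
    [true, "ok"]
  rescue JSON::ParserError, ArgumentError, OpenSSL::PKey::PKeyError
    [false, "malformed"]
  end
end

if $PROGRAM_NAME == __FILE__
  key = OpenSSL::PKey::RSA.new(2048)                 # stands in for ~/.ssh/id_rsa
  pat = "glpat-constructed-example-token"            # constructed, not a real token
  url = "http://localhost:3000/api/v4/projects"
  proof = build_dpop_proof(key, pat, method: "GET", url: url)
  puts "DPoP: #{proof}"
  puts DpopVerifier.new(key.public_key).verify(proof, pat, method: "GET", url: url).inspect
end
```

The order of checks matters: the registered-key and signature checks come before anything else is trusted, and the request fails closed on any parse error. The ath check is what makes the PAT useless on its own, which is the "fails without a valid DPoP header" outcome in step 6.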
