Display inactive resource access tokens when feature flag enabled
What does this MR do and why?
This MR updates Project and Group Access Token pages to show inactive (expired or revoked) tokens. Part 2 of List Revoked and Expired Project and Group Acce... (#462217).
Following on from Retain resource access token bot users after re... (!157130 - merged), this change is also behind the new feature flag retain_resource_access_token_user_after_revoke.
The way Project and Group Access Tokens were expired and revoked in the past meant that the associated bot user was deleted, and so there was no way to show the tokens in the UI. Now, Group and Project Access Token pages will display these tokens and allow easier auditing and review of inactive tokens.
This is done by including a second table of Inactive tokens underneath the current Active tokens table. No actions can be taken on each row.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Notes for reviewers
- ~~UX I felt it was confusing for the Inactive Tokens table to include an "Expires At" column given that it could expire in the future and still have been manually revoked. If a token is inactive it doesn't matter what its expiry date is.~~ The Expires column is back!
- backend The code around paginating the JSON response is a bit jank IMO. I wanted to leave the JSON response alone to avoid introducing a breaking change - but perhaps that's OK if the controller is only used by our JavaScript?
  - Edit: this doesn't matter. I enabled the access_token_pagination flag and the Active Access Token limits it to 20 tokens and doesn't display any pagination controls - i.e. active tokens are hidden from view. Pagination is still under development with no ETA: Add offset-based pagination to list personal/gr... (&8382). All Active and Inactive Tokens will be displayed on the page, so the list will get big after a while.
- backend this doesn't have a Changelog because it's feature flagged and disabled by default
- frontend I was really trying to reuse existing components and patterns but frontend is not my forte. Please help improve the code! 😅
- ~~ ~ux and/or frontend Pagination is another thing to consider, unless we just want to arbitrarily limit it to "the most recently updated 20 inactive tokens"?~~ Pagination is not implemented for Active Tokens yet. The default behaviour will be to show an ever-growing list. [Feature flag] Enable sending paginated data fo... (#366534)
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
Before | After |
---|---|
![]() | ![]() |
![]() | ![]() |
![]() | No change - included for completeness |
![]() | No change - included for completeness; notably doesn't differentiate between active and revoked |
How to set up and validate locally
- In rails console enable the experiment fully, or for a specific group or project
  Feature.enable(:create_resource_access_tokens)
- Visit any group or project resource pages such as http://127.0.0.1:3000/groups/flightjs/-/group_members
- Create and revoke tokens if needed
- Observe that both expired and revoked tokens are displayed in a second table
- Observe that the controller's JSON response has not had a breaking change by visiting the .json version, e.g. https://gdk.test:3443/-/user_settings/personal_access_tokens.json
Related to #462217