
Display inactive resource access tokens when feature flag enabled

Nick Malcolm requested to merge 462217-display-revoked-tokens into master

What does this MR do and why?

This MR updates Project and Group Access Token pages to show inactive (expired or revoked) tokens. Part 2 of List Revoked and Expired Project and Group Acce... (#462217).

Following on from Retain resource access token bot users after re... (!157130 - merged), this change is also behind the new feature flag retain_resource_access_token_user_after_revoke.

The way Project and Group Access Tokens were expired and revoked in the past meant that the associated bot user was deleted, and so there was no way to show the tokens in the UI. Now, Group and Project Access Token pages will display these tokens and allow easier auditing and review of inactive tokens.

This is done by including a second table of Inactive tokens underneath the current Active tokens table. No actions can be taken on each row.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Notes for reviewers

  1. ~~UX: I felt it was confusing for the Inactive Tokens table to include an "Expires At" column given that it could expire in the future and still have been manually revoked. If a token is inactive it doesn't matter what its expiry date is.~~ The Expires column is back!
  2. backend The code around paginating the JSON response is a bit jank IMO. I wanted to leave the JSON response alone to avoid introducing a breaking change - but perhaps that's OK if the controller is only used by our JavaScript?
    1. Edit: this doesn't matter. I enabled the access_token_pagination flag and the Active Access Token limits it to 20 tokens and doesn't display any pagination controls - i.e. active tokens are hidden from view. Pagination is still under development with no ETA: Add offset-based pagination to list personal/gr... (&8382). All Active and Inactive Tokens will be displayed on the page, so the list will get big after a while.
  3. backend this doesn't have a Changelog because it's feature flagged and disabled by default
  4. frontend I was really trying to reuse existing components and patterns but frontend is not my forte. Please help improve the code! 😅
  5. ~~UX and/or frontend: Pagination is another thing to consider, unless we just want to arbitrarily limit it to "the most recently updated 20 inactive tokens"?~~ Pagination is not implemented for Active Tokens yet. The default behaviour will be to show an ever-growing list. [Feature flag] Enable sending paginated data fo... (#366534)

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

| Before | After |
| --- | --- |
| Screenshot_2024-06-27_at_4.44.20_PM | Screenshot_2024-07-08_at_2.18.05_PM |
| Screenshot_2024-06-27_at_4.45.38_PM | Screenshot_2024-07-08_at_2.18.21_PM |
| Screenshot_2024-06-27_at_4.46.54_PM | No change - included for completeness |
| Screenshot_2024-06-27_at_4.50.07_PM | No change - included for completeness; notably doesn't differentiate between active and revoked 🤷 |

How to set up and validate locally

  1. In a Rails console, enable the experiment fully, or for a specific group or project:
    Feature.enable(:create_resource_access_tokens)
  2. Visit any group or project resource pages such as http://127.0.0.1:3000/groups/flightjs/-/group_members
  3. Create and revoke tokens if needed
  4. Observe that both expired and revoked tokens are displayed in a second table
  5. Observe that the controller's JSON response has not had a breaking change by visiting the .json version, e.g. https://gdk.test:3443/-/user_settings/personal_access_tokens.json

Related to #462217

Edited by Nick Malcolm
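The active/inactive split the MR describes, as an added illustration that is not GitLab's code or part of this merge request. It assumes a minimal token record with `revoked` and `expires_at` fields and constructed sample data; the point it shows is that revocation takes precedence over a future expiry (the "Expires At" discussion in the reviewer notes) and that the JSON response can keep its previous active-only shape while the HTML page gains a second table.

```ruby
# Added example, not GitLab's implementation. Token fields, names and
# sample data below are assumptions for illustration only.
require 'date'
require 'json'

Token = Struct.new(:id, :name, :revoked, :expires_at, keyword_init: true)

# A token is inactive when it has been revoked OR its expiry date has passed.
# Revocation wins: a revoked token with an expiry in the future is still
# inactive, which is why the expiry column alone cannot tell the two apart.
def token_state(token, today = Date.today)
  return :revoked if token.revoked
  return :expired if token.expires_at && token.expires_at < today

  :active
end

# Split a token list into the two tables the page renders.
def partition_tokens(tokens, today = Date.today)
  active, inactive = tokens.partition { |t| token_state(t, today) == :active }
  { active: active, inactive: inactive }
end

# Rows for the Inactive table: state is shown per row, and no per-row
# actions are offered (actions: [] mirrors "No actions can be taken on each row").
def inactive_table_rows(tokens, today = Date.today)
  partition_tokens(tokens, today)[:inactive].map do |t|
    {
      'id' => t.id,
      'name' => t.name,
      'state' => token_state(t, today).to_s,
      'expires_at' => t.expires_at&.iso8601,
      'actions' => []
    }
  end
end

# The JSON endpoint keeps serving only active tokens in its pre-existing
# shape, so existing JavaScript consumers see no breaking change; inactive
# tokens appear only in the HTML table.
def active_tokens_json(tokens, today = Date.today)
  partition_tokens(tokens, today)[:active].map do |t|
    { 'id' => t.id, 'name' => t.name, 'expires_at' => t.expires_at&.iso8601 }
  end.to_json
end

# Constructed sample data (assumption): a fixed "today" keeps results stable.
SAMPLE_TODAY = Date.new(2024, 7, 8)
SAMPLE_TOKENS = [
  Token.new(id: 1, name: 'ci-deploy',  revoked: false, expires_at: Date.new(2025, 1, 1)),
  Token.new(id: 2, name: 'old-bot',    revoked: false, expires_at: Date.new(2024, 6, 1)),
  Token.new(id: 3, name: 'leaked',     revoked: true,  expires_at: Date.new(2025, 6, 1)),
  Token.new(id: 4, name: 'no-expiry',  revoked: false, expires_at: nil)
].freeze

if $PROGRAM_NAME == __FILE__
  puts "Active JSON:   #{active_tokens_json(SAMPLE_TOKENS, SAMPLE_TODAY)}"
  puts "Inactive rows: #{inactive_table_rows(SAMPLE_TOKENS, SAMPLE_TODAY).to_json}"
end
```

Running it with the sample data puts tokens 1 and 4 in the Active table (a token with no expiry is still active) and tokens 2 and 3 in the Inactive table, with token 3 labelled `revoked` despite its 2025 expiry.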
