Do not run validations on AccessToken revocation
Related to #463399 (closed)
What?
It allows users to immediately revoke existing PATs that have an expire_at: time less than the admin-set max_personal_access_token_lifetime_in_days.
Why?
When the access token expiry is updated, existing tokens may fail the validation, so those records get stuck and cannot be deleted. This commit fixes that by skipping Rails model-level validations on access token revocation.
Steps To Reproduce
- Go to Admin area - `Settings > General` and expand `Account and limit` section.
- Scroll down and clear any value set in `Maximum allowable lifetime for access token (days)`.
- Save changes
- Go to your project and create a new project access token (`Settings > Access tokens`)
- Set expiry date 5 months from today (example: Nov 11, 2024)
- Save token.
- Open a database session (`gdk psql`) and change the created_at and updated_at values for this token to mimic a token created in the past:

  ```sql
  select * from personal_access_tokens order by id desc; -- find the token you just created
  update personal_access_tokens set created_at='2022-06-23 19:26:21.023552', updated_at='2022-06-23 19:26:21.023552' where id in(<ID_OF_TOKEN>) and user_id=<USER_ID>;
  ```

  Verify the update

  ```sql
  SELECT * FROM personal_access_tokens WHERE id = <token_id>;
  ```

- Verify token shows correct expiry and creation date on the UI, after refreshing.
- Go to Admin area. Set the value for `Maximum allowable lifetime for access token (days)` to 30. Save changes.
- Refresh project access tokens page.
- Revoke token. A flash alert shows: `Revoked access token <PrAT Name>!`
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Edited by Hakeem Abdul-Razak
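
The failure mode described under "Why?", as an added example that is not GitLab's code: a plain-Ruby stand-in in which tightening the limit makes a validated revoke fail, while a revoke that skips validation succeeds. `Token`, `Settings` and the lifetime rule (expiry no later than today plus the limit) are assumptions made for illustration; the page does not show which Rails call the MR uses.

```ruby
require 'date'
# Plain-Ruby stand-in for a validated model. All names here are hypothetical.
module Settings
  class << self
    attr_accessor :max_lifetime_days # nil means no limit is configured
  end
end

class Token
  attr_reader :errors, :revoked_in_db
  def initialize(expires_at)
    @expires_at = expires_at
    @revoked = false        # in-memory attribute
    @revoked_in_db = false  # what the stored row holds
    @errors = []
  end

  # Assumed lifetime rule: expiry may not be later than today + limit.
  def valid?
    max = Settings.max_lifetime_days
    @errors = []
    @errors << "expires_at exceeds #{max}-day maximum" if max && @expires_at > Date.today + max
    @errors.empty?
  end

  # Mirrors the save / save(validate: false) split in Rails.
  def save(validate: true)
    return false if validate && !valid?
    @revoked_in_db = @revoked
    true
  end

  # validate: true is the old path, validate: false is the behaviour after the fix.
  def revoke(validate:)
    @revoked = true
    save(validate: validate)
  end
end

def demo
  Settings.max_lifetime_days = nil
  token = Token.new(Date.today + 150) # constructed: expires in about 5 months
  created = token.save
  Settings.max_lifetime_days = 30     # admin tightens the limit afterwards
  blocked = !token.revoke(validate: true)
  { created: created, blocked: blocked, stuck: !token.revoked_in_db,
    errors: token.errors.dup, fixed: token.revoke(validate: false),
    revoked: token.revoked_in_db }
end
```

In the validated path the token stays active in storage even though the caller asked for revocation, which is the stuck state the steps above reproduce.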