
Admin Token API: Identify GitLab sessions

What does this MR do and why?

Adds support to the Admin Token API to identify the user of a _gitlab_session.

Issue: #512654 (closed)

🛠️ with ❤️ at Siemens

References

MR acceptance checklist

MR Checklist (@nwittstruck)

How to set up and validate locally

  1. You'll need to create a personal access token to access the token and get a _gitlab_session that you'd like to query:

    1. Create a personal access token with admin_mode and api capabilities. Preferences > Access Tokens > Add a new token
    2. You'll need a _gitlab_session. The easiest way to get this is to get a session from your browser. Navigate to your gdk, e.g. https://gdk.test:3443 and sign in. After signing in, there should be a session key and a value in your cookie store. In Firefox, open the developer console and go to Storage > Cookies. It's mostly the same in Chrome/Safari. This should get you a key: _gitlab_session_abc123 and a value: long-string-with-numbers. You need to join both: _gitlab_session_abc123=long-string-with-numbers. For comparison, on gitlab.com, the key would be just _gitlab_session=. However, in development mode, a unique key is added to the prefix (in the example, abc123).
  2. Now you can retrieve information about this token:

curl -k --request POST \
--url 'https://gdk.test:3443/api/v4/admin/token' \
--header 'Authorization: Bearer <Admin Token from Step 2.1>' \
--header 'Content-Type: application/json' \
--data '{"token": "_gitlab_session_abc123=long-string-with-numbers"}'

Related to #512654 (closed)

Edited by Nicholas Wittstruck
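The joining step from the validation instructions, as an added example that is not part of the merge request or GitLab's own code: it pulls the `_gitlab_session` pair out of a raw `Cookie` header (for example one found in a proxy log) and builds, without sending, the POST request shown in the curl command. The helper names, the sample header and the assumption that the development-mode suffix is alphanumeric are illustrative.

```python
import json
import re
import urllib.request

# "_gitlab_session", optionally followed by "_<suffix>" as in development mode.
# Assumption: the suffix is alphanumeric, like "abc123" in the description above.
SESSION_KEY = re.compile(r"^_gitlab_session(_[A-Za-z0-9]+)?$")

# Constructed sample header; the other cookie names are made up.
SAMPLE_HEADER = ("Cookie: theme=dark; "
                 "_gitlab_session_abc123=long-string-with-numbers; lang=en")


def session_token_from_cookie_header(header):
    """Return 'key=value' for the session cookie, or None if absent."""
    if header.lower().startswith("cookie:"):
        header = header.split(":", 1)[1]
    for pair in header.split(";"):
        # partition keeps any further '=' characters inside the value
        name, sep, value = pair.strip().partition("=")
        if sep and value and SESSION_KEY.match(name):
            return f"{name}={value}"
    return None


def build_request(base_url, admin_token, cookie_header):
    """Build (not send) the POST to /api/v4/admin/token for this session."""
    token = session_token_from_cookie_header(cookie_header)
    if token is None:
        raise ValueError("no _gitlab_session cookie in header")
    # json.dumps handles quoting, unlike pasting the value into a shell string
    body = json.dumps({"token": token}).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/v4/admin/token",
        data=body,
        method="POST",
        headers={
            "Authorization": f"Bearer {admin_token}",
            "Content-Type": "application/json",
        },
    )


if __name__ == "__main__":
    req = build_request("https://gdk.test:3443", "<admin token>", SAMPLE_HEADER)
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Pass the returned object to `urllib.request.urlopen` to send it; against a GDK with a self-signed certificate you will also need an SSL context that trusts it, which is what `-k` works around in the curl command.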
