Skip to content

Add custom instance wide prefix for tokens

Nicholas Wittstruckrequested to merge
gitlab-community/gitlab-org/gitlab:388379-nwittstruck-allow-custom-token-prefix-for-all-token-types into master

What does this MR do and why?

This MR adds a flag to the application settings for instance wide token prefixes. It starts with support for feed_tokens, as they are easy to test and show the concept. I'll add support for other token types in follow-up MRs once this approach has been approved.

Currently, users can define a prefix for personal access tokens. Other token types, do not support custom prefixes yet.

This MR proposes to add an instance wide prefix, that is set to gl by default. The new prefix format is: #{instance_prefix}#{token_type_prefix}. E.g. for feed tokens, we'd get: #{instance_prefix}ft-. By default, this is the current token prefix glft-. However, we can now customize the instance prefix to create a new prefix: my-company-name-ft-.

With this custom prefix, it is easier to identify leaked tokens, because we can now skip all leaked tokens that start with gl. Now, we only need to look at tokens starting with my-company-name-.

🛠️ with ❤️ at Siemens

References

MR acceptance checklist

MR Checklist ( @nwittstruck)

Screenshots or screen recordings

Screenshot_2025-01-31_at_15.27.42 Screenshot_2025-01-31_at_15.28.37

How to set up and validate locally

  1. Enable feature flag via rails c:
Feature.enable(:custom_prefix_for_all_token_types)

  1. Run migrations with bin/rails db:migrate (and down with bin/rails db:migrate:down:main db:migrate:down:ci VERSION=20250126160646)

  2. Change the instance token prefix in the admin settings: Admin area > General > Account and limit > Instance token prefix, e.g. to my-new-prefix

  3. Reset your feed token at User Settings > Access tokens > Feed Token. It should now show a new token starting with my-new-prefix.

Related to #388379

Edited by Nicholas Wittstruck

Merge request reports