Use secure defaults for token storage in TokenAuthenticatable
What does this MR do and why?
Use a secure default for token storage in TokenAuthenticatable.
The current default in TokenAuthenticatable, if the encrypted or digest storage strategies are not mentioned, is insecure storage. 4 token types - Health check access token, SAML discovery token, Incoming email token and Feed token - do not describe any storage strategy when add_authentication_token_field is called, so these 4 tokens are stored in plain text (as-is) in the database.
This MR is about changing the default in TokenAuthenticatable from insecure to digest as a security best practice, thus this change in lib/authn/token_field/base.rb.
As @rymai mentioned here, we need to introduce an explicit insecure: true to the 4 tokens that implicitly use it now, so as not to break them. The work to move these tokens from insecure to encrypted or digest storage is happening in different issues (see below) and is outside the scope of this MR.
- Verify the usage for saml_discovery_token and r... (#517560)
- https://gitlab.com/gitlab-org/gitlab/-/issues/24682+
- https://gitlab.com/groups/gitlab-org/-/epics/9005+
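The following is an added illustration, not GitLab's TokenAuthenticatable code, of the behaviour change this MR describes: a minimal stand-in for add_authentication_token_field (named add_token_field here) that defaults a field to digest storage and requires an explicit insecure: true to keep plain-text storage. The encrypted strategy is omitted; the record class, column layout and SHA-256 digest are assumptions made for the example.

```ruby
require 'digest'
require 'securerandom'

# Constructed stand-in for a TokenAuthenticatable-style model. Each token
# field is declared with a storage strategy; the stored "column" value is
# what would land in the database.
class TokenRecord
  attr_reader :columns

  def initialize
    @columns = {}
    @strategies = {}
  end

  # Secure default: a field that does not opt in to `insecure: true`
  # is stored as a digest, never as the raw token.
  def add_token_field(name, insecure: false)
    @strategies[name] = insecure ? :insecure : :digest
  end

  def strategy_for(name)
    @strategies.fetch(name)
  end

  # Generate a fresh token and persist it according to the field's strategy.
  # The plaintext is returned to the caller exactly once and is not kept
  # anywhere when the strategy is :digest.
  def reset_token(name)
    token = SecureRandom.hex(20)
    @columns[name] = stored_form(name, token)
    token
  end

  # Verify a presented token: the same transformation is applied to the
  # presented value and compared with the stored column.
  def token_matches?(name, presented)
    return false if @columns[name].nil?

    @columns[name] == stored_form(name, presented)
  end

  private

  def stored_form(name, token)
    strategy_for(name) == :insecure ? token : Digest::SHA256.hexdigest(token)
  end
end
```

With the new default, a field declared as `add_token_field :foo` ends up digest-stored, while the four tokens named above keep plain-text storage only because they now say `insecure: true` explicitly.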
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #519551 (closed) and Align TokenAuthenticatable with security best p... (&16713).