Admin Token API: Revoke GitLab Session

What does this MR do and why?

This MR adds support for revocation of GitLab sessions to the Admin token API. In this case, revocation is done by deleting the session. This is consistent with the Revoke button in the User Settings > Active Sessions UI.

Issue: #517699 (closed)

🛠️ with ❤️ at Siemens

Changelog: added

How to set up and validate locally

  1. Enable the feature flag with rails c:

     Feature.enable(:api_admin_token_revoke)

You'll need a personal access token to call the API and a _gitlab_session that you'd like to query:

  1. Create a personal access token with admin_mode and api capabilities: Preferences > Access Tokens > Add a new token.

  2. You'll need a _gitlab_session. The easiest way to get one is from your browser. Navigate to your gdk, e.g. https://gdk.test:3443, and sign in. After signing in, there should be a session key and value in your cookie store. In Firefox, open the developer console and go to Storage > Cookies; it's mostly the same in Chrome/Safari. This should give you a key, _gitlab_session_abc123, and a value, long-string-with-numbers. Join both with an equals sign: _gitlab_session_abc123=long-string-with-numbers. For comparison, on gitlab.com the key would be just _gitlab_session. In development mode, however, a unique key is appended to the prefix (abc123 in the example).

  3. Now you can retrieve information about this token:

     curl -k --request POST \
       --url 'https://gdk.test:3443/api/v4/admin/token' \
       --header 'Authorization: Bearer <Admin Token from Step 1.>' \
       --header 'Content-Type: application/json' \
       --data '{"token": "_gitlab_session_abc123=long-string-with-numbers"}'

  4. Now, revoke the token:

     curl -k --request DELETE \
       --url 'https://gdk.test:3443/api/v4/admin/token' \
       --header 'Authorization: Bearer <Admin Token from Step 1.>' \
       --header 'Content-Type: application/json' \
       --data '{"token": "_gitlab_session_abc123=long-string-with-numbers"}'

  5. Query the token again; you should now see that the status changed to Not Found, as the session no longer exists. You can also verify this in User Settings > Active Sessions.
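The validation steps above as one script, added here as an example; it is not code from this MR or from GitLab. It assumes the endpoint the MR describes (POST to look up, DELETE to revoke, on /api/v4/admin/token, with the session cookie joined as name=value in the JSON body and a Bearer personal access token with admin_mode and api scopes), takes HTTP 404 on the follow-up lookup as the "Not Found" state from the verification step, and ships with a constructed FakeGitLab stand-in so the lookup/revoke/verify sequence runs offline. The cookie-name pattern, the redaction helper and all response bodies are assumptions, not GitLab's real payloads.

```python
"""Look up and revoke a GitLab session through the Admin token API.

Added example, not code from the MR or from GitLab. It assumes the endpoint
the MR describes: POST (lookup) and DELETE (revoke) on /api/v4/admin/token
with a JSON body {"token": "<cookie name>=<cookie value>"} and a Bearer
personal access token that has admin_mode and api scopes. Treating HTTP 404
on the follow-up lookup as the "Not Found" state is an assumption drawn from
the MR's verification step; the response bodies below are constructed.
"""
import io
import json
import re
import ssl
import urllib.error
import urllib.request

# Session cookie names: "_gitlab_session" on gitlab.com, "_gitlab_session_<suffix>"
# on a development instance (assumed suffix alphabet: letters and digits).
SESSION_COOKIE_RE = re.compile(r"^_gitlab_session(?:_[A-Za-z0-9]+)?$")


def session_cookie_to_token(name: str, value: str) -> str:
    """Join a browser cookie into the single string the API expects."""
    if not SESSION_COOKIE_RE.match(name):
        raise ValueError(f"not a GitLab session cookie name: {name!r}")
    if not value or any(ch.isspace() or ch in ";=" for ch in value):
        raise ValueError("cookie value must be non-empty, with no whitespace, ';' or '='")
    return f"{name}={value}"


def redact(token: str) -> str:
    """Keep logs useful without leaking a live session: cookie name plus last 4 chars."""
    name, _, value = token.partition("=")
    return f"{name}={'*' * max(len(value) - 4, 0)}{value[-4:]}"


def admin_token_request(base_url, admin_pat, token, method, opener=None, verify_tls=True):
    """POST looks a token up, DELETE revokes it. Returns (http_status, json_body_or_None)."""
    if method not in ("POST", "DELETE"):
        raise ValueError(f"unsupported method {method}")
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/admin/token",
        data=json.dumps({"token": token}).encode(),
        method=method,
        headers={"Authorization": f"Bearer {admin_pat}", "Content-Type": "application/json"},
    )
    if opener is None:
        ctx = ssl.create_default_context()
        if not verify_tls:  # equivalent of curl -k; only for a local gdk with a self-signed cert
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    try:
        with opener.open(req) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read()
    try:
        return status, (json.loads(body) if body else None)
    except json.JSONDecodeError:
        return status, None


def revoke_and_verify(base_url, admin_pat, token, opener=None, verify_tls=True):
    """Lookup, revoke, lookup again; report whether the session is really gone."""
    before, _ = admin_token_request(base_url, admin_pat, token, "POST", opener, verify_tls)
    revoke, _ = admin_token_request(base_url, admin_pat, token, "DELETE", opener, verify_tls)
    after, _ = admin_token_request(base_url, admin_pat, token, "POST", opener, verify_tls)
    return {"token": redact(token), "before": before, "revoke": revoke,
            "after": after, "revoked": after == 404}


class _Resp(io.BytesIO):
    """Minimal response object carrying the .status attribute urllib responses have."""
    def __init__(self, status, body):
        super().__init__(body)
        self.status = status


class FakeGitLab:
    """Constructed stand-in for the API so the flow runs offline; not GitLab's behaviour."""
    def __init__(self, admin_pat, live_sessions):
        self.admin_pat = admin_pat
        self.live = set(live_sessions)

    def open(self, req):
        def fail(code, msg):
            body = json.dumps({"message": f"{code} {msg}"}).encode()
            return urllib.error.HTTPError(req.full_url, code, msg, {}, io.BytesIO(body))
        if req.get_header("Authorization") != f"Bearer {self.admin_pat}":
            raise fail(401, "Unauthorized")
        token = json.loads(req.data)["token"]
        if token not in self.live:
            raise fail(404, "Not Found")
        if req.get_method() == "DELETE":
            self.live.discard(token)
            return _Resp(204, b"")
        return _Resp(200, b'{"type": "session"}')  # constructed body, not the real payload


if __name__ == "__main__":
    token = session_cookie_to_token("_gitlab_session_abc123", "long-string-with-numbers")
    fake = FakeGitLab("admin-pat", [token])
    print(revoke_and_verify("https://gdk.test:3443", "admin-pat", token, opener=fake))
```

Against a real gdk, drop the opener argument and pass verify_tls=False only while the instance uses its self-signed certificate; the third request is the part worth keeping in any automation, since a revoke is only confirmed when the follow-up lookup no longer finds the session.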

Related to #517699 (closed)

Edited by Nicholas Wittstruck
