
Token prefixes: Instance wide prefix only matches are invalid

What does this MR do and why?

Authn::Tokens::OauthApplicationSecrets.prefix? returns true even if only the instance-wide prefix matched. This caused other tokens to be wrongly identified as OauthApplicationSecrets. E.g. instancewideprefix-glpat would be identified as an OauthApplicationSecret, since the occurrence of gloas is not properly checked for tokens with instance-wide prefixes. Only tokens starting with gloas or instancewideprefix-gloas should match.

This MR fixes this behaviour by properly extracting the gloas- from the OAUTH_APPLICATION_SECRET_PREFIX_FORMAT. Instead of using split('-'), we are now deleting the format at the end of the string.

References

How to set up and validate locally

  1. Start the rails console: bundle exec rails c
  2. Enable the feature flag Feature.enable(:custom_prefix_for_all_token_types)
  3. Change the instance wide token prefix: Admin area > General > Account and limit > Instance token prefix, e.g. to mycustomprefix
  4. Without this MR, Authn::Tokens::OauthApplicationSecret.prefix?('mycustomprefix-glpat') in rails console will return true, because gloas is removed by split as well. With this MR, the same command will return false, as it now properly checks that gloas is also included.
  5. Test with Authn::Tokens::OauthApplicationSecret.prefix?('mycustomprefix-gloas-token') to validate that the behaviour works for a correct token.
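The prefix check described above, as an added example that is not GitLab's code: the format constant (assumed here to be `'gloas-%{random_bytes}'`) and the helper names are assumptions, and the buggy variant is a simplified reconstruction of the failure mode rather than the project's exact implementation. It shows why `split('-')` loses the trailing dash and why the instance-wide candidate has to carry the `gloas-` part.

```ruby
# Added example, not GitLab's code. The format constant and method names are
# assumptions made for illustration.
OAUTH_APPLICATION_SECRET_PREFIX_FORMAT = 'gloas-%{random_bytes}'.freeze

# Static part of the format, two ways. split('-').first yields "gloas" without
# the dash; deleting the placeholder suffix keeps the full "gloas-" prefix.
def secret_prefix_via_split
  OAUTH_APPLICATION_SECRET_PREFIX_FORMAT.split('-').first
end

def secret_prefix_via_delete_suffix
  OAUTH_APPLICATION_SECRET_PREFIX_FORMAT.delete_suffix('%{random_bytes}')
end

# Before the fix (simplified reconstruction): with an instance-wide prefix
# configured, any token carrying that prefix matched, regardless of type.
def buggy_prefix?(token, instance_prefix: nil)
  return true if token.start_with?(secret_prefix_via_split)
  return false if instance_prefix.nil? || instance_prefix.empty?

  token.start_with?("#{instance_prefix}-")
end

# After the fix: the token must start with "gloas-" or "<instance prefix>-gloas-".
def fixed_prefix?(token, instance_prefix: nil)
  prefix = secret_prefix_via_delete_suffix
  candidates = [prefix]
  candidates << "#{instance_prefix}-#{prefix}" unless instance_prefix.nil? || instance_prefix.empty?
  candidates.any? { |candidate| token.start_with?(candidate) }
end

# Constructed sample tokens with the expected classification; none are real secrets.
SAMPLES = {
  'gloas-abc123' => true,
  'mycustomprefix-gloas-abc123' => true,
  'mycustomprefix-glpat-abc123' => false, # PAT carrying the instance prefix
  'glpat-abc123' => false,
  'mycustomprefix-' => false,             # instance prefix alone
  'gloasfoo-abc123' => false              # "gloas" without the dash
}.freeze

# Runs one of the checkers over every sample token.
def classify(checker, instance_prefix)
  SAMPLES.keys.to_h { |token| [token, send(checker, token, instance_prefix: instance_prefix)] }
end

if __FILE__ == $PROGRAM_NAME
  puts "before: #{classify(:buggy_prefix?, 'mycustomprefix')}"
  puts "after:  #{classify(:fixed_prefix?, 'mycustomprefix')}"
end
```

Running the file with no arguments prints the classification of each sample under both variants; the buggy variant accepts the `glpat` token, the bare instance prefix and `gloasfoo-`, while the fixed variant matches only the two `gloas-` tokens.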

MR acceptance checklist


Related to #388379

Edited by Nicholas Wittstruck
