feat: add token prefix (!20968) · Merge requests · GitLab.org / GitLab

The 17.0 major release is coming on May 16, 2024! This version brings many exciting improvements to GitLab, but also removes some deprecated features. We are introducing three breaking change windows during which we expect breaking changes to be deployed to GitLab.com. You can read more about it on our blogpost . The first breaking change window begins 2024-04-22 09:00UTC and ends 2024-04-24 22:00UTC.

Max Wittig requested to merge siemens/gitlab:feat/token-prefix into master Nov 29, 2019

What does this MR do?

This merge requests adds a prefix to every personal access token, which makes it easier to distinguish them from other tokens and also makes it possible to find them using tools like gitleaks, which in turn uses rules to identify keys.

AWS also uses a prefix to identify their keys: AKIAIOSFODNN7EXAMPLE

🛠 with ❤ at Siemens

Screenshots

Database

$ bin/rake db:migrate

== 20201119133534 AddPersonalAccessTokenPrefixToApplicationSetting: migrating =
-- add_column(:application_settings, :personal_access_token_prefix, :text)
   -> 0.0016s
== 20201119133534 AddPersonalAccessTokenPrefixToApplicationSetting: migrated (0.0017s)

== 20201119133604 AddTextLimitToApplicationSettingPersonalAccessTokenPrefix: migrating
-- transaction_open?()
   -> 0.0000s
-- current_schema()
   -> 0.0003s
-- execute("ALTER TABLE application_settings\nADD CONSTRAINT check_718b4458ae\nCHECK ( char_length(personal_access_token_prefix) <= 20 )\nNOT VALID;\n")
   -> 0.0026s
-- current_schema()
   -> 0.0002s
-- execute("SET statement_timeout TO 0")
   -> 0.0002s
-- execute("ALTER TABLE application_settings VALIDATE CONSTRAINT check_718b4458ae;")
   -> 0.0013s
-- execute("RESET ALL")
   -> 0.0002s
== 20201119133604 AddTextLimitToApplicationSettingPersonalAccessTokenPrefix: migrated (0.0139s)

$ bin/rake db:rollback STEP=2

== 20201119133604 AddTextLimitToApplicationSettingPersonalAccessTokenPrefix: reverting
-- execute("ALTER TABLE application_settings\nDROP CONSTRAINT IF EXISTS check_718b4458ae\n")
   -> 0.0009s
== 20201119133604 AddTextLimitToApplicationSettingPersonalAccessTokenPrefix: reverted (0.0039s)

== 20201119133534 AddPersonalAccessTokenPrefixToApplicationSetting: reverting =
-- remove_column(:application_settings, :personal_access_token_prefix, :text)
   -> 0.0023s
== 20201119133534 AddPersonalAccessTokenPrefixToApplicationSetting: reverted (0.0024s)

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
Tested in all supported browsers

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

Label as security and @ mention @gitlab-com/gl-security/appsec
The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
Security reports checked/validated by a reviewer from the AppSec team

@gitlab-com/gl-security/appsec security

Edited Dec 03, 2020 by Diego Louzán

Admin message

feat: add token prefix