Display tokens that do not have expiry enforced
Problem Statement
In !33783 (merged), we introduced the option to toggle Personal Access Token Expiry Enforcement.
Consider a situation where expiry is not enforced and a token expires. The user can continue to use the token (we will be showing an in-app banner as part of !34101 (merged)); however, there is no way for the user to revoke access for the token from the UI if they want to. Inactive tokens are not displayed on the user's Personal Access Token page.
What does this MR do?
This MR shows the tokens that have expired yet are active in the list of Active Tokens. In order to make it explicit to the user, the token is shown as Expired with a tool-tip that says Expiration not enforced.
Mentions #214723 (closed)
Query
SELECT
"personal_access_tokens".*
FROM
"personal_access_tokens"
WHERE
"personal_access_tokens"."user_id" = 641
AND "personal_access_tokens"."impersonation" = FALSE
AND (("personal_access_tokens"."revoked" = FALSE
OR "personal_access_tokens"."revoked" IS NULL)
AND (expires_at <= '2020-06-17 17:23:06.003591')
OR (revoked = FALSE
AND (expires_at >= NOW()
OR expires_at IS NULL)))
ORDER BY
"personal_access_tokens"."expires_at" ASC
Execution time:
Time: 8.052 ms
- planning: 0.409 ms
- execution: 7.643 ms
- I/O read: 7.404 ms
- I/O write: 0.000 ms
Shared buffers:
- hits: 0 from the buffer pool
- reads: 4 (~32.00 KiB) from the OS file cache, including disk I/O
- dirtied: 0
- writes: 0
Execution plan: https://explain.depesz.com/s/DBrN
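The selection logic of the query above, as an added Ruby example that is not code from this MR or from GitLab. Token, listed_tokens and expiry_label are hypothetical names, the sample rows are constructed, and the behaviour with enforcement switched on (expired tokens dropped from the list) is an assumption based on the problem statement.

```ruby
# Added illustration; Token, listed_tokens and expiry_label are hypothetical
# names, not GitLab's model or helpers.
Token = Struct.new(:name, :revoked, :expires_at, :impersonation, keyword_init: true)

# Mirrors the WHERE clause: skip impersonation tokens, then keep tokens that are
# expired but not revoked (revoked FALSE or NULL), or revoked = FALSE and unexpired.
# Assumption: with enforcement on, the expired branch is dropped.
def listed_tokens(tokens, now:, expiry_enforced:)
  rows = tokens.select do |t|
    next false if t.impersonation
    not_revoked = t.revoked == false || t.revoked.nil?
    expired_usable = not_revoked && !t.expires_at.nil? && t.expires_at <= now
    active = t.revoked == false && (t.expires_at.nil? || t.expires_at >= now)
    active || (!expiry_enforced && expired_usable)
  end
  # ORDER BY expires_at ASC; PostgreSQL sorts NULLs last for ASC.
  rows.sort_by { |t| [t.expires_at.nil? ? 1 : 0, t.expires_at.to_f] }
end

# Returns [label, tooltip]. Only the "Expired" / "Expiration not enforced" pair
# comes from the MR text; the other labels are assumptions.
def expiry_label(token, now:)
  return ['No expiry', nil] if token.expires_at.nil?
  return ['Expired', 'Expiration not enforced'] if token.expires_at <= now
  [token.expires_at.strftime('%Y-%m-%d'), nil]
end

# Constructed sample rows; NOW is the query's timestamp truncated to seconds.
NOW = Time.utc(2020, 6, 17, 17, 23, 6)
SAMPLE = [
  Token.new(name: 'laptop',     revoked: false, expires_at: Time.utc(2020, 12, 31), impersonation: false),
  Token.new(name: 'ci-deploy',  revoked: false, expires_at: Time.utc(2020, 6, 1),   impersonation: false),
  Token.new(name: 'old-script', revoked: true,  expires_at: Time.utc(2020, 5, 1),   impersonation: false),
  Token.new(name: 'no-expiry',  revoked: false, expires_at: nil,                    impersonation: false),
  Token.new(name: 'admin-imp',  revoked: false, expires_at: Time.utc(2020, 6, 1),   impersonation: true)
].freeze

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |enforced|
    puts "expiry enforced: #{enforced}"
    listed_tokens(SAMPLE, now: NOW, expiry_enforced: enforced).each do |t|
      label, tip = expiry_label(t, now: NOW)
      puts "  #{t.name}: #{label}#{tip ? " (#{tip})" : ''}"
    end
  end
end
```

With enforcement off, the expired but unrevoked ci-deploy token appears in the list, which is what gives the user a row to revoke.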
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
- Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team