Skip to content

Resolve "Clarify call to action for expired active tokens" [RUN AS-IF-FOSS]

Dennis Tang requested to merge 222734-clarify-call-to-action-for-expired-active-tokens into master

What does this MR do?

We add some visual clarification around expired personal access tokens:

  • Add a clarifying description when revoke on expiration is not enforced.
  • Move the Scopes column to right after the Name column.
  • Only use the Primary Danger button for PAT that have expired, and use Secondary Danger button for everything else

Testing & Setup

  1. Run the following in rails c to create the access tokens:
FactoryBot.definition_file_paths = [Rails.root.join('ee', 'spec', 'factories')]
FactoryBot.find_definitions

# Admin user
user = User.find_by_id(1)

# Create tokens
FactoryBot.create(:personal_access_token, user: user, expires_at: 1.days.ago) # Expired token
FactoryBot.create(:personal_access_token, user: user) # Active token
  1. View the personal access tokens page at [GDK_HOST]/-/profile/personal_access_tokens

Screenshots (strongly suggested)

Personal access tokens

Message displays when personal access token expiration is not enforced.

Before After (not enforced) After (enforced)
Bildschirmfoto_2021-04-14_um_13.13.42 Bildschirmfoto_2021-04-14_um_13.14.57 image

Project tokens

No visible change.

Before After
image image

Impersonation tokens

No visible change.

Before After
image image

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • [-] Label as security and @ mention @gitlab-com/gl-security/appsec
  • [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • [-] Security reports checked/validated by a reviewer from the AppSec team

Related to #222734 (closed)

Edited by Jiaan Louw

Merge request reports