Only expose `id` and `name` attributes when serializing deploy token
What does this MR do and why?
Related to #353686
In `app/views/shared/deploy_tokens/_table.html.haml#L28` we are serializing the entire deploy token object and passing it to the frontend. This means the `token` and `token_encrypted` attributes are exposed in the HTML when they don't need to be. The frontend only needs the `name` and `id` attributes.
This is a user-generated token, so the user has already seen the token value, but we do tell the user that "The password can not be recovered", so we should not expose it.
It was confirmed with security that this MR can be opened in gitlab-org/gitlab - https://gitlab.com/gitlab-org/security/gitlab/-/issues/615#note_854478625
Screenshots or screen recordings
Still works the same as before.
Projects
| Before | After |
|---|---|
| Screen_Recording_2022-02-24_at_10.33.29_AM | Screen_Recording_2022-02-24_at_10.25.35_AM |
Groups
| Before | After |
|---|---|
| Screen_Recording_2022-02-24_at_10.32.38_AM | Screen_Recording_2022-02-24_at_10.26.41_AM |
How to set up and validate locally
Projects
- Navigate to a project -> Settings -> Repository
- Create a deploy token
- Click the Revoke button and confirm
Groups
- Navigate to a group -> Settings -> Repository
- Create a deploy token
- Click the Revoke button and confirm
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
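The exposure described in this MR, and the allow-list fix, as an added example that is not GitLab's code: the `DeployToken` struct, the `data-token` attribute name, the helper names and all values are constructed for illustration; only the attribute names `id`, `name`, `token` and `token_encrypted` come from the description. `leaked_keys` is the kind of regression check that can be run against rendered markup.

```ruby
require 'json'

# Constructed stand-in for a deploy token record (not the GitLab model).
DeployToken = Struct.new(:id, :name, :token, :token_encrypted, keyword_init: true) do
  def attributes
    to_h.transform_keys(&:to_s)
  end
end

ALLOWED_KEYS   = %w[id name].freeze                # what the frontend needs
SENSITIVE_KEYS = %w[token token_encrypted].freeze  # must never reach the HTML
HTML_ESCAPES   = { '&' => '&amp;', '"' => '&quot;', '<' => '&lt;', '>' => '&gt;' }.freeze

# Minimal attribute escaping for this example only.
def escape_attr(text)
  text.gsub(/[&"<>]/, HTML_ESCAPES)
end

def unescape_attr(text)
  text.gsub(/&(?:amp|quot|lt|gt);/) { |entity| HTML_ESCAPES.key(entity) }
end

# "Before": the whole record is serialized into the markup.
def render_row_unsafe(record)
  %(<button data-token="#{escape_attr(record.attributes.to_json)}">Revoke</button>)
end

# "After": only allow-listed attributes are serialized.
def render_row_safe(record)
  payload = record.attributes.slice(*ALLOWED_KEYS)
  %(<button data-token="#{escape_attr(payload.to_json)}">Revoke</button>)
end

# Regression check: decode every data-token payload in the HTML and
# report any sensitive attribute names it carries.
def leaked_keys(html)
  html.scan(/data-token="([^"]*)"/).flat_map do |(raw)|
    JSON.parse(unescape_attr(raw)).keys & SENSITIVE_KEYS
  end.uniq
end

# Constructed sample record; the secret values are placeholders.
SAMPLE = DeployToken.new(id: 7, name: 'ci-read', token: 'CONSTRUCTED-SECRET',
                         token_encrypted: 'CONSTRUCTED-CIPHERTEXT')

if __FILE__ == $PROGRAM_NAME
  puts "before: #{leaked_keys(render_row_unsafe(SAMPLE)).inspect}"
  puts "after:  #{leaked_keys(render_row_safe(SAMPLE)).inspect}"
end
```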