Apply secure defaults for access tokens
What does this MR do and why?
Many people create tokens just to test something out quickly and will use the default values because they want to go quickly. Then this token, which isn't used ever again, risks being leaked and compromising the user and their organization.
By having a default value in this field we're reducing the lifetime of tokens that weren't meant to last forever and also reducing the potential for leaks.
We're also setting the default access level to guest instead of maintainer for project and group access tokens. Hopefully this minor change will make people choose the lowest permissions needed instead of just leaving the default "maintainer" value and having a token with too many permissions.
This work relates to https://gitlab.com/gitlab-com/gl-security/security-department-meta/-/issues/1397
Relates to #348660 (closed)
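The two weaknesses these defaults address (tokens created without an expiry and project/group tokens left at the "maintainer" level) can also be checked after the fact. The following audit script is an added example, not GitLab's own code: it runs over a constructed list of token records and reports the ones that still look like "quick test" tokens. The `Token` fields, the integer access-level values and the 365-day maximum-lifetime threshold are assumptions made for this example.

```ruby
require 'date'

# Access levels in GitLab's order (Guest < Reporter < Developer < Maintainer);
# the integer values are assumed here, not read from GitLab's code.
ACCESS_LEVELS = { 'Guest' => 10, 'Reporter' => 20, 'Developer' => 30, 'Maintainer' => 40 }.freeze

# A minimal token record (constructed for this example; field names are assumptions).
Token = Struct.new(:name, :kind, :expires_at, :access_level, :last_used_at, keyword_init: true)

# Return the list of findings for one token; an empty array means it looks fine.
def token_findings(token, today:, max_lifetime_days: 365)
  findings = []
  if token.expires_at.nil?
    findings << 'no expiration date'
  elsif (token.expires_at - today).to_i > max_lifetime_days
    findings << "expires more than #{max_lifetime_days} days from now"
  end
  # An access level only applies to project and group tokens, not personal ones.
  if %w[project group].include?(token.kind) && token.access_level.to_i >= ACCESS_LEVELS['Maintainer']
    findings << "#{token.kind} token with Maintainer (or higher) access"
  end
  # A token that was never used after creation is the "tested once and forgotten" case.
  findings << 'never used since creation' if token.last_used_at.nil?
  findings
end

# Audit every token; returns { token name => findings } for tokens that need attention.
def audit_tokens(tokens, today: Date.today, max_lifetime_days: 365)
  tokens.each_with_object({}) do |token, report|
    f = token_findings(token, today: today, max_lifetime_days: max_lifetime_days)
    report[token.name] = f unless f.empty?
  end
end

# Constructed sample data for a stand-alone run.
SAMPLE_TODAY = Date.new(2022, 7, 25)
SAMPLE_TOKENS = [
  Token.new(name: 'quick-test', kind: 'personal', expires_at: nil, access_level: nil, last_used_at: nil),
  Token.new(name: 'ci-deploy', kind: 'project', expires_at: Date.new(2022, 8, 24), access_level: 40,
            last_used_at: Date.new(2022, 7, 24)),
  Token.new(name: 'readonly-bot', kind: 'group', expires_at: Date.new(2022, 8, 24), access_level: 10,
            last_used_at: Date.new(2022, 7, 24)),
  Token.new(name: 'forever', kind: 'project', expires_at: Date.new(2030, 1, 1), access_level: 10,
            last_used_at: Date.new(2022, 7, 1))
].freeze

if __FILE__ == $PROGRAM_NAME
  audit_tokens(SAMPLE_TOKENS, today: SAMPLE_TODAY).each do |name, findings|
    puts "#{name}: #{findings.join('; ')}"
  end
end
```

Running it on the sample data flags `quick-test` (no expiry, never used), `ci-deploy` (maintainer on a project token) and `forever` (expiry too far out), while `readonly-bot`, a guest-level group token with a short expiry, passes. Pointing the same logic at a real token export turns the MR's defaults into a recurring check rather than a one-time UI change.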
Thanks
Special mention to @greg who mentioned the default expiration date idea during the AppSec shadow program.
Screenshots or screen recordings
EDIT: I didn't re-take all the screenshots below, but the date clear button works now
Screencast: Screencast_from_2022-07-25_09_31_38_AM
Screenshots: Personal Access Tokens, Project Access Tokens, Group Access Tokens
How to set up and validate locally
- Visit the Personal Access Token page (http://gdk.test:3000/-/profile/personal_access_tokens) and observe the default date
- Visit the Project Access Token page (http://gdk.test:3000/flightjs/Flight/-/settings/access_tokens) and observe the default date and role
- Visit the Group Access Token page (http://gdk.test:3000/groups/flightjs/-/settings/access_tokens) and observe the default date and role
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.