Unify Personal Access Token expiration behavior
What does this MR do and why?
Fixes https://gitlab.com/gitlab-org/gitlab/-/issues/364526
Previously some portions of GitLab used Expirable concern scopes to determine whether a token was valid and other areas used the PAT model active scope. One scope treated tokens as expired at midnight on expiration day while the other used end of day. This change unifies the behavior to beginning of day.
Both the container registry and dependency proxy authentication use the JwtController to call Gitlab::Auth.find_for_git_client. This method cascades through potential authentication methods including personal access tokens using the PersonalAccessTokenFinder. The finder_options passed in include state active, which will use the modified active scope defined in this MR.
As a result, personal access tokens expire at the beginning of the day (server time) vs. end of day.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
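The two expiry rules described above, side by side, as an added Ruby example (not GitLab's code; `Token`, the method names and the sample dates are constructed for illustration). It lists the tokens on which the two rules disagree on a given day and shows how the server's UTC offset decides which calendar day applies.

```ruby
require 'date'

# Constructed stand-in for a personal access token record (hypothetical).
Token = Struct.new(:name, :expires_at, :revoked)

# Rule unified on by the MR: the token stops working at 00:00 on expires_at.
def active_start_of_day?(token, today)
  return false if token.revoked
  token.expires_at.nil? || token.expires_at > today
end

# The other rule the description mentions: valid through the end of expires_at.
def active_end_of_day?(token, today)
  return false if token.revoked
  token.expires_at.nil? || token.expires_at >= today
end

# Tokens that one code path would accept and the other reject on `today`.
def divergent_tokens(tokens, today)
  tokens.select { |t| active_start_of_day?(t, today) != active_end_of_day?(t, today) }
end

# Calendar date as seen by a server at the given UTC offset ("+02:00").
# Expiry is evaluated in server time, so the offset shifts the cut-over instant.
def server_date(utc_time, utc_offset)
  local = utc_time.getlocal(utc_offset)
  Date.new(local.year, local.month, local.day)
end

# Constructed sample data.
SAMPLE_TOKENS = [
  Token.new('expires-today',    Date.new(2022, 7, 1), false),
  Token.new('expires-tomorrow', Date.new(2022, 7, 2), false),
  Token.new('never-expires',    nil,                  false),
  Token.new('revoked-today',    Date.new(2022, 7, 1), true)
].freeze

if __FILE__ == $PROGRAM_NAME
  instant = Time.utc(2022, 6, 30, 23, 30)
  ['+00:00', '+02:00'].each do |offset|
    today = server_date(instant, offset)
    names = divergent_tokens(SAMPLE_TOKENS, today).map(&:name)
    puts "offset #{offset}: server date #{today}, rules disagree on #{names.inspect}"
  end
end
```

Only a token whose expiration date equals the server's current date falls in the window where the two rules differ, which is the inconsistency the MR removes.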