Route request via PAT token
See https://docs.gitlab.com/ee/architecture/blueprints/cells/routing-service.html for background
1. Assume the Cell is configured to generate all secrets and session cookies with a prefix.
2. The routing service will route to that cell if it reads a header such as `GITLAB_TOKEN` that matches the prefix, following https://docs.gitlab.com/ee/architecture/blueprints/cells/routing-service.html#router-configured-to-perform-static-routing
   * `priority` for this rule is to be determined

NOTE: there are many different types of tokens, so we may need to prioritize which ones to implement first:
- `GITLAB_TOKEN` header (personal access tokens)
- `Authorization: Bearer` for Direct Transfer (https://gitlab.com/gitlab-org/gitlab/-/issues/434968#note_1760557290)
- [`UNLEASH-INSTANCEID` header](https://gitlab.com/gitlab-org/gitlab/-/issues/439323#note_1749596746)
- Others
## Proposal
1. Update the Rails application to have tokens be prefixable via the [organization](https://gitlab.com/gitlab-org/gitlab/-/issues/442344) or another top-level actor.
   - We need to keep in mind that if an organization gets moved to a different cell, the token needs to continue to work.
2. Update the router rules generated by the Rails application with the appropriate rules for tokens. NOTE: the router will need to call the [classify service](https://gitlab.com/gitlab-org/gitlab/-/blob/d68090313c1a5102318bec9847c7f9638c7e2482/doc/architecture/blueprints/cells/routing-service.md#classification).
3. Ensure all secret detection code (e.g. regexes) is updated to match both un-Cell-prefixed and Cell-prefixed tokens.
   - For the PoC: https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/assets/javascripts/lib/utils/secret_detection.js
   - Before productionizing, there is a list of places here: https://docs.gitlab.com/ee/development/secure_coding_guidelines.html#token-prefixes
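
An added example (not GitLab's code and not taken from the PoC file) of why step 3 matters, plus a router-side lookup of the cell from a token. The layout `glpat-<cell>_<body>`, the `cell<N>` prefix, the 20-character body, and all function names are assumptions made for illustration.

```javascript
// Added example, not GitLab code. ASSUMED token layouts (hypothetical):
//   un-prefixed PAT: glpat-<20 chars from [0-9A-Za-z_-]>
//   Cell-prefixed:   glpat-<cell>_<20 chars>, where <cell> is "cell" + digits
const BODY = '[0-9A-Za-z_-]{20}';

// Detector that only knows the un-prefixed form.
const LEGACY_ONLY = new RegExp(`glpat-${BODY}`, 'g');

// Detector for both forms. The Cell-prefixed alternative comes first so a
// prefixed token is consumed whole rather than cut off after 20 characters.
const BOTH_FORMS = new RegExp(`glpat-(?:cell\\d+_${BODY}|${BODY})`, 'g');

// Replace every token the given detector finds.
function redact(text, detector) {
  return text.replace(detector, '[REDACTED]');
}

// Router side: return the cell prefix carried by a token header value, or
// null for un-prefixed or malformed values so the caller can fall back to
// another rule.
function cellFromToken(headerValue) {
  const exact = new RegExp(`^glpat-(cell\\d+)_${BODY}$`);
  const m = exact.exec(String(headerValue).trim());
  return m ? m[1] : null;
}

// Constructed sample tokens (not real credentials).
const SAMPLE_LEGACY = 'glpat-' + 'A'.repeat(20);
const SAMPLE_PREFIXED = 'glpat-cell2_' + 'B'.repeat(14) + 'TAIL99';

// The un-updated detector stops 20 characters after "glpat-", so the last
// six characters of the prefixed token survive redaction.
console.log(redact(`token=${SAMPLE_PREFIXED}`, LEGACY_ONLY)); // token=[REDACTED]TAIL99
console.log(redact(`token=${SAMPLE_PREFIXED}`, BOTH_FORMS));  // token=[REDACTED]
console.log(cellFromToken(SAMPLE_PREFIXED), cellFromToken(SAMPLE_LEGACY)); // cell2 null
```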