Improve token related documentation
Problem to solve
In doc/user/profile/personal_access_tokens.md we don't provide examples of how to use the token.
gitlab-foss!31519 (closed) tried to do that, but since this has security implications, a security engineer got involved and suggested not documenting the insecure capability, and instead sticking to Personal Access Token usage for API calls via the Private-Token header. The contributor didn't like that and closed the MR.
I think we should still be able to improve on the current documentation though.
Proposal
These ideas come from the above MR.
For example, just adding a warning to say that the feature is insecure would already be an improvement in my opinion.
GitHub on their "Git automation with OAuth tokens" page has the following warning at the bottom of the page:
Warning: Tokens have read/write access and should be treated like passwords. If you enter your token into the clone URL when cloning or adding a remote, Git writes it to your .git/config file in plain text, which is a security risk.
We could perhaps also talk about using a git credential helper and configuring it so that the token is stored encrypted, as described in https://stackoverflow.com/questions/53305965/whats-the-best-encrypted-git-credential-helper-for-linux.
Suggesting in the doc that users instead stick to Personal Access Token usage for API calls via the Private-Token header would also be an improvement.
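As an added illustration of the two proposals above (this is not code from the issue, the closed MR or GitLab's own docs), the shell below shows the Private-Token header form for API calls next to a check that flags remote URLs in a .git/config that carry an embedded credential. The host gitlab.example.com, the GITLAB_TOKEN variable and the sample token are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from GitLab or its documentation. Assumes POSIX sh,
# grep, sed, mktemp and curl; host name and token values are constructed.

# Recommended form: send the PAT in the Private-Token header rather than in a
# URL, so it is never written to .git/config as part of a remote. The token is
# read from the environment (GITLAB_TOKEN is an assumed variable name).
gitlab_api_get() {
    # $1 = API path, e.g. /api/v4/user
    curl --silent --fail \
        --header "Private-Token: ${GITLAB_TOKEN:?set GITLAB_TOKEN first}" \
        "https://gitlab.example.com$1"
}

# Defender's check: list remote URLs in a git config file that embed a
# credential (the "user:token@host" form git keeps in plain text when a token
# is typed into the clone URL). The userinfo part is redacted in the output so
# the check itself does not copy the secret into logs.
find_embedded_credentials() {
    grep -E '^[[:space:]]*url[[:space:]]*=[[:space:]]*[A-Za-z+]+://[^/@[:space:]]+@' "$1" \
        | sed -E 's/^[[:space:]]*url[[:space:]]*=[[:space:]]*//' \
        | sed -E 's#(://)[^/@]+@#\1<redacted>@#'
}

# Constructed sample config: one remote with a token pasted into the URL and
# one clean remote. Prints the path of the temporary file it wrote.
make_sample_config() {
    dir=$(mktemp -d)
    cat > "$dir/config" <<'EOF'
[core]
    repositoryformatversion = 0
[remote "origin"]
    url = https://oauth2:glpat-CONSTRUCTEDEXAMPLE@gitlab.example.com/group/project.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[remote "upstream"]
    url = https://gitlab.example.com/group/upstream.git
    fetch = +refs/heads/*:refs/remotes/upstream/*
EOF
    echo "$dir/config"
}
```

Running `find_embedded_credentials .git/config` in a checkout reports only the redacted URL of any remote that needs its credential moved into a credential helper.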
Who can address the issue
My opinion is that this issue would be best addressed if @gitlab-com/gl-security/appsec could collaborate with documentation specialists.
/cc @marcel.amirault