gitter / webapp · Issue #2838 · Closed

Created Apr 27, 2022 by Eric Eastwood (@MadLittleMods, Owner) · 4 of 4 tasks completed

Are we impacted by the GitLab.com 15.0 breaking changes?

GitLab 15.0 is rolling out to GitLab.com sometime between April 23 – May 22 and includes a number of breaking changes that might affect us.

GitLab 15.0 is launching on May 22! This version brings many exciting improvements, but also removes deprecated features and introduces breaking changes that may impact your workflow. To see what is being deprecated and removed, please visit Breaking changes in 15.0 and Deprecations.

OAuth changes

  • The OAuth implicit grant authorization flow is being removed, https://about.gitlab.com/blog/2022/04/18/gitlab-releases-15-breaking-changes/#oauth-implicit-grant
    • gitlab-org/gitlab#288516 (closed)
    • Do we use this? Our Passport strategy is https://github.com/fh1ch/passport-gitlab2
    • Based on https://www.youtube.com/watch?v=t_4CmFRyKk0, I don't think we use the implicit flow. AFAICT, we use the authorization_code flow from the video.
    • https://oauth.net/2/grant-types/implicit/
    • https://docs.gitlab.com/14.10/ee/api/oauth2.html#authorization-code-flow
    • https://docs.gitlab.com/14.10/ee/api/oauth2.html#implicit-grant-flow-deprecated
  • OAuth tokens get expiration dates (expire after 2 hours), https://about.gitlab.com/blog/2022/04/18/gitlab-releases-15-breaking-changes/#oauth-tokens-without-expiration
    • -> Fixes:
      • !2284 (merged)
      • !2283 (merged)
    • gitlab-org/gitlab#340848 (closed)
    • gitlab-org/gitlab#351182 (closed)
    • I think this affects us since currently we rely on access tokens working forever after signing in.
    • For GitLab, we seem to save the refreshToken as identity.accessTokenSecret even though identity also has a refreshToken field, although we currently don't do anything with the refreshToken.
      • We can fix the code to write to the proper identity.refreshToken field
      • And then write a migration to fix all of the existing GitLab users.
    • "To retrieve a new access_token, use the refresh_token parameter. Refresh tokens may be used even after the access_token itself expires." -- https://docs.gitlab.com/14.10/ee/api/oauth2.html#authorization-code-flow
    • All of our code that needs a GitLab access token already uses getGitlabAccessTokenFromUser(user), which is async, so we could also add the necessary logic to refresh the token there. But we probably want to add an identity.accessTokenExpires date to compare against.
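The token-handling change sketched in the bullets above, as an added example that is not code from the Gitter webapp: a one-off cleanup that moves a refresh token out of the legacy identity.accessTokenSecret slot into identity.refreshToken, an expiry check against an identity.accessTokenExpires date, and the refresh_token grant from the GitLab authorization-code flow wired into a getGitlabAccessToken helper in the spirit of getGitlabAccessTokenFromUser(user). The identity field names beyond those mentioned in the issue, the injected tokenEndpoint function, and all token values are assumptions constructed for the example; a real deployment would POST the same body to https://gitlab.com/oauth/token.

```javascript
// Added example, not Gitter webapp code: keeping a GitLab OAuth access token
// usable once GitLab 15.0 starts expiring tokens after 2 hours.
// Assumed (not from the issue): the stored identity record has the fields
// accessToken, accessTokenSecret (legacy slot), refreshToken and
// accessTokenExpires, and the token endpoint is injected as an async function
// so this runs offline. In production tokenEndpoint would POST the body to
// https://gitlab.com/oauth/token as described in the GitLab OAuth docs.

const EXPIRY_SKEW_MS = 60 * 1000; // refresh a minute early; never hand out a token about to die

// Migration for identities written by the old code, which stored the refresh
// token in accessTokenSecret and left refreshToken empty. Idempotent.
function migrateLegacyIdentity(identity) {
  if (identity.refreshToken || !identity.accessTokenSecret) {
    return identity; // already correct, or nothing to move
  }
  return { ...identity, refreshToken: identity.accessTokenSecret, accessTokenSecret: null };
}

function isAccessTokenExpired(identity, now) {
  if (!identity.accessTokenExpires) {
    // Token issued before expirations existed: no date recorded, so treat it as
    // expired, refresh once, and record a real expiry on the way through.
    return true;
  }
  return now + EXPIRY_SKEW_MS >= Date.parse(identity.accessTokenExpires);
}

// refresh_token grant from the GitLab authorization-code flow. GitLab returns a
// new refresh token alongside the access token; persist it or the next refresh fails.
async function refreshGitlabToken(identity, { tokenEndpoint, clientId, clientSecret, redirectUri, now }) {
  const response = await tokenEndpoint({
    grant_type: 'refresh_token',
    refresh_token: identity.refreshToken,
    client_id: clientId,
    client_secret: clientSecret,
    redirect_uri: redirectUri,
  });
  return {
    ...identity,
    accessToken: response.access_token,
    refreshToken: response.refresh_token,
    // expires_in is in seconds from "now"; store an absolute ISO date to compare against later
    accessTokenExpires: new Date(now + response.expires_in * 1000).toISOString(),
  };
}

// What an async getGitlabAccessTokenFromUser(user) would do internally: hand back a
// live token, refreshing when needed and returning the updated identity to persist.
async function getGitlabAccessToken(identity, deps) {
  const now = deps.now !== undefined ? deps.now : Date.now();
  if (!isAccessTokenExpired(identity, now)) {
    return { accessToken: identity.accessToken, identity, refreshed: false };
  }
  if (!identity.refreshToken) {
    // Nothing to refresh with: the user has to go through the sign-in flow again.
    throw new Error('GitLab access token expired and no refresh token stored');
  }
  const updated = await refreshGitlabToken(identity, { ...deps, now });
  return { accessToken: updated.accessToken, identity: updated, refreshed: true };
}

// Constructed stand-in for the GitLab token endpoint (every value is made up).
// It accepts exactly one refresh token, so a second refresh with a stale token
// fails the way GitLab would with invalid_grant.
async function fakeTokenEndpoint(body) {
  if (body.grant_type !== 'refresh_token' || body.refresh_token !== 'refresh-old') {
    throw new Error('invalid_grant');
  }
  return { access_token: 'access-new', refresh_token: 'refresh-new', token_type: 'Bearer', expires_in: 7200 };
}

const FAKE_DEPS = {
  tokenEndpoint: fakeTokenEndpoint,
  clientId: 'app-id', // constructed
  clientSecret: 'app-secret', // constructed
  redirectUri: 'https://example.invalid/callback', // constructed
};
```

The caller is responsible for saving the identity returned with refreshed: true; because GitLab rotates the refresh token, dropping that write leaves the user with a refresh token the server no longer accepts, and the only recovery is a fresh sign-in.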

CI Changes

  • "We are removing retire.js from Dependency Scanning on May 22, 2022 in GitLab 15.0", https://about.gitlab.com/blog/2022/04/18/gitlab-releases-15-breaking-changes/#retire-js-dependency-scanning-tool
    • Probably need to remove .gitlab-ci.yml#L479-481
    • -> !2280 (merged)
  • "In GitLab 15.0, GitLab SAST will no longer use the following analyzers: ESLint (JavaScript, TypeScript, React), Gosec (Go), Bandit (Python)", https://about.gitlab.com/blog/2022/04/18/gitlab-releases-15-breaking-changes/#sast-analyzer-consolidation-and-cicd-template-changes
    • We have the ESLint one set which probably needs to be removed: .gitlab-ci.yml#L499-501
    • -> !2280 (merged)
Edited May 19, 2022 by Eric Eastwood