Prefix all authentication tokens for easier detection
When logging requests and other data GitLab tries to filter tokens to the best of our extend. However, if any tokens got missed its hard to detect and this might only get noticed after an incident.
My proposal would be to use a fixed prefix for all authentication tokens we use, to be set on `add_authentication_token_field :token`
Example;
```ruby
#Ci::Build model
add_authentication_token_field :token, format_with_prefix: :prefix_for_token
# ...
def prefix_for_token
'glprefix-'
end
```
The token as output should be `glprefix-<SecureRandomToken>`. This change should be backwards compatible, so token being used right now should still work.
## Tokens without prefix
As of 2022-09-23
- Instance runner registration token (specific runners have a prefix, generated by admins in `/admin/runners`)
- https://gitlab.com/gitlab-org/gitlab/-/issues/383198 Runner token (the one the runner receives after using the registration token)
- https://gitlab.com/gitlab-org/gitlab/-/issues/376752 Deploy tokens
- https://gitlab.com/gitlab-org/gitlab/-/issues/376751 Health Check access token (generated by admins in `/admin/health_check`
- https://gitlab.com/gitlab-org/gitlab/-/issues/376750 Incoming email token (per user, `/-/profile/personal_access_tokens`)
- https://gitlab.com/gitlab-org/gitlab/-/issues/376749 Feed token (per user, `/-/profile/personal_access_tokens`)
- https://gitlab.com/gitlab-org/gitlab/-/issues/376747 OAuth application secret
- wouldn't hurt to prefix the OAuth Application ID either :shrug:
- https://gitlab.com/gitlab-org/gitlab/-/issues/389472 Kubernetes Agent token
(Updated 2023-09-25)
- https://gitlab.com/gitlab-org/gitlab/-/issues/426137+
## Rotation roll-out
For each token type, we should do a planned rotation (if appropriate). [Example](https://gitlab.com/gitlab-org/gitlab/-/issues/414290)
epic