Notification emails for Personal Access Token creation
Release notes
The creation of a Personal Access Token is a critical event that users should review carefully. A token can allow read-write actions on all the projects the user has access to, for example when its scope is api. GitLab will now send a notification to the user every time a token is created for their account.
Problem to solve
It's a basic security best practice. As demonstrated by @dcouture in his (great) video (internal), attackers can leverage vulnerabilities to create PATs for the accounts of users who visit a page containing a crafted comment. The victim doesn't have to do anything apart from visiting the page, and they won't notice anything suspicious unless they keep the network view of their browser open (of course, no one does that in daily use).
Proposal
Sending notifications would at least let the user know that something happened with their account, so they can report the malicious activity faster and revoke the created token right away.
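As an added illustration of the check this proposal describes (example code written for this page, not GitLab's own implementation), the script below audits a user's tokens, picks out the ones created since the last check, and drafts the notice the account owner should receive, calling out read-write scopes such as api. The record shape is modelled on the personal access token API JSON, the sample records are constructed, and the set of write-capable scopes is an assumption.

```python
"""Audit a user's personal access tokens and draft the notice they should get
for each newly created one, calling out read-write scopes such as `api`."""
from datetime import datetime, timedelta

# Scopes that allow write actions; `api` alone is read-write on everything
# the user can reach. The list is an assumption for this example.
WRITE_SCOPES = {"api", "write_repository", "write_registry", "sudo"}

# Constructed sample records shaped like the GitLab personal access token API
# JSON (id, name, scopes, created_at, active, revoked); no real tokens.
SAMPLE_TOKENS = [
    {"id": 1, "name": "ci-readonly", "scopes": ["read_api"],
     "created_at": "2024-05-01T09:00:00Z", "active": True, "revoked": False},
    {"id": 2, "name": "x", "scopes": ["api"],
     "created_at": "2024-05-03T11:15:00Z", "active": True, "revoked": False},
    {"id": 3, "name": "old-deploy", "scopes": ["api"],
     "created_at": "2023-01-10T08:00:00Z", "active": True, "revoked": False},
    {"id": 4, "name": "already-revoked", "scopes": ["api"],
     "created_at": "2024-05-03T12:00:00Z", "active": False, "revoked": True},
]

def parse_ts(value):
    """API timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def is_high_risk(token):
    """True when any scope on the token permits write actions."""
    return bool(WRITE_SCOPES.intersection(token["scopes"]))

def new_tokens(tokens, now_iso, window_days=1, already_notified=()):
    """Return live tokens created within `window_days` before `now_iso` that
    have not been notified about yet, oldest first. Every creation counts,
    read-only scopes included, matching the 'notify on every token' proposal."""
    cutoff = parse_ts(now_iso) - timedelta(days=window_days)
    fresh = [t for t in tokens
             if t["active"] and not t["revoked"]
             and t["id"] not in already_notified
             and parse_ts(t["created_at"]) >= cutoff]
    return sorted(fresh, key=lambda t: t["created_at"])

def notification_text(token):
    """Body of the email the account owner should receive."""
    scopes = ", ".join(sorted(token["scopes"]))
    risk = ("It allows read-write actions on the projects you can access. "
            if is_high_risk(token) else "")
    return (f'A personal access token "{token["name"]}" (id {token["id"]}) '
            f"with scopes [{scopes}] was created on your account at "
            f"{token['created_at']}. {risk}If you did not create it, revoke it "
            "now in your user settings and report the activity.")
```

Run it periodically with the ids already notified about passed in `already_notified`, so each token produces exactly one notice.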