Personal access token expiry policy ("lifetime")
Problem Statement
Currently, users can optionally specify an expiration date for personal access tokens. This expiration date is not a requirement, and can be set to any arbitrary date.
Since PATs are the only token needed for programmatic access to GitLab, organizations with security requirements may want to enforce more protection to require regular rotation of these tokens.
Proposal
- Add this as a new setting to the "Account and limit" settings area in /admin/application_settings. Looking something like this:
- Add a setting that allows an administrator to require that personal access tokens must have an expiration date with a maximum from_now of X days.
  - Blank value = no limit.
  - When an integer is present:
    - Attempts to create PATs on the instance beyond this threshold should result in an error: "Personal access tokens must expire on (DATE) or earlier."
What do we do with existing tokens?
- Existing tokens should be revoked. We should inform the user:
- Email notice that their PAT has been revoked due to an application setting and needs to be regenerated.
- Attempting to use an expired PAT should emit an error that the PAT is no longer valid and needs to be regenerated.
- Stretch goal: 7 days before a PAT expires, warn the user one time via email (your PAT is about to expire) and emit an error every time the PAT is used.
The above should include PATs for administrators.
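As an added illustration of the proposed policy (not GitLab's own code), the three checks above in plain Ruby: the creation-time validation with the error message from the proposal, the selection of existing tokens that fall outside the new limit, and the 7-day expiry warning. The setting value, helper names and sample tokens are assumptions.

```ruby
require 'date'

# Assumed admin setting: maximum token lifetime in days; nil means the
# field was left blank, i.e. no limit.
MAX_LIFETIME_DAYS = 30

# Constructed sample tokens, as a stand-in for PersonalAccessToken rows.
SAMPLE_TOKENS = [
  { name: 'ci-deploy',  expires_at: nil },                   # never expires
  { name: 'laptop',     expires_at: Date.new(2024, 1, 15) },  # within limit
  { name: 'old-script', expires_at: Date.new(2025, 1, 1) }    # beyond limit
].freeze

# Creation-time check. Returns nil when the requested expiry is acceptable,
# otherwise the error message the proposal specifies. A missing expiry is
# rejected with the same message, since the setting makes expiry mandatory.
def pat_expiry_error(expires_at, max_lifetime_days, today = Date.today)
  return nil if max_lifetime_days.nil?            # blank setting = no limit
  latest = today + max_lifetime_days
  return nil if expires_at && expires_at <= latest
  "Personal access tokens must expire on #{latest.iso8601} or earlier."
end

# Existing tokens that violate the new policy (no expiry, or an expiry past
# the maximum) and would be revoked with an email notice to the owner.
def tokens_to_revoke(tokens, max_lifetime_days, today = Date.today)
  return [] if max_lifetime_days.nil?
  latest = today + max_lifetime_days
  tokens.select { |t| t[:expires_at].nil? || t[:expires_at] > latest }
end

# Stretch goal: true when the token expires within warn_days from today,
# the condition for the one-time warning email and per-use error.
def expiring_soon?(token, today = Date.today, warn_days = 7)
  exp = token[:expires_at]
  !exp.nil? && exp > today && exp <= today + warn_days
end

if __FILE__ == $PROGRAM_NAME
  today = Date.new(2024, 1, 1)
  puts pat_expiry_error(Date.new(2024, 3, 1), MAX_LIFETIME_DAYS, today)
  puts tokens_to_revoke(SAMPLE_TOKENS, MAX_LIFETIME_DAYS, today).map { |t| t[:name] }.inspect
end
```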
Additional
For the time being, @smcgivern provided a workaround (untested):
gitlab-rails r 'PersonalAccessToken.active.where(expires_at: nil).update_all(expires_at: 1.week.from_now)'