Improve Conan package registry authentication method

Description

At the moment, using the Conan package registry in a development environment where package version changes are frequent is a bit of a pain because the authentication expires way too frequently.

While I saw the reasoning behind the current value for the JWT token expiration in !60763 (merged), 1 day is still way too short, since it forces our developers to regenerate a PAT basically every day, or store it somewhere (which is unsafe), to reauthenticate to the registry.

I would like to either:

Is this something we could investigate? 🙂

I would love to have a better look and help out but I am missing the background on both the GitLab integration and Conan "hosting" 😅

Proposed solution

Deploy token

By default a deploy token never expires (docs), but it's possible to set an expiration time during token creation. Having a JWT that never expires might be a security aspect, but setting the expiration time of the JWT when there's one for the deploy token might be a good option.

CI job token

A CI job token is valid only during the job execution (docs). The current 1 hour expiration time of the JWT seems good enough, of course until we have long-running tasks. But perhaps we could deal with that in a follow-up.

Thus, we skip them for now.

Personal access token

We could set the expiration time of the Conan JWT token from the personal access token when we create it here. We'll need to change the ConanToken to accept the optional argument token when we initialize it.

Edited by Dzmitry (Dima) Meshcharakou
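
The expiry rule proposed above, as an added illustration that is not GitLab's `ConanToken` code: the JWT's `exp` follows the source token's expiry when it has one and falls back to a default lifetime otherwise, so the JWT never outlives the credential it was issued from. The function names, the HS256 signing and the 24-hour fallback are assumptions.

```ruby
require 'openssl'
require 'json'

# Assumed fallback lifetime for source tokens that carry no expiry of their own.
DEFAULT_TTL = 24 * 60 * 60

# Follow the source token's expiry when present; otherwise use the fallback,
# so the issued JWT is never non-expiring.
def jwt_expiry(source_expires_at, now: Time.now, default_ttl: DEFAULT_TTL)
  return now + default_ttl if source_expires_at.nil?
  raise ArgumentError, 'source token already expired' if source_expires_at <= now

  source_expires_at
end

# Unpadded URL-safe base64, as used by JWT segments.
def b64(data)
  [data].pack('m0').tr('+/', '-_').delete('=')
end

def b64d(str)
  (str.tr('-_', '+/') + '=' * (-str.length % 4)).unpack1('m0')
end

# Issue an HS256 JWT whose exp claim is derived from the source token.
def issue_jwt(secret, user_id, source_expires_at, now: Time.now)
  exp = jwt_expiry(source_expires_at, now: now).to_i
  header = b64(JSON.generate({ alg: 'HS256', typ: 'JWT' }))
  payload = b64(JSON.generate({ user_id: user_id, iat: now.to_i, exp: exp }))
  signature = b64(OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}"))
  "#{header}.#{payload}.#{signature}"
end

# Check signature first, then expiry; returns the claims hash or nil.
def verify_jwt(secret, jwt, now: Time.now)
  header, payload, signature = jwt.split('.')
  return nil unless header && payload && signature

  expected = b64(OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}"))
  return nil unless OpenSSL.secure_compare(expected, signature)

  claims = JSON.parse(b64d(payload))
  claims['exp'] > now.to_i ? claims : nil
end
```
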