[Feature request] "self" endpoints for token rotation
Problem to solve
As of v16.x, group, project, and personal access tokens can all be rotated; that's awesome. This will surely make it easier to prevent disruption of automated processes due to token expiration.
One deficiency is that rotation presently must be done in two steps: one API call to get the token's ID, and a subsequent API call that includes the token value (in a header) and the token ID (in the URL path) to conduct the actual rotation.
For example:
# Get old token's ID
$ curl --silent -X GET --header "PRIVATE-TOKEN: <OLD_TOKEN>" https://gitlab.dell.com/api/v4/personal_access_tokens/self | jq
{
  "id": <OLD_TOKEN_ID>,
  "name": "testrotation",
  "revoked": false,
  "created_at": "2023-09-28T22:37:06.377Z",
  "scopes": [
    "api"
  ],
  "user_id": 43793,
  "last_used_at": "2023-09-28T22:37:50.669Z",
  "active": true,
  "expires_at": "2023-10-28"
}

# Use token and its ID to rotate it
$ curl --silent -X POST --header "PRIVATE-TOKEN: <OLD_TOKEN>" https://gitlab.dell.com/api/v4/personal_access_tokens/<OLD_TOKEN_ID>/rotate | jq
{
  "id": 34992,
  "name": "testrotation",
  "revoked": false,
  "created_at": "2023-09-28T22:39:33.907Z",
  "scopes": [
    "api"
  ],
  "user_id": 43793,
  "last_used_at": null,
  "active": true,
  "expires_at": "2023-10-05",
  "token": "<NEW_TOKEN>"
}

# Confirm that old token is expired
$ curl --silent -X POST --header "PRIVATE-TOKEN: <OLD_TOKEN>" https://gitlab.dell.com/api/v4/personal_access_tokens/34991/rotate | jq
{
  "error": "invalid_token",
  "error_description": "Token was revoked. You have to re-authorize from the user."
}
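The two-step flow above, wrapped in a client that refuses to rotate an inactive token and surfaces the `invalid_token` body the old token gets afterwards. This is an added example, not code from the issue or from GitLab; the host, the `glpat-OLD` / `glpat-NEW...` values and the `FakeGitLab` responses are constructed so the flow can run offline, and `http_request` is the real transport for the same calls.

```python
"""Two-step PAT rotation via the GitLab REST API, as the issue describes it. Added example,
not from the issue or GitLab; host/token values are constructed, and `request` is any
callable (method, url, token) -> dict, so the same flow runs offline against FakeGitLab."""
import json
import urllib.error
import urllib.request

def http_request(method, url, token):
    """Real transport: PRIVATE-TOKEN header, as in the issue's curl calls."""
    req = urllib.request.Request(url, method=method, headers={"PRIVATE-TOKEN": token})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:  # 401 body carries error/error_description
        return json.load(err)

class RotationError(RuntimeError):
    pass

def rotate_self(base_url, old_token, request=http_request):
    """Step 1: GET /self for the token's ID; step 2: POST /<id>/rotate. The old token is
    revoked once step 2 succeeds, so persist record["token"] before anything else."""
    api = base_url.rstrip("/") + "/api/v4/personal_access_tokens"
    me = request("GET", f"{api}/self", old_token)
    if "error" in me:
        raise RotationError(f"lookup failed: {me.get('error_description', me['error'])}")
    if me.get("revoked") or not me.get("active", False):
        raise RotationError(f"token id {me['id']} is not active; refusing to rotate")
    new = request("POST", f"{api}/{me['id']}/rotate", old_token)
    if "error" in new or "token" not in new:
        raise RotationError(f"rotate failed: {new.get('error_description', new)}")
    return new

class FakeGitLab:
    """Constructed server stand-in mirroring the issue's responses (ids 34991 -> 34992 -> ...)."""
    def __init__(self):
        self.tokens = {"glpat-OLD": {"id": 34991, "name": "testrotation", "revoked": False,
                                     "active": True, "scopes": ["api"], "expires_at": "2023-10-28"}}
    def __call__(self, method, url, token):
        rec = self.tokens.get(token)
        if rec is None or rec["revoked"]:  # the 401 body the issue shows for the old token
            return {"error": "invalid_token", "error_description": "Token was revoked."}
        if method == "GET" and url.endswith("/self"):
            return dict(rec)
        if method == "POST" and url.endswith(f"/{rec['id']}/rotate"):
            rec["revoked"], rec["active"] = True, False  # one-shot: old token dies here
            new_tok = f"glpat-NEW{rec['id'] + 1}"
            self.tokens[new_tok] = dict(rec, id=rec["id"] + 1, revoked=False, active=True)
            return dict(self.tokens[new_tok], token=new_tok)
        return {"error": "not_found", "error_description": "404 Not Found"}
```

Because the old token is already revoked by the time the new value is returned, an automated rotation job should write the new token to its secret store before it reports success; a crash between the two leaves the process with no valid credential.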
Proposal
I propose introducing introspective endpoints for token rotation.
For example, rotation of a PAT with a single API call:
curl --silent -X POST --header "PRIVATE-TOKEN: <OLD_TOKEN>" https://gitlab.dell.com/api/v4/personal_access_tokens/self/rotate
Intended users
Token enjoyers
Thank you