Add PAT automatic reuse detection in AuthFinders
What does this MR do and why?
Adds automatic reuse detection for personal access tokens. When a rotated (and thus revoked) token is used, the latest and still active token is automatically revoked with this feature.
This is limited to the API. We will need to add it to git+HTTP auth in a follow-up.
The documentation for the feature is going to be added in a separate MR.
Related to #395352 (closed).
How to set up and validate locally
- create a personal access token
- rotate the personal access token
- confirm the new token works by querying any API endpoint requiring authentication
- make another request to the API, but authenticate with the old token this time
- expectation: the new token no longer works
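The validation steps above, modelled in Ruby as an added example (written for this description, not GitLab's own implementation): tokens are linked by an assumed previous_token_id field so that a revoked token's rotation chain can be walked to its newest active successor, which is revoked when the old token is presented.

```ruby
# Added example, not the MR's code: in-memory model of PAT rotation and
# automatic reuse detection. TokenStore and previous_token_id are assumptions.
require 'securerandom'

Token = Struct.new(:id, :value, :previous_token_id, :revoked, keyword_init: true)

class TokenStore
  def initialize
    @tokens = {}
    @next_id = 0
  end

  # Issue a fresh token; previous_token_id links it to the token it replaces.
  def create(previous_token_id: nil)
    @next_id += 1
    token = Token.new(id: @next_id, value: SecureRandom.hex(10),
                      previous_token_id: previous_token_id, revoked: false)
    @tokens[token.id] = token
  end

  # Rotation: revoke the old token and issue a successor linked to it.
  def rotate(token)
    token.revoked = true
    create(previous_token_id: token.id)
  end

  # Authentication as the API auth finder would see it. Presenting a revoked
  # token counts as reuse: the newest still-active successor is revoked too.
  # Returns the token on success, nil on failure.
  def authenticate(value)
    token = @tokens.values.find { |t| t.value == value }
    return nil unless token
    if token.revoked
      latest = latest_active_successor(token)
      latest.revoked = true if latest
      return nil
    end
    token
  end

  private

  # Follow the rotation chain forward to the most recent token in it.
  def latest_active_successor(token)
    current = token
    loop do
      successor = @tokens.values.find { |t| t.previous_token_id == current.id }
      break if successor.nil?
      current = successor
    end
    current.revoked ? nil : current
  end
end
```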
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Imre Farkas