Skip to content

Add PAT automatic reuse detection in AuthFinders

Imre Farkas requested to merge if-395352-pat_automatic_reuse_detection into master

What does this MR do and why?

Adds automatic reuse detection for personal access tokens. When a rotated (and thus revoked) token is used, the latest and still active token is automatically revoked with this feature.

This is limited to the API. We will need to add it to git+HTTP auth in a follow-up.

The documentation for the feature is going to be added in a separate MR.

Related to #395352 (closed).

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before After

How to set up and validate locally

  1. create a personal access token
  2. rotate the personal access token
  3. confirm the new token works by querying any API endpoint requiring authentication
  4. make another request to the API, but authenticate with the old token this time
  5. expectation: the new token no longer works

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Imre Farkas

Merge request reports

Loading