
[E2E] Do not reveal PAT during fabrication

John McDonnell requested to merge jmd/do-not-reveal-access-token into master

What does this MR do and why?

We shouldn't reveal the PAT during test execution to minimise the surface area for test PATs to be leaked if a screenshot/recording hits this page.

There's no need to reveal the token on our Access Token creation page, as .value is able to extract the token value even if the browser is rendering it with asterisks.

Screenshots or screen recordings

Screen_Recording_2023-09-08_at_17.14.43

How to set up and validate locally

Run some tests that hit the access token flow - perhaps an easy example is if you do not have a GITLAB_QA_ACCESS_TOKEN set, which leads the test to fabricate this resource on demand.

$ unset GITLAB_QA_ACCESS_TOKEN
$ unset GITLAB_QA_ADMIN_ACCESS_TOKEN
$ bundle exec rspec qa/specs/features/ee/browser_ui/10_govern/group/group_audit_logs_1_spec.rb:54

Note that with this change in place the test doesn't reveal the access token but still can use the value as required later in the test.
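As an added illustration of the pattern this MR relies on (the fabricated token stays usable by the test but never stringifies into logs, failure messages or console output), the following Ruby is example code, not the MR's or GitLab QA's own; the MaskedToken class, the redact helper and the sample token value are all constructed for this example.

```ruby
# Wraps a fabricated personal access token so that every implicit stringification
# (string interpolation, inspect, p, failure messages) shows only a masked form,
# while code that genuinely needs the raw value asks for it explicitly via #value.
class MaskedToken
  PREFIX_KEEP = 6 # keep a "glpat-" style prefix so the token type is still recognisable

  def initialize(secret)
    @secret = secret.dup.freeze
  end

  # Explicit accessor for the raw value, e.g. when building a PRIVATE-TOKEN header.
  def value
    @secret
  end

  # Masked rendering: prefix plus one asterisk per remaining character.
  def to_s
    hidden = [@secret.length - PREFIX_KEEP, 0].max
    "#{@secret[0, PREFIX_KEEP]}#{'*' * hidden}"
  end
  alias inspect to_s
end

# Scrubs any raw token that still ended up in free text (a captured request line,
# a test failure message) before that text is written to a log or report.
def redact(text, *tokens)
  tokens.reduce(text) { |out, token| out.gsub(token.value, token.to_s) }
end

# Constructed sample value, not a real token.
token = MaskedToken.new("glpat-ConstructedSampleValue0123")
puts "Fabricated access token: #{token}"          # masked in test output
headers = { "PRIVATE-TOKEN" => token.value }      # raw value only where it is needed
puts redact("PRIVATE-TOKEN: #{headers['PRIVATE-TOKEN']}", token)
```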

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by John McDonnell
