[E2E] Do not reveal PAT during fabrication
What does this MR do and why?
We shouldn't reveal the PAT during test execution to minimise the surface area for test PATs to be leaked if a screenshot/recording hits this page.
There's no need to reveal the token on our Access Token creation page, as `.value` is able to extract the token value even if the browser is rendering it with asterisks.
Screenshots or screen recordings
Screen_Recording_2023-09-08_at_17.14.43
How to set up and validate locally
Run some tests that hit the access token flow - perhaps an easy example is if you do not have a GITLAB_QA_ACCESS_TOKEN set, which leads the test to fabricate this resource on demand.
```shell
$ unset GITLAB_QA_ACCESS_TOKEN
$ unset GITLAB_QA_ADMIN_ACCESS_TOKEN
$ bundle exec rspec qa/specs/features/ee/browser_ui/10_govern/group/group_audit_logs_1_spec.rb:54
```
Note that with this change in place the test doesn't reveal the access token but still can use the value as required later in the test.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.