
Draft: MVC for advanced scoped tokens

What does this MR do and why?

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

It adds a new field when creating personal access tokens:

[Screenshots: the new Advanced scopes field on the personal access token form]

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. In the Rails console, enable the experiment for a selected user (this example uses the user with id 1, typically root):
    user = User.find(1)
    Feature.enable(:advanced_token_scopes, user)
  2. While logged in as that user, visit the personal access token page: http://127.0.0.1:3000/-/user_settings/personal_access_tokens
  3. Click the Add new token button.
  4. Enter example regexps for the token in the Advanced scopes textbox, one rule per line, such as:
    ^GET$|^POST$ ^/api/v4/projects/9/issues$
    ^GET$ ^/api/v4/projects/9/issues/\d*$
  5. Validate that the token only has access to what the regexps permit. For example, with the rules above this request is allowed:
    curl -H "Authorization: Bearer YOUR_PAT" \
     -X GET "http://127.0.0.1:3000/api/v4/projects/9/issues"
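To show how the rules in step 4 constrain a request, here is an added example (illustrative code, not the implementation in this MR or anywhere in GitLab). It assumes the rule format seen above: one rule per line, a method regexp, then whitespace, then a path regexp, with a request allowed when any rule matches both parts. It also flags patterns that are not anchored, since those over-match.

```ruby
# Added example: evaluate "advanced scope" rules of the form
# "<method regex> <path regex>" (one rule per line) against a request.
# Illustrative only; the rule format is assumed from the MR description.

# The two example rules from step 4 (constructed sample input).
ADVANCED_SCOPES = <<~RULES
  ^GET$|^POST$ ^/api/v4/projects/9/issues$
  ^GET$ ^/api/v4/projects/9/issues/\\d*$
RULES

Rule = Struct.new(:method_re, :path_re)

# Parse one rule per non-empty line; the first run of whitespace
# separates the method pattern from the path pattern.
def parse_advanced_scopes(text)
  text.lines.map(&:strip).reject(&:empty?).map do |line|
    method_src, path_src = line.split(/\s+/, 2)
    raise ArgumentError, "rule needs method and path: #{line.inspect}" unless path_src
    Rule.new(Regexp.new(method_src), Regexp.new(path_src))
  end
end

# Simple heuristic: a pattern not anchored at both ends over-matches
# (e.g. "GET" also matches "TARGET", "/issues" matches "/issues/42/notes").
# Note that in Ruby ^ and $ are line anchors; \A and \z are stricter.
def unanchored?(regexp)
  src = regexp.source
  !(src.start_with?('^') && src.end_with?('$'))
end

# A request is permitted when at least one rule matches both its method
# and its path; the query string is not part of the path comparison.
def permitted?(rules, method, path)
  path = path.split('?', 2).first
  rules.any? { |r| r.method_re.match?(method) && r.path_re.match?(path) }
end

RULES_PARSED = parse_advanced_scopes(ADVANCED_SCOPES)

if __FILE__ == $PROGRAM_NAME
  [%w[GET /api/v4/projects/9/issues], %w[DELETE /api/v4/projects/9/issues],
   %w[GET /api/v4/projects/10/issues], %w[GET /api/v4/projects/9/issues/42]].each do |m, p|
    puts "#{m} #{p}: #{permitted?(RULES_PARSED, m, p) ? 'allowed' : 'denied'}"
  end
end
```

Note that `\d*` also matches the empty string, so the second rule admits `/api/v4/projects/9/issues/` with a trailing slash; use `\d+` if that is not intended.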
Edited by Félix Veillette-Potvin
