Draft: Admin Token API: Revoke token
What does this MR do and why?
This commit adds an admin API for token revocation.
Adds a REST API that allows the following:

```
DELETE /api/v4/admin/token
```

| Attribute | Type | Required | Description |
|---|---|---|---|
| token | string | Yes | Token that should be revoked. |
Issue: #499958
MR acceptance checklist
MR Checklist (@nwittstruck)

- Changelog entry added, if necessary
- Documentation created/updated via this MR
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Tested in all supported browsers
- Conforms to the code review guidelines
- Conforms to the merge request performance guidelines
- Conforms to the style guides
- Conforms to the javascript style guides
- Conforms to the database guides
How to set up and validate locally
- Enable the feature flag via `rails c`:

  ```ruby
  Feature.enable(:admin_agnostic_token_finder)
  ```

- You'll need to create two new personal access tokens: https://gdk.test:3443/-/user_settings/personal_access_tokens
  - A personal access token with admin capabilities.
  - A personal access token with limited capabilities that you want to revoke. You can also revoke the admin token if you'd like, however for testing I prefer to use separate tokens.

- Now you can revoke a token:

  ```shell
  curl -k --request DELETE \
    --url 'https://gdk.test:3443/api/v4/admin/tokens/self?token=<Token from Step 2.>' \
    --header 'Authorization: Bearer <Admin Token from Step 1.>' \
    --header 'Content-Type: application/json'
  ```
TODOs
This is a draft, so a few things need to be done before this is finished:
- Code: test not only PATs, but also DeployTokens and Feed Tokens
- Code: use shared examples for specs
- Decide: Should we add an allowlist or should we always allow all revocable tokens? If we want to support all revocable tokens, we need to make the `::Groups::DeployTokens::RevokeService` Group-agnostic first. Otherwise, we can disallow this token type and do this later.
Related to #499958
Edited by 🤖 GitLab Bot 🤖
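The "allowlist vs. all revocable tokens" question in the TODOs and the token-agnostic finder behind the feature flag can be illustrated with a small model. The following is an added example and is not code from this MR or from GitLab: it assumes a prefix-to-type mapping (`glpat-`, `gldt-`, `glft-`), an in-memory `TokenStore` that keeps only SHA-256 digests, an `audit_log` that records a digest prefix rather than the token, and HTTP status codes chosen for the example rather than taken from the MR. Deploy tokens are left out of the default allowlist to mirror the option of disallowing that type until a group-agnostic revoke service exists; passing a wider `allowlist:` shows the "allow everything revocable" alternative.

```ruby
require 'digest'

# Assumed mapping from token prefix to token type (constructed for this
# example; the real finder behind admin_agnostic_token_finder is not shown).
TOKEN_PREFIXES = {
  'glpat-' => :personal_access_token,
  'gldt-'  => :deploy_token,
  'glft-'  => :feed_token
}.freeze

# Default allowlist: deploy tokens are excluded until a group-agnostic revoke
# service exists, mirroring the "allowlist vs. all revocable tokens" question.
REVOCABLE_TYPES = %i[personal_access_token feed_token].freeze

# In-memory stand-in for the token tables. Keys are SHA-256 digests, so a dump
# of the store never contains a usable secret.
class TokenStore
  attr_reader :audit_log

  def initialize
    @tokens = {}
    @audit_log = []
  end

  def issue(type, raw)
    @tokens[digest(raw)] = { type: type, revoked: false }
    raw
  end

  def find(raw)
    @tokens[digest(raw)]
  end

  def revoke!(raw, actor:)
    record = @tokens.fetch(digest(raw))
    record[:revoked] = true
    # The audit entry carries the type and a short digest prefix, never the token.
    @audit_log << { actor: actor, type: record[:type], token_ref: digest(raw)[0, 8] }
  end

  private

  def digest(raw)
    Digest::SHA256.hexdigest(raw)
  end
end

# Returns the token type for a raw token string, or nil if no prefix matches.
def token_type_for(raw)
  TOKEN_PREFIXES.each { |prefix, type| return type if raw.start_with?(prefix) }
  nil
end

# Models the endpoint handler and returns [http_status, body]. The status
# codes are an assumption of this example, not the MR's API contract.
def revoke_token(store, raw, actor: 'admin', allowlist: REVOCABLE_TYPES)
  return [400, { error: 'token is required' }] if raw.nil? || raw.empty?

  type = token_type_for(raw)
  return [404, { error: 'token not found' }] if type.nil?
  return [422, { error: "#{type} is not revocable via this endpoint" }] unless allowlist.include?(type)

  record = store.find(raw)
  return [404, { error: 'token not found' }] if record.nil? || record[:type] != type
  return [204, {}] if record[:revoked] # revoking twice is a no-op

  store.revoke!(raw, actor: actor)
  [204, {}]
end

if __FILE__ == $PROGRAM_NAME
  store = TokenStore.new
  pat = store.issue(:personal_access_token, 'glpat-constructed-example')
  puts revoke_token(store, pat).inspect # [204, {}]
  puts store.audit_log.inspect
end
```

Two behaviours worth keeping when the real endpoint is written: a second revocation of the same token returns the same success status, so clients can retry safely, and the audit entry is written by the store on the actual revocation rather than by the handler, so it cannot be skipped by an early return.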