
Draft: Admin Token API: Revoke token


What does this MR do and why?

This commit adds an admin API for token revocation.

Adds a REST API that allows the following:

DELETE /api/v4/admin/token

Attribute | Type | Required | Description
--- | --- | --- | ---
token | string | Yes | Token that should be revoked.

Issue: #499958

🛠 with at Siemens

MR acceptance checklist

MR Checklist ( @nwittstruck)

How to set up and validate locally

  1. Enable the feature flag via rails c:

     Feature.enable(:admin_agnostic_token_finder)

  2. Create two new personal access tokens at https://gdk.test:3443/-/user_settings/personal_access_tokens:

     1. A personal access token with admin capabilities.
     2. A personal access token with limited capabilities that you want to revoke. You can also revoke the admin token if you'd like, however for testing I prefer to use separate tokens.

  3. Now you can revoke a token:

     curl -k --request DELETE \
       --url 'https://gdk.test:3443/api/v4/admin/tokens/self?token=<Token from Step 2.>' \
       --header 'Authorization: Bearer <Admin Token from Step 1.>' \
       --header 'Content-Type: application/json'
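As an added check that is not part of this MR: the script below performs the revocation from the curl above and then confirms the result the way a reviewer would, by verifying that the revoked token is rejected on GET /api/v4/user while the admin token still authenticates. The endpoint path follows the curl example; the 204 success status is an assumption, and the injectable `send` hook exists only so the check can be exercised without a running GDK.

```python
"""Revoke a token via the admin API, then confirm it is really dead."""
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable

# Defaults follow the curl example in the MR description (gdk.test is the GDK host).
GITLAB_URL = "https://gdk.test:3443"
REVOKE_PATH = "/api/v4/admin/tokens/self"  # assumption: same path as the curl above


def http_status(method: str, url: str, headers: dict) -> int:
    """Send a request and return the HTTP status; 4xx/5xx become a status, not an exception.
    TLS is verified here (no equivalent of curl -k), so the GDK certificate must be trusted."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def revoke_and_verify(admin_token: str, target_token: str,
                      send: Callable[[str, str, dict], int] = http_status,
                      base_url: str = GITLAB_URL) -> dict:
    """Revoke `target_token` as admin, then check that it no longer authenticates
    while the admin token still does. `send` is injectable for offline testing."""
    admin_hdr = {"Authorization": f"Bearer {admin_token}"}
    revoke_url = f"{base_url}{REVOKE_PATH}?token={urllib.parse.quote(target_token)}"
    revoke_status = send("DELETE", revoke_url, admin_hdr)

    # A revoked PAT must be rejected with 401; the admin PAT must still be accepted.
    target_status = send("GET", f"{base_url}/api/v4/user",
                         {"Authorization": f"Bearer {target_token}"})
    admin_status = send("GET", f"{base_url}/api/v4/user", admin_hdr)

    return {
        "revoke_status": revoke_status,
        "revoked_token_rejected": target_status == 401,
        "admin_token_still_valid": admin_status == 200,
        # Assumption: the endpoint answers 204 No Content on success like other GitLab DELETEs.
        "ok": revoke_status == 204 and target_status == 401 and admin_status == 200,
    }


if __name__ == "__main__":
    import os
    print(revoke_and_verify(os.environ["ADMIN_TOKEN"], os.environ["TARGET_TOKEN"]))
```

Run it with ADMIN_TOKEN and TARGET_TOKEN in the environment rather than on the command line, so neither token lands in shell history.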

TODOs

This is a draft, so a few things need to be done before this is finished:

  • Code: test not only PATs, but also DeployTokens and Feed Tokens
  • Code: use shared examples for specs
  • Decide: Should we add an allowlist or should we always allow all revocable tokens? If we want to support all revocable tokens, we need to make the ::Groups::DeployTokens::RevokeService Group-agnostic first. Otherwise, we can disallow this token type and do this later.

Related to #499958

Edited by 🤖 GitLab Bot 🤖
