Resolve "Clarify call to action for expired active tokens" [RUN AS-IF-FOSS]
What does this MR do?
We add some visual clarification around expired personal access tokens:
- Add a clarifying description when revoke on expiration is not enforced.
- Move the Scopes column to right after the Name column.
- Only use the Primary Danger button for PATs that have expired, and use the Secondary Danger button for everything else.
Testing & Setup
- Run the following in `rails c` to create the access tokens:

```ruby
FactoryBot.definition_file_paths = [Rails.root.join('ee', 'spec', 'factories')]
FactoryBot.find_definitions
# Admin user
user = User.find_by_id(1)
# Create tokens
FactoryBot.create(:personal_access_token, user: user, expires_at: 1.days.ago) # Expired token
FactoryBot.create(:personal_access_token, user: user) # Active token
```

- View the personal access tokens page at `[GDK_HOST]/-/profile/personal_access_tokens`
Screenshots (strongly suggested)
Personal access tokens
Message displays when personal access token expiration is not enforced.
[Screenshots: Before | After (not enforced) | After (enforced)]
Project tokens
No visible change.
Impersonation tokens
No visible change.
Does this MR meet the acceptance criteria?
Conformity
- 📋 Does this MR need a changelog?
  - I have included a changelog entry.
  - I have not included a changelog entry because _____.
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
- Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- [-] Label as security and @ mention @gitlab-com/gl-security/appsec
- [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- [-] Security reports checked/validated by a reviewer from the AppSec team
Related to #222734 (closed)
Edited by Jiaan Louw