Disable Personal Access Tokens in FIPS mode
What does this MR do and why?
Fixes #351350 (closed)
Describe in detail what your merge request does and why.
This MR disables the use of Personal Access Tokens of all types, including user PATs, group access tokens, project access tokens and impersonation tokens. Existing tokens will still exist in the database but cannot be used. This ensures the enablement/disablement are reversible. In the future we may implement a mechanism to revoke all existing PATs.
A subsequent MR (!98702 (merged)) will block creation of all PAT types.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
This change disabled PAT authentication for all types - personal, group and projects.
How to set up and validate locally
- Enable FIPS mode in your instance. For GDK:
FIPS_MODE=1 gdk restart
- Create a personal access token via user profile -> Access Tokens.
- Attempt to use the token. You will receive access denied.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.