glab auth login workflow changes #14
Description
By profclems,
I opened this issue #233 as a feature request to create better authentication between
glaband GitLab and also, dynamically create access token for users directly using their username and password.
However, GitLab currently does not support creating an access token using the GitLab API. Access tokens can only be created on GitLab's web UI.
There is an issue on this. A merge request was created to resolve this but it was closed in favour of this comment:
It makes sense that this API is restricted to admin users, since it can be used by a malicious third-party application to preserve access even after a revoke:
User gives token PAT-1 to application
Application accesses personal access tokens API to create token PAT-2
User revokes PAT-1
Application can still access the API using PAT-2
GitLab also allows creating impersonation token but this operation is limited to only admins https://docs.gitlab.com/ce/api/users.html#create-an-impersonation-token
For this reason, glab will only allow authentication via personal access tokens. The users are supposed to create the access token with these minimum scopes [api, write_repository]. GitLab docs on the scopes can be found here
glab must validate the token and ensure it has the minimum scopes.
The authentication flow using glab auth login command changes to:
$ glab login
? Which instance do you want to log in? [Use arrows to move, type to filter]
GitLab.com
> GitLab Self Hosted
# if self-hosted is selected, ask for hostname
? Hostname: gitlab.example.com
? Token: xxxxx
- Verifying token ...
✓ Authenticated successfullySuggested Flags
-h, --hostname The hostname of the GitLab instance to authenticate with. Will not be prompted for hosted if specified
-w, --with-token Read token from standard inputReferences:
https://gitlab.com/gitlab-org/gitlab/-/issues/17176
https://gitlab.com/gitlab-org/gitlab/-/issues/17176#note_214950031
https://gitlab.com/gitlab-org/gitlab/-/merge_requests/37703
Last updated: 2020-10-25T11:40:23.000Z