Add prefix to deploy tokens

Much like Personal Access Tokens with the glpat- prefix, adding a prefix to deploy tokens would make it easier for secret detection and incident response to be effective.

Proposal

Use the gldeploy- prefix for new deploy tokens.

This requires defining the prefix in the DeployToken model and then passing that prefix when the authenticated token field is declared through add_authentication_token_field.

Current add_authentication_token_field in DeployToken:

add_authentication_token_field :token, encrypted: :required

Proposed change (notice the new format_with_prefix argument):

TOKEN_PREFIX = "gldeploy-"

add_authentication_token_field :token, encrypted: :required, format_with_prefix: :gldeploy_token_prefix

# the prefix has to be wrapped in an instance method because the token formatter expects a method name
def gldeploy_token_prefix
  TOKEN_PREFIX
end
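To show why the prefix matters for secret detection and incident response, here is an added, self-contained Ruby example. It is not GitLab's TokenAuthenticatable concern and not code from this issue: PrefixedToken is a hypothetical stand-in for what format_with_prefix does (the 20-character random part is an assumption), and the log lines are constructed. The point it demonstrates is that once every deploy token starts with gldeploy-, a single pattern can find and redact leaked tokens in logs, CI output or commits, which an unprefixed random string cannot offer.

```ruby
require "securerandom"

# Hypothetical stand-in for prefix-formatted token generation (assumption: this
# is NOT GitLab's TokenAuthenticatable; it only mirrors the idea of a fixed prefix
# followed by a random part). RANDOM_LENGTH is a constructed value.
module PrefixedToken
  RANDOM_LENGTH = 20

  # Generate a token of the form "<prefix><random alphanumeric part>".
  def self.generate(prefix)
    "#{prefix}#{SecureRandom.alphanumeric(RANDOM_LENGTH)}"
  end

  # Cheap structural check: correct prefix and expected total length.
  def self.prefixed?(token, prefix)
    token.start_with?(prefix) && token.length == prefix.length + RANDOM_LENGTH
  end
end

# Detection side: the prefix gives secret scanners and log redaction a precise
# anchor. The regex length matches the constructed RANDOM_LENGTH above.
DEPLOY_TOKEN_PATTERN = /\bgldeploy-[A-Za-z0-9]{20}\b/

# Return every deploy-token-shaped string found in the text.
def find_deploy_tokens(text)
  text.scan(DEPLOY_TOKEN_PATTERN)
end

# Replace the random part so the prefix stays visible for triage but the
# secret itself is gone (useful for log shipping and incident write-ups).
def redact_deploy_tokens(text)
  text.gsub(DEPLOY_TOKEN_PATTERN, "gldeploy-[REDACTED]")
end

# Constructed sample log lines; the first leaks a (fake) deploy token in a
# clone URL, the second carries a credential without any prefix.
SAMPLE_LOG = <<~LOG
  2024-01-01T00:00:00Z git clone https://gitlab-deploy-token:gldeploy-abcdefghij1234567890@example.invalid/group/project.git
  2024-01-01T00:00:01Z registry login user=deploy password=secret-without-prefix
LOG

if __FILE__ == $PROGRAM_NAME
  token = PrefixedToken.generate("gldeploy-")
  puts "generated: #{token} (prefixed? #{PrefixedToken.prefixed?(token, 'gldeploy-')})"
  puts "found in log: #{find_deploy_tokens(SAMPLE_LOG).inspect}"
  puts redact_deploy_tokens(SAMPLE_LOG)
end
```

The second log line is not flagged, which is exactly the gap the prefix closes: without a known prefix, the only way to spot a deploy token in output is entropy heuristics, which are noisy and easy to miss.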

A note on the DeployToken spec (spec/models/deploy_token.rb)

There is a problem with the factory used to create the Deploy Token: if you simply call create(:deploy_token), it will not go through the TokenAuthenticatable concern to generate the token. The best way to test the DeployToken's token is to build a DeployToken instance and then save it, since saving generates the token through the TokenAuthenticatable concern, i.e.:

  describe '#token' do
    it 'has a prefix' do
      deploy_token = build(:deploy_token, token_encrypted: nil)
      deploy_token.save!

      expect(deploy_token.token).to include "gldeploy-"
    end
  end
Edited by Pam Artiaga