Personal Access Token (PAT) Last Used IP Address Information
Hello
Context:
Personal Access Tokens are easy to leak accidentally, either by the user themselves, by a CI job, in source code, or even by a trusted third party. As a user, it is impossible to determine if another actor (e.g. a malicious party who discovered a leaked PAT) has used their PAT.
Proposal:
- MVP: Allow end users to see an IP address within the LastUsed section of a PAT. This will allow them to identify any unusual systems authenticating with their PAT.
- MVP+:
  - Show the "Last 7 days" of de-duplicated IP addresses & their connections.
  - Include other metadata such as user agent; this ensures that no log entry would be overwritten by simultaneous requests from the two users.
Not in this proposal:
- Full audit log of API actions for a given PAT (e.g. in https://gitlab.com/-/profile/audit_log)
- IP tracking on other tokens (Group Access Tokens, Project Access Tokens, etc)
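A sketch of the MVP+ behaviour described in the proposal, as an added example that is not GitLab code or part of the original issue: usage is recorded per (IP, user agent) pair, de-duplicated, and limited to the last 7 days. The class name `TokenUsageLog`, its methods, and the in-memory storage are assumptions made for illustration.

```ruby
# Hypothetical tracker, not GitLab code: one entry per distinct
# (IP, user agent) pair per token, kept for a 7-day window.
class TokenUsageLog
  WINDOW = 7 * 24 * 60 * 60 # seconds
  Entry = Struct.new(:ip, :user_agent, :first_seen, :last_seen, :hits)

  def initialize
    @entries = Hash.new { |h, token_id| h[token_id] = {} }
  end

  # Keying on [ip, user_agent] means two clients using the same token at the
  # same moment update separate entries instead of overwriting one field.
  def record(token_id, ip, user_agent, at)
    entry = (@entries[token_id][[ip, user_agent]] ||=
               Entry.new(ip, user_agent, at, at, 0))
    entry.first_seen = at if at < entry.first_seen
    entry.last_seen = at if at > entry.last_seen
    entry.hits += 1
    entry
  end

  # De-duplicated entries inside the window, most recent first.
  def recent(token_id, now)
    cutoff = now - WINDOW
    @entries[token_id].delete_if { |_key, e| e.last_seen < cutoff }
    @entries[token_id].values.sort_by(&:last_seen).reverse
  end

  # IPs seen in the window that the token owner does not recognise.
  def unfamiliar_ips(token_id, known_ips, now)
    recent(token_id, now).map(&:ip).uniq - known_ips
  end
end

# Constructed sample requests: documentation-range IPs, made-up user agents.
def demo
  now = Time.utc(2024, 1, 10, 12, 0, 0)
  log = TokenUsageLog.new
  log.record(1, "192.0.2.10", "git/2.43", now - 9 * 86_400) # older than 7 days
  log.record(1, "198.51.100.7", "curl/8.5", now - 3600)
  log.record(1, "198.51.100.7", "curl/8.5", now - 60)       # same pair again
  log.record(1, "198.51.100.7", "git/2.43", now - 45)       # same IP, new agent
  log.record(1, "203.0.113.99", "python-requests/2.31", now - 30)
  { recent: log.recent(1, now),
    unfamiliar: log.unfamiliar_ips(1, ["198.51.100.7"], now) }
end
```

With only a single "last used IP" field, the `203.0.113.99` request would have replaced every earlier value; here the owner still sees the familiar address alongside the unrecognised one.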