Hi everyone,
I’m using an on-prem GitLab 15.10.4, somewhat recently upgraded from 14.x, and am not only storing source code in projects, but have lots of additional individual projects storing deployments of my product for customers as well. Those deployments contain mostly binary files like EXEs, DLLs, JARs and especially customized configs, templates etc. Some of the projects have special access tokens configured to give the customers themselves read-only access to download their deployment using a web browser or some Git client and specially crafted URLs like in the following examples:
- https://_token_customer_reader:PASSWD@SERVER/ORG/bin/releases/CUSTOMER-1.git
- https://SERVER/api/v4/projects/138/repository/archive.zip?private_token=PASSWD&sha=prod
I needed to create additional access tokens right now, created a new Git URL based on a copy of an existing one, replaced the password of the access token, but by accident forgot to change the name of the Git repo in the URL as well. However, cloning the repo succeeded, while I would have expected it to fail, because the access token wasn’t configured for the repo in the URL. I’ve tested multiple other configurations and ANY created access token seems to provide read-only access to ALL repos in GitLab, regardless of whether they have access tokens configured at all. OTOH, if the token in the URL is wrong, e.g. because I changed the last character or added some random character or the like, access to repos is forbidden as expected:
remote: HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password.
Is that behaviour by design?
I would have expected wrong access tokens for wrong projects to result in denied access, like for overall wrong access tokens because of changed characters. Of course I don’t want customers to see all other projects only because they get one access token, which should be restricted to one project. I’m additionally somewhat sure I have tested this months before in the old GitLab when introducing this approach and things worked as expected. I mean, the name is “project access token”, and the docs regularly mention phrases like project scope and stuff.
Might there be some mis-configuration, possibly because of the update?
I didn’t do that myself; maybe some system-wide settings have been reset or whatever.
Or am I simply misunderstanding how those tokens work?
Thanks for your help!
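To answer the question for a given token empirically, here is an added audit script (not from the post and not GitLab's own tooling): it asks the GitLab API which of a list of projects a token can read and reports every project beyond the one the token was issued for, together with each project's visibility. The server name, token and project paths are placeholders; the demo fetcher and its responses are constructed so the script runs offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


def http_get(url, token):
    """Real fetcher: GET url authenticated via the PRIVATE-TOKEN header.
    Returns (HTTP status, response body as text)."""
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def probe_projects(server, token, project_paths, fetch=http_get):
    """For each project path ('ORG/bin/releases/CUSTOMER-1'), call
    GET /api/v4/projects/:id with the token. Returns
    {path: (readable, visibility)}; visibility comes from the API JSON."""
    results = {}
    for path in project_paths:
        url = f"{server}/api/v4/projects/{urllib.parse.quote(path, safe='')}"
        status, body = fetch(url, token)
        if status == 200:
            results[path] = (True, json.loads(body).get("visibility"))
        else:
            results[path] = (False, None)  # 401/403/404: not readable
    return results


def unexpected_access(results, intended):
    """Projects the token can read although it was issued for `intended`."""
    return sorted(p for p, (ok, _) in results.items() if ok and p != intended)


def demo_fetch(url, token):
    """Constructed offline stand-in for http_get (hypothetical responses)."""
    if "CUSTOMER-1" in url:
        return 200, '{"visibility": "private"}'
    if "CUSTOMER-2" in url:
        return 200, '{"visibility": "internal"}'
    return 404, '{"message": "404 Project Not Found"}'


if __name__ == "__main__":
    paths = ["ORG/bin/releases/CUSTOMER-1", "ORG/bin/releases/CUSTOMER-2", "ORG/secret"]
    found = probe_projects("https://SERVER", "PASSWD", paths, fetch=demo_fetch)
    print(found)
    print("over-reach:", unexpected_access(found, "ORG/bin/releases/CUSTOMER-1"))
```

Drop `fetch=demo_fetch` to run it against a real instance; comparing the `visibility` of any over-reached projects with the intended one is the first thing to look at.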