This repository was archived by the owner on Mar 13, 2025. It is now read-only.

[$250] Prod - Gitlab tokens expiring in 24 hours #447

Closed
jmgasper opened this issue May 19, 2022 · 15 comments

Comments

@jmgasper
Collaborator

jmgasper commented May 19, 2022

We're seeing this happen in prod, but only recently. The Gitlab tokens assigned to a copilot are only lasting about 24 hours (or less). I'm having to go in and renew my token every day. I'm wondering if Gitlab changed something related to token expiration that we need to investigate.

@jmgasper
Collaborator Author

Challenge https://www.topcoder.com/challenges/2740929e-85b2-4e20-bc4f-dab25eab5464 has been created for this ticket.

This is an automated message for ghostar via Topcoder X

@jmgasper
Collaborator Author

@afrisalyp - Any interest in this one?

@gets0ul
Collaborator

gets0ul commented May 23, 2022

GitLab changed how they treat OAuth access tokens that don't expire.
OAuth tokens without an expiration are no longer supported: https://docs.gitlab.com/ee/integration/oauth_provider.html#expiring-access-tokens

Now, access tokens expire in two hours: https://docs.gitlab.com/ee/update/deprecations.html#oauth-tokens-without-expiration

jmgasper changed the title from "[$50] Prod - Gitlab tokens expiring in 24 hours" to "[$250] Prod - Gitlab tokens expiring in 24 hours" on May 23, 2022

@jmgasper
Collaborator Author

@gets0ul - Ok, interesting. Can we update the processor to renew them when necessary?

@jmgasper
Collaborator Author

Challenge https://www.topcoder.com/challenges/2740929e-85b2-4e20-bc4f-dab25eab5464 has been assigned to gets0ul.

This is an automated message for ghostar via Topcoder X

@gets0ul
Collaborator

gets0ul commented May 24, 2022

To be able to renew the access token in processor, we need to add the gitlab client id and secret in the topcoder-x-processor itself, is that fine?

@jmgasper
Collaborator Author

Yes, we'll just make that configurable

@52cs
Collaborator

52cs commented May 24, 2022

> To be able to renew the access token in processor, we need to add the gitlab client id and secret in the topcoder-x-processor itself, is that fine?

@gets0ul @jmgasper
An alternative way is to reuse the renew and revoke logic in src/front/src/app/settings/settings.html, which calls the API in the topcoder-x-ui server.
You can reuse the logic in the topcoder-x-ui server instead of rewriting it in topcoder-x-process.
This way, only a wrapper needs to be written.
Use setTimeout to renew the access_token with the refresh_token before it expires.

This way, it seems there is no need to notify the copilot by email to renew the access_token. #444

@jmgasper
Collaborator Author

@52cs - Thanks for that - that would also work. I would still like to have the email notification, as a backup.

@gets0ul
Collaborator

gets0ul commented May 25, 2022

@jmgasper So for this expired gitlab token situation, how do you want it to be done?
Every 2 hours the token expires, an email is sent to notify (done in #444),
and the user goes to topcoder-x-ui to refresh the token. Is that right?

@52cs
Collaborator

52cs commented May 25, 2022

@gets0ul You could make it refresh at 1 hour 50 min with the refresh_token automatically.

@gets0ul
Collaborator

gets0ul commented May 25, 2022

@52cs Yeah, that's why I want to confirm whether we want the user to refresh the token manually by clicking the button in settings, or automatically.

@52cs
Collaborator

52cs commented May 25, 2022

@gets0ul But the logic is different.
The user needs to be informed, interact with the frontend and be redirected to the login page to refresh the token.
But the backend will enumerate the User table in the database, query every user in it, one by one, and refresh with the refresh_token stored in its row, query, update, periodically.

I think we must implement the automatic logic. 2 hours is too short. The copilot will be informed and click the button every 2 hours.
I believe automatic refresh token is what Gitlab recommended.
Anyway, you may change the setting of the default 2 hours to make it longer.

Last, the revoke functionality must be preserved and maintained correspondingly.
When the copilot wants to log out, he can revoke his token, and his token will not be refreshed automatically afterward.

@jmgasper
Collaborator Author

@gets0ul - Ideally, the token refresh would happen automatically - we don't want to make the copilots go to the site every 2 hours. If the token refresh fails, for some reason, then we can send out the notification email, as a backup.
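
The automatic renewal discussed in this thread (renew shortly before the two-hour expiry, skip revoked users, fall back to the email notification on failure), as an added example that is not part of the thread or of the topcoder-x code. The user-record fields, `cfg` keys and function names are assumptions; `POST /oauth/token` with `grant_type=refresh_token` is GitLab's documented refresh call.

```javascript
// Added example, not topcoder-x code. Field names on the user record
// (accessToken, refreshToken, expiresAt, revoked) and cfg keys are assumptions.
const REFRESH_MARGIN_MS = 10 * 60 * 1000; // renew 10 min early, i.e. at ~1h50m

// Due when the token expires within the margin; revoked users are never renewed.
function isDue(user, now) {
  return !user.revoked && Boolean(user.refreshToken) &&
    user.expiresAt - now <= REFRESH_MARGIN_MS;
}

// Form body for GitLab's POST /oauth/token refresh grant.
function buildRefreshBody(user, cfg) {
  return new URLSearchParams({
    grant_type: 'refresh_token',
    refresh_token: user.refreshToken,
    client_id: cfg.clientId,
    client_secret: cfg.clientSecret, // load from config/env, keep out of source control
    redirect_uri: cfg.redirectUri,
  });
}

// GitLab invalidates the old access and refresh tokens on every refresh, so both
// new values must be stored together or the next renewal fails.
function applyTokenResponse(user, body, now) {
  if (!body.access_token || !body.refresh_token) throw new Error('incomplete token response');
  return { ...user, accessToken: body.access_token, refreshToken: body.refresh_token,
    expiresAt: now + body.expires_in * 1000 };
}

// Default transport (Node 18+ global fetch); callers may inject a replacement.
async function postToken(cfg, form) {
  const res = await fetch(`${cfg.baseUrl}/oauth/token`, { method: 'POST', body: form });
  if (!res.ok) throw new Error(`token endpoint returned ${res.status}`);
  return res.json();
}

// One pass over the user table: renew what is due, notify on failure as a backup.
async function refreshDueTokens(users, cfg, now, { post = postToken, notify = () => {} } = {}) {
  const out = [];
  for (const user of users) {
    if (!isDue(user, now)) { out.push(user); continue; }
    try {
      out.push(applyTokenResponse(user, await post(cfg, buildRefreshBody(user, cfg)), now));
    } catch (err) {
      notify(user, err.message); // report the reason, never the token values
      out.push(user);
    }
  }
  return out;
}
```

Each returned record has to be written back to the database before the next pass, since the previous refresh token no longer works once GitLab has issued a new one.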

@jmgasper
Collaborator Author

Payment task has been updated: https://www.topcoder.com/challenges/2740929e-85b2-4e20-bc4f-dab25eab5464
Payments Complete
Winner: gets0ul
Challenge 2740929e-85b2-4e20-bc4f-dab25eab5464 has been paid and closed.

This is an automated message for ghostar via Topcoder X

jmgasper added this to the Version 1.2.2 milestone on Jun 22, 2022