Only expose `id` and `name` attributes when serializing deploy token

To improve security. Previously we were exposing `token` and `encrypted_token` attributes. Changelog: security

Only expose `id` and `name` attributes when serializing deploy token
To improve security. Previously we were exposing `token` and `encrypted_token` attributes. Changelog: security
b893d583 · peterhegman · 1c9796da · b893d583 · b893d583 · b893d583
Commit b893d583 authored Feb 24, 2022 by peterhegman
6 changed files
--- a/app/assets/javascripts/deploy_tokens/components/revoke_button.vue
+++ b/app/assets/javascripts/deploy_tokens/components/revoke_button.vue
@@ -17,9 +17,6 @@ export default {
    revokePath: {
      default: '',
    },
-    buttonClass: {
-      default: '',
-    },
  },
  computed: {
    modalId() {
@@ -38,10 +35,9 @@ export default {
  <div>
    <gl-button
      v-gl-modal="modalId"
-      :class="buttonClass"
      category="primary"
      variant="danger"
-      class="float-right"
+      class="gl-float-right"
      data-testid="revoke-button"
      >{{ s__('DeployTokens|Revoke') }}</gl-button
    >

--- a/app/assets/javascripts/deploy_tokens/init_revoke_button.js
+++ b/app/assets/javascripts/deploy_tokens/init_revoke_button.js
@@ -9,14 +9,13 @@ export default () => {
  }

  return containers.forEach((el) => {
-    const { token, revokePath, buttonClass } = el.dataset;
+    const { token, revokePath } = el.dataset;

    return new Vue({
      el,
      provide: {
        token: JSON.parse(token),
        revokePath,
-        buttonClass,
      },
      render(h) {
        return h(RevokeButton);

--- a/app/helpers/deploy_tokens_helper.rb
+++ b/app/helpers/deploy_tokens_helper.rb
@@ -16,4 +16,11 @@ module DeployTokensHelper
    Gitlab.config.packages.enabled &&
      can?(current_user, :read_package, group_or_project)
  end
+
+  def deploy_token_revoke_button_data(token:, group_or_project:)
+    {
+      token: token.to_json(only: [:id, :name]),
+      revoke_path: revoke_deploy_token_path(group_or_project, token)
+    }
+  end
 end
--- a/app/views/shared/deploy_tokens/_table.html.haml
+++ b/app/views/shared/deploy_tokens/_table.html.haml
@@ -25,7 +25,7 @@
                %span.token-never-expires-label= _('Never')
            %td= token.scopes.present? ? token.scopes.join(', ') : _('no scopes selected')
            %td
-              .js-deploy-token-revoke-button{ data: { button_class: 'float-right', token: token.to_json, revoke_path: revoke_deploy_token_path(group_or_project, token) } }
+              .js-deploy-token-revoke-button{ data: deploy_token_revoke_button_data(token: token, group_or_project: group_or_project) }

 - else
  .settings-message.text-center

--- a/spec/frontend/deploy_tokens/components/revoke_button_spec.js
+++ b/spec/frontend/deploy_tokens/components/revoke_button_spec.js
@@ -70,11 +70,6 @@ describe('RevokeButton', () => {
        expect(findRevokeButton().exists()).toBe(true);
      });

-      it('passes the buttonClass to the button', () => {
-        wrapper = createComponent({ buttonClass: 'my-revoke-button' });
-        expect(findRevokeButton().classes()).toContain('my-revoke-button');
-      });
-
      it('opens the modal', () => {
        findRevokeButton().trigger('click');
        expect(glModalDirective).toHaveBeenCalledWith(wrapper.vm.modalId);

--- a/spec/helpers/deploy_tokens_helper_spec.rb
+++ b/spec/helpers/deploy_tokens_helper_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe DeployTokensHelper do
+  describe '#deploy_token_revoke_button_data' do
+    let_it_be(:token) { build(:deploy_token) }
+    let_it_be(:project) { build(:project) }
+    let_it_be(:revoke_deploy_token_path) { '/foobar/baz/-/deploy_tokens/1/revoke' }
+
+    it 'returns expected hash' do
+      expect(helper).to receive(:revoke_deploy_token_path).with(project, token).and_return(revoke_deploy_token_path)
+
+      expect(helper.deploy_token_revoke_button_data(token: token, group_or_project: project)).to match({
+        token: token.to_json(only: [:id, :name]),
+        revoke_path: revoke_deploy_token_path
+      })
+    end
+  end
+end