[BUG] Fork Needs to Save GitLab Personal Authentication Tokens

[luxlogica]

GitLab generates a personal authentication token, and displays it ONLY ONCE - to allow you to copy+paste it into the app that needs to use it. GitLab assumes that, for security reasons, the app is going to save the token for future use - and NOT ask the user again, every time it needs to use it.

Right now, however, if I 'log out' of my GitLab account in Fork, and then click on 'login' again, it will ask me for the personal authentication token - again. There is no way for the user to 'view' the old token in GitLab, so the user is forced to delete the old token (which is now useless), and create a new one again. This has to be done every time a user logs out from GitLab with Fork, and needs to login back with Fork - extremely inconvenient, and basically forces GitLab users to use 'basic authentication' instead...

[luong-komorebi]

You are asking to compromise security for convenience. There is a reason Gitlab told you to save your tokens somewhere because it won't be displayed again. And if you say that Fork must be the application to "save" that token, I would have to disagree with you. This is a password-manager's job, not Fork's job. Displaying these tokens make Fork a potential target for attackers.

basically forces GitLab users to use 'basic authentication' instead

I don't know where you get the statistics to prove that, but I am a Gitlab user and I am totally fine with the current way Fork handle tokens.

[DanPristupov]

That's the correct behavior. The personal token must be unique for each session. This allows user to revoke a particular session if the token was compromised.

P.S. Since we are here, currently there's a problem in Fork with GitLab integration, because GitLab had changed their API and I didn't implement the support in time. I'm working on the fix now.

[luxlogica]

Just to be clear: I was never suggesting that Fork should SHOW the saved token. Rather, I was suggesting that - just the same as Tower - it should SAVE it for future reuse (as there are a myriad of ways to save tokens securely, just as luongvo209's password-manager app does).

Right now, the options for the user are:

• manually get a new personal token from GitLab every time we need to login, OR
• save the token in an external app (such as a password-manager), OR
• manually save the token somewhere else for reuse, OR
• just login using Basic Authentication instead.

Once again: note that other apps - like Tower - save the token securely for reuse (and they do NOT display it to the user).