How can I identify who pushed to a GitLab repository when a commit was made with a Personal Access Token? I'm interested in auditing the commits done to a shared repo.
When using a token to push to a GitLab repository, the remote origin URL has the following form:
https://user:token@repo/path
I noticed that the user part is irrelevant; the token is accepted regardless.
I'm not particularly fussy about the use of a personal access token - what other alternatives are there to authenticate users, without using their GitLab password?
My scenario involves a web UI to commit to a GitLab repository; being on a different system, I'd rather not demand the users trust the web UI with their GitLab password. OAuth seems overkill for this, but if it's the only option so be it.
I've solved this problem by using the GitLab API to validate the username.
In this specific instance, I've configured the web UI to get the username from the access token using the GitLab API and then use it as part of the commit message.
Python code:
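import gitlab

# token holds the personal access token supplied by the user
gl = gitlab.Gitlab('https://host', private_token=token)
# auth() validates the token and populates gl.user with the token's owner
gl.auth()
username = gl.user.attributes.get('username')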
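The approach in the answer above, sketched with only the standard library: this is an added example, not code from the original post. It resolves the token's owner through GitLab's `GET /api/v4/user` endpoint and writes the verified username into the commit message. The `Pushed-by` trailer, the function names, and the `fake_fetch` data are hypothetical names and constructed sample values.

```python
import json
import urllib.error
import urllib.request

TRAILER = "Pushed-by"  # hypothetical trailer name chosen for this example


def fetch_token_owner(host, token, timeout=10):
    """Ask GitLab which account the token belongs to (GET /api/v4/user)."""
    req = urllib.request.Request(f"{host}/api/v4/user",
                                 headers={"PRIVATE-TOKEN": token})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 401:  # invalid, expired or revoked token
            return None
        raise


def attributed_message(message, claimed_user, token, host, fetch=fetch_token_owner):
    """Return (commit message with verified trailer, claimed-name-mismatch flag)."""
    user = fetch(host, token)
    if user is None:
        raise PermissionError("GitLab rejected the token")
    owner = user["username"]
    # Drop any trailer the submitter typed themselves so it cannot be forged.
    kept = [line for line in message.splitlines()
            if not line.strip().lower().startswith(TRAILER.lower() + ":")]
    body = "\n".join(kept).rstrip()
    trailer = f"{TRAILER}: {owner} (GitLab user id {user['id']})"
    # The user part of https://user:token@repo/path is not checked by GitLab,
    # so a differing claimed name is only flagged for the audit log.
    mismatch = claimed_user is not None and claimed_user != owner
    return f"{body}\n\n{trailer}", mismatch


def fake_fetch(host, token):
    """Constructed stand-in for the API so the example runs offline."""
    users = {"tok-alice": {"id": 42, "username": "alice"}}
    return users.get(token)


if __name__ == "__main__":
    msg, mismatch = attributed_message("Fix typo\n\nPushed-by: bob", "bob",
                                       "tok-alice", "https://host", fake_fetch)
    print(msg, "| claimed name differs:", mismatch)
```

Recording the numeric user id next to the username keeps the audit trail usable if the account is later renamed.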