Add prefix to User#static_object_token

A static_object_token is generated in User. As defense in depth we should add a static prefix to these, to enable easier detection if an admin / user accidentally leaks the secrets. This is not a vulnerability.

app/models/user.rb:78:3: C: Gitlab/TokenWithoutPrefix: Tokens should be prefixed. See doc/development/secure_coding_guidelines.md#token-prefixes for more information.
  add_authentication_token_field :static_object_token, encrypted: :optional
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
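
As an added illustration of why the prefix helps detection (this is not GitLab's code; the `glsot-` prefix, the helper names and the sample log are assumptions), a prefixed token next to a scanner that flags it in a constructed log while leaving look-alike hex strings alone:

```ruby
require 'securerandom'

# Hypothetical prefix for illustration only; the issue page does not give
# the prefix GitLab chose for static_object_token.
STATIC_OBJECT_TOKEN_PREFIX = 'glsot-'
TOKEN_BODY_LENGTH = 20

# Stand-in for a prefixed token generator (not GitLab's
# add_authentication_token_field): fixed marker + random alphanumeric body.
def generate_static_object_token(prefix: STATIC_OBJECT_TOKEN_PREFIX)
  prefix + SecureRandom.alphanumeric(TOKEN_BODY_LENGTH)
end

# The fixed prefix gives secret scanners and log monitors a high-confidence
# pattern; a bare 20-char random string would be indistinguishable from
# asset hashes, request ids and similar noise.
STATIC_OBJECT_TOKEN_REGEX =
  /\b#{Regexp.escape(STATIC_OBJECT_TOKEN_PREFIX)}[A-Za-z0-9]{#{TOKEN_BODY_LENGTH}}\b/

# Scan text (log lines, a diff, a pasted config) and return [line_no, token]
# pairs for every suspected leak.
def find_leaked_tokens(text)
  text.each_line.with_index(1).flat_map do |line, lineno|
    line.scan(STATIC_OBJECT_TOKEN_REGEX).map { |tok| [lineno, tok] }
  end
end

# Redact matches so a finding can be reported without re-leaking the secret;
# the prefix plus a few characters is enough to identify the token type.
def redact_tokens(text)
  text.gsub(STATIC_OBJECT_TOKEN_REGEX) do |tok|
    tok[0, STATIC_OBJECT_TOKEN_PREFIX.length + 4] + '...'
  end
end

# Constructed sample log: line 1 leaks a prefixed token, line 2 is an asset
# fingerprint, line 3 is an unprefixed token that looks just like line 2.
SAMPLE_LOG = <<~LOG
  2024-01-01T10:00:00Z GET /archive.zip?token=glsot-Ab12Cd34Ef56Gh78Ij90 200
  2024-01-01T10:00:01Z GET /assets/app-0123456789abcdef0123.js 200
  2024-01-01T10:00:02Z GET /archive.zip?token=0123456789abcdef0123 200
LOG

if __FILE__ == $PROGRAM_NAME
  find_leaked_tokens(SAMPLE_LOG).each { |n, t| puts "line #{n}: #{t}" }
  puts redact_tokens(SAMPLE_LOG)
end
```

Only the prefixed token on line 1 is reported; the unprefixed token on line 3 cannot be told apart from the asset fingerprint on line 2, which is exactly the gap the prefix closes.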

Relevant:

Edited by Nick Malcolm