2022-06-01 23:08:40 -04:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
|
|
module API
|
|
|
|
module Internal
|
|
|
|
class Workhorse < ::API::Base
|
|
|
|
feature_category :not_owned # rubocop:todo Gitlab/AvoidFeatureCategoryNotOwned
|
|
|
|
|
|
|
|
before do
|
|
|
|
verify_workhorse_api!
|
|
|
|
content_type Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE
|
|
|
|
end
|
|
|
|
|
2022-06-16 02:08:59 -04:00
|
|
|
helpers do
|
|
|
|
def request_authenticated?
|
|
|
|
authenticator = Gitlab::Auth::RequestAuthenticator.new(request)
|
|
|
|
return true if authenticator.find_authenticated_requester([:api])
|
|
|
|
|
|
|
|
# Look up user from warden, ignoring the absence of a CSRF token. For
|
|
|
|
# web users the CSRF token can be in the POST form data but Workhorse
|
|
|
|
# does not propagate the form data to us.
|
|
|
|
!!request.env['warden']&.authenticate
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2022-06-01 23:08:40 -04:00
|
|
|
namespace 'internal' do
|
|
|
|
namespace 'workhorse' do
|
|
|
|
post 'authorize_upload' do
|
2022-06-16 02:08:59 -04:00
|
|
|
unauthorized! unless request_authenticated?
|
2022-06-01 23:08:40 -04:00
|
|
|
|
|
|
|
status 200
|
|
|
|
{ TempPath: File.join(::Gitlab.config.uploads.storage_path, 'uploads/tmp') }
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|