gitlab-org--gitlab-foss/app/controllers/concerns/sessionless_authentication.rb

# frozen_string_literal: true

# == SessionlessAuthentication
#
# Controller concern to handle PAT, RSS, and static objects token authentication methods
#
module SessionlessAuthentication
  # This filter handles personal access tokens, atom requests with rss tokens, and static object tokens
  def authenticate_sessionless_user!(request_format)
    user = Gitlab::Auth::RequestAuthenticator.new(request).find_sessionless_user(request_format)

    sessionless_sign_in(user) if user
  end

  def sessionless_user?
    current_user && !session.key?('warden.user.user.key')
  end

  def sessionless_sign_in(user)
    if user && can?(user, :log_in)
      # Notice we are passing store false, so the user is not
      # actually stored in the session and a token is needed
      # for every request. If you want the token to work as a
      # sign in token, you can simply remove store: false.
      sign_in(user, store: false, message: :sessionless_sign_in)
    end
  end
end
Merge branch 'security-fix-pat-web-access' into 'master' [master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request" See merge request gitlab/gitlabhq!2583 2018-11-28 19:06:02 +00:00			`# frozen_string_literal: true`

			`# == SessionlessAuthentication`
			`#`
Enable serving static objects from an external storage It consists of two parts: 1. Redirecting users to the configured external storage 1. Allowing the external storage to request the static object(s) on behalf of the user by means of specific tokens Part of https://gitlab.com/gitlab-com/gl-infra/infrastructure/issues/6829 2019-07-22 14:56:40 +00:00			`# Controller concern to handle PAT, RSS, and static objects token authentication methods`
Merge branch 'security-fix-pat-web-access' into 'master' [master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request" See merge request gitlab/gitlabhq!2583 2018-11-28 19:06:02 +00:00			`#`
			`module SessionlessAuthentication`
Enable serving static objects from an external storage It consists of two parts: 1. Redirecting users to the configured external storage 1. Allowing the external storage to request the static object(s) on behalf of the user by means of specific tokens Part of https://gitlab.com/gitlab-com/gl-infra/infrastructure/issues/6829 2019-07-22 14:56:40 +00:00			`# This filter handles personal access tokens, atom requests with rss tokens, and static object tokens`
Merge branch 'security-fix-pat-web-access' into 'master' [master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request" See merge request gitlab/gitlabhq!2583 2018-11-28 19:06:02 +00:00			`def authenticate_sessionless_user!(request_format)`
			`user = Gitlab::Auth::RequestAuthenticator.new(request).find_sessionless_user(request_format)`

			`sessionless_sign_in(user) if user`
			`end`

			`def sessionless_user?`
Enable Rubocop Performance/InefficientHashSearch When used with a Hash, `.keys.include?` is bad because: 1. It performs a O(n) search instead of the efficient `.has_key?` 2. It clones all keys into separate array. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/64975 2019-07-24 18:11:18 +00:00			`current_user && !session.key?('warden.user.user.key')`
Merge branch 'security-fix-pat-web-access' into 'master' [master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request" See merge request gitlab/gitlabhq!2583 2018-11-28 19:06:02 +00:00			`end`

			`def sessionless_sign_in(user)`
			`if user && can?(user, :log_in)`
			`# Notice we are passing store false, so the user is not`
			`# actually stored in the session and a token is needed`
			`# for every request. If you want the token to work as a`
			`# sign in token, you can simply remove store: false.`
			`sign_in(user, store: false, message: :sessionless_sign_in)`
			`end`
			`end`
			`end`