gitlab-org--gitlab-foss/app/controllers/concerns/sessionless_authentication.rb

# frozen_string_literal: true

# == SessionlessAuthentication
#
# Controller concern to handle PAT, RSS, and static objects token authentication methods
#
module SessionlessAuthentication
  # This filter handles personal access tokens, atom requests with rss tokens, and static object tokens
  def authenticate_sessionless_user!(request_format)
    user = request_authenticator.find_sessionless_user(request_format)
    sessionless_sign_in(user) if user
  end

  def request_authenticator
    @request_authenticator ||= Gitlab::Auth::RequestAuthenticator.new(request)
  end

  def sessionless_user?
    current_user && !session.key?('warden.user.user.key')
  end

  def sessionless_sign_in(user)
    if user && can?(user, :log_in)
      # Notice we are passing store false, so the user is not
      # actually stored in the session and a token is needed
      # for every request. If you want the token to work as a
      # sign in token, you can simply remove store: false.
      sign_in(user, store: false, message: :sessionless_sign_in)
    end
  end

  def sessionless_bypass_admin_mode!(&block)
    return yield unless Gitlab::CurrentSettings.admin_mode

    Gitlab::Auth::CurrentUserMode.bypass_session!(current_user.id, &block)
  end
end
Merge branch 'security-fix-pat-web-access' into 'master' [master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request" See merge request gitlab/gitlabhq!2583 2018-11-28 14:06:02 -05:00			`# frozen_string_literal: true`

			`# == SessionlessAuthentication`
			`#`
Enable serving static objects from an external storage It consists of two parts: 1. Redirecting users to the configured external storage 1. Allowing the external storage to request the static object(s) on behalf of the user by means of specific tokens Part of https://gitlab.com/gitlab-com/gl-infra/infrastructure/issues/6829 2019-07-22 10:56:40 -04:00			`# Controller concern to handle PAT, RSS, and static objects token authentication methods`
Merge branch 'security-fix-pat-web-access' into 'master' [master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request" See merge request gitlab/gitlabhq!2583 2018-11-28 14:06:02 -05:00			`#`
			`module SessionlessAuthentication`
Enable serving static objects from an external storage It consists of two parts: 1. Redirecting users to the configured external storage 1. Allowing the external storage to request the static object(s) on behalf of the user by means of specific tokens Part of https://gitlab.com/gitlab-com/gl-infra/infrastructure/issues/6829 2019-07-22 10:56:40 -04:00			`# This filter handles personal access tokens, atom requests with rss tokens, and static object tokens`
Merge branch 'security-fix-pat-web-access' into 'master' [master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request" See merge request gitlab/gitlabhq!2583 2018-11-28 14:06:02 -05:00			`def authenticate_sessionless_user!(request_format)`
Add latest changes from gitlab-org/gitlab@master 2021-04-28 11:09:35 -04:00			`user = request_authenticator.find_sessionless_user(request_format)`
Merge branch 'security-fix-pat-web-access' into 'master' [master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request" See merge request gitlab/gitlabhq!2583 2018-11-28 14:06:02 -05:00			`sessionless_sign_in(user) if user`
			`end`

Add latest changes from gitlab-org/gitlab@master 2021-04-28 11:09:35 -04:00			`def request_authenticator`
			`@request_authenticator \|\|= Gitlab::Auth::RequestAuthenticator.new(request)`
			`end`

Merge branch 'security-fix-pat-web-access' into 'master' [master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request" See merge request gitlab/gitlabhq!2583 2018-11-28 14:06:02 -05:00			`def sessionless_user?`
Enable Rubocop Performance/InefficientHashSearch When used with a Hash, `.keys.include?` is bad because: 1. It performs a O(n) search instead of the efficient `.has_key?` 2. It clones all keys into separate array. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/64975 2019-07-24 14:11:18 -04:00			`current_user && !session.key?('warden.user.user.key')`
Merge branch 'security-fix-pat-web-access' into 'master' [master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request" See merge request gitlab/gitlabhq!2583 2018-11-28 14:06:02 -05:00			`end`

			`def sessionless_sign_in(user)`
			`if user && can?(user, :log_in)`
			`# Notice we are passing store false, so the user is not`
			`# actually stored in the session and a token is needed`
			`# for every request. If you want the token to work as a`
			`# sign in token, you can simply remove store: false.`
			`sign_in(user, store: false, message: :sessionless_sign_in)`
			`end`
			`end`
Add latest changes from gitlab-org/gitlab@master 2019-09-26 08:06:00 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-03-02 07:07:57 -05:00			`def sessionless_bypass_admin_mode!(&block)`
Add latest changes from gitlab-org/gitlab@master 2021-03-17 20:08:58 -04:00			`return yield unless Gitlab::CurrentSettings.admin_mode`
Add latest changes from gitlab-org/gitlab@master 2019-12-11 07:08:10 -05:00
Add latest changes from gitlab-org/gitlab@master 2020-03-02 07:07:57 -05:00			`Gitlab::Auth::CurrentUserMode.bypass_session!(current_user.id, &block)`
Add latest changes from gitlab-org/gitlab@master 2019-09-26 08:06:00 -04:00			`end`
Merge branch 'security-fix-pat-web-access' into 'master' [master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request" See merge request gitlab/gitlabhq!2583 2018-11-28 14:06:02 -05:00			`end`