Removing private token
This commit is contained in:
parent
41ebd06ddc
commit
374179a970
@ -45,6 +45,7 @@ module API
|
||||||
include Gitlab::Utils::StrongMemoize
|
include Gitlab::Utils::StrongMemoize
|
||||||
|
|
||||||
def find_current_user!
|
def find_current_user!
|
||||||
|
set_raise_unauthorized_error
|
||||||
user = find_user_from_access_token || find_user_from_warden
|
user = find_user_from_access_token || find_user_from_warden
|
||||||
return unless user
|
return unless user
|
||||||
|
|
||||||
|
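Review bot: The new `set_raise_unauthorized_error` call at the top of `find_current_user!` flips instance state that nothing ever clears, so every later `handle_return_value!` on the same helper object raises `UnauthorizedError` instead of returning nil. That is the intended effect for this method, but any finder invoked afterwards on the same instance (for example a path that expects a nil user and falls through) inherits the raising behaviour; whether the helper object is per-request is not visible here and is worth confirming before relying on that. Passing the choice explicitly to the finders, e.g. a `raise_on_failure:` keyword that `handle_return_value!` receives, would keep the decision out of mutable instance state; the helpers that implement the flag are in the `@ -75,6 +77,18` hunk. `find_current_user!` continues past the end of this hunk.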
@ -74,12 +75,6 @@ module API
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
def handle_return_value!(value, &block)
|
|
||||||
raise UnauthorizedError unless value
|
|
||||||
|
|
||||||
block_given? ? yield(value) : value
|
|
||||||
end
|
|
||||||
|
|
||||||
def private_token
|
def private_token
|
||||||
params[PRIVATE_TOKEN_PARAM].presence || env[PRIVATE_TOKEN_HEADER].presence
|
params[PRIVATE_TOKEN_PARAM].presence || env[PRIVATE_TOKEN_HEADER].presence
|
||||||
end
|
end
|
||||||
|
|
|
@ -29,7 +29,9 @@ module Gitlab
|
||||||
private
|
private
|
||||||
|
|
||||||
def handle_return_value!(value, &block)
|
def handle_return_value!(value, &block)
|
||||||
return unless value
|
unless value
|
||||||
|
raise_unauthorized_error? ? raise_unauthorized_error! : return
|
||||||
|
end
|
||||||
|
|
||||||
block_given? ? yield(value) : value
|
block_given? ? yield(value) : value
|
||||||
end
|
end
|
||||||
|
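Review bot: The new `unless value` branch uses a ternary whose else arm is a bare `return`, which reads as an expression but is a control-flow jump; a guard clause says the same more plainly: `unless value` / `raise_unauthorized_error! if raise_unauthorized_error?` / `return` / `end`. The method also keeps an explicit `&block` parameter while calling `yield`, so the parameter is unused and could be dropped. A one-line comment above the method, such as `# A falsy value raises API::APIGuard::UnauthorizedError when raise_unauthorized_error? is set, otherwise returns nil`, would help readers who arrive here from a finder.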
@ -75,6 +77,18 @@ module Gitlab
|
||||||
|
|
||||||
ActionDispatch::Request.new(request.env)
|
ActionDispatch::Request.new(request.env)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def raise_unauthorized_error?
|
||||||
|
defined?(@raise_unauthorized_error) ? @raise_unauthorized_error : false
|
||||||
|
end
|
||||||
|
|
||||||
|
def set_raise_unauthorized_error
|
||||||
|
@raise_unauthorized_error = true
|
||||||
|
end
|
||||||
|
|
||||||
|
def raise_unauthorized_error!
|
||||||
|
raise API::APIGuard::UnauthorizedError
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
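Review bot: The three new private helpers carry no documentation, and their contract is not obvious from their bodies: `set_raise_unauthorized_error` is write-only per-instance state read by `handle_return_value!`, and there is no counterpart that resets it. A comment such as `# Once set, handle_return_value! raises on a missing user for the rest of this instance's lifetime; there is no way to clear it` above `set_raise_unauthorized_error` would make that explicit. `raise_unauthorized_error?` could be simplified to `!!@raise_unauthorized_error` unless the `defined?` form is there to avoid an uninitialized-ivar warning under `-w` on older Rubies — if so, a short comment saying that would stop the next reader from "cleaning it up". `raise_unauthorized_error!` also makes this `Gitlab` helper reference `API::APIGuard::UnauthorizedError`, a dependency from the shared finder onto the API layer that may be worth noting in the description.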
@ -189,26 +189,6 @@ describe 'Rack Attack global throttles' do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe 'API requests authenticated with private token', :api do
|
|
||||||
let(:user) { create(:user) }
|
|
||||||
let(:other_user) { create(:user) }
|
|
||||||
let(:throttle_setting_prefix) { 'throttle_authenticated_api' }
|
|
||||||
|
|
||||||
context 'with the token in the query string' do
|
|
||||||
let(:get_args) { [api(api_partial_url, user)] }
|
|
||||||
let(:other_user_get_args) { [api(api_partial_url, other_user)] }
|
|
||||||
|
|
||||||
it_behaves_like 'rate-limited token-authenticated requests'
|
|
||||||
end
|
|
||||||
|
|
||||||
context 'with the token in the headers' do
|
|
||||||
let(:get_args) { api_get_args_with_token_headers(api_partial_url, private_token_headers(user)) }
|
|
||||||
let(:other_user_get_args) { api_get_args_with_token_headers(api_partial_url, private_token_headers(other_user)) }
|
|
||||||
|
|
||||||
it_behaves_like 'rate-limited token-authenticated requests'
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
describe 'API requests authenticated with personal access token', :api do
|
describe 'API requests authenticated with personal access token', :api do
|
||||||
let(:user) { create(:user) }
|
let(:user) { create(:user) }
|
||||||
let(:token) { create(:personal_access_token, user: user) }
|
let(:token) { create(:personal_access_token, user: user) }
|
||||||
|
@ -261,13 +241,6 @@ describe 'Rack Attack global throttles' do
|
||||||
let(:throttle_setting_prefix) { 'throttle_authenticated_web' }
|
let(:throttle_setting_prefix) { 'throttle_authenticated_web' }
|
||||||
|
|
||||||
context 'with the token in the query string' do
|
context 'with the token in the query string' do
|
||||||
context 'with the atom extension' do
|
|
||||||
let(:get_args) { [rss_url(user)] }
|
|
||||||
let(:other_user_get_args) { [rss_url(other_user)] }
|
|
||||||
|
|
||||||
it_behaves_like 'rate-limited token-authenticated requests'
|
|
||||||
end
|
|
||||||
|
|
||||||
context 'with the atom format in the Accept header' do
|
context 'with the atom format in the Accept header' do
|
||||||
let(:get_args) { [rss_url(user), nil, { 'HTTP_ACCEPT' => 'application/atom+xml' }] }
|
let(:get_args) { [rss_url(user), nil, { 'HTTP_ACCEPT' => 'application/atom+xml' }] }
|
||||||
let(:other_user_get_args) { [rss_url(other_user), nil, { 'HTTP_ACCEPT' => 'application/atom+xml' }] }
|
let(:other_user_get_args) { [rss_url(other_user), nil, { 'HTTP_ACCEPT' => 'application/atom+xml' }] }
|
||||||
|
|