Moved 2FA check to auth.rb and cleaned up the flow authenticate_user

2016-08-15 15:47:29 -05:00 · 2016-08-15 15:47:29 -05:00 · 5f5d8a8e09
commit 5f5d8a8e09
parent f971026ad3
2 changed files with 16 additions and 10 deletions
--- a/app/controllers/projects/git_http_client_controller.rb
+++ b/app/controllers/projects/git_http_client_controller.rb
@ -27,9 +27,11 @@ class Projects::GitHttpClientController < Projects::ApplicationController
        @ci = true
      elsif auth_result.type == :oauth && !download_request?
        # Not allowed
+      elsif auth_result.type == :missing_personal_token
+        render_missing_personal_token
+        return # Render above denied access, nothing left to do
      else
        @user = auth_result.user
-        check_2fa(auth_result.type)
      end

      if ci? || user
@ -92,13 +94,11 @@ class Projects::GitHttpClientController < Projects::ApplicationController
    [nil, nil]
  end

-  def check_2fa(auth_type)
-    if user && user.two_factor_enabled? && auth_type == :gitlab_or_ldap
-      render plain: "HTTP Basic: Access denied\n"\
-                      "You have 2FA enabled, please use a personal access token for Git over HTTP.\n"\
-                      "You can generate one at #{profile_personal_access_tokens_url}",
-             status: 401
-    end
+  def render_missing_personal_token
+    render plain: "HTTP Basic: Access denied\n"\
+                  "You have 2FA enabled, please use a personal access token for Git over HTTP.\n"\
+                  "You can generate one at #{profile_personal_access_tokens_url}",
+           status: 401
  end

  def repository
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@ -11,14 +11,20 @@ module Gitlab
        if valid_ci_request?(login, password, project)
          result.type = :ci
        elsif result.user = find_with_user_password(login, password)
-          result.type = :gitlab_or_ldap
+          if result.user.two_factor_enabled?
+            result.user = nil
+            result.type = :missing_personal_token
+          else
+            result.type = :gitlab_or_ldap
+          end
        elsif result.user = oauth_access_token_check(login, password)
          result.type = :oauth
        elsif result.user = personal_access_token_check(login, password)
          result.type = :personal_token
        end

-        rate_limit!(ip, success: !!result.user || (result.type == :ci), login: login)
+        success = result.user.present? || [:ci, :missing_personal_token].include?(result.type)
+        rate_limit!(ip, success: success, login: login)
        result
      end