JwtController avoids activating session checks
This is used without a session and issues a sessionless token, so we should avoid causing access checks based on the session.
parent
9f6ff5dca2
commit
e00b07b978
|
@ -1,6 +1,7 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
class JwtController < ApplicationController
|
||||
skip_around_action :set_session_storage
|
||||
skip_before_action :authenticate_user!
|
||||
skip_before_action :verify_authenticity_token
|
||||
before_action :authenticate_project_or_user
|
||||
|
|
|
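Review bot: The `skip_around_action :set_session_storage` line at the top of the class carries no comment, and of the skips listed it is the one whose reason is least obvious from the code. With it in place, any access check that only runs when a session is active will presumably not run for this endpoint, so authorization for issued tokens rests on `authenticate_project_or_user` alone; that trade-off should be stated where the next maintainer will see it. I would add above the line: `# Clients call this endpoint without a session and receive a sessionless token, so session storage and the session-based checks it activates are skipped on purpose.` The class body continues outside the hunk.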
@ -108,6 +108,14 @@ describe JwtController do
|
|||
end
|
||||
end
|
||||
end
|
||||
|
||||
it 'does not cause session based checks to be activated' do
|
||||
expect(Gitlab::Session).not_to receive(:with_session)
|
||||
|
||||
get '/jwt/auth', params: parameters, headers: headers
|
||||
|
||||
expect(response).to have_gitlab_http_status(200)
|
||||
end
|
||||
end
|
||||
|
||||
context 'using invalid login' do
|
||||
|
|
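Review bot: The new example pins the mechanism (`Gitlab::Session.with_session` is never called) rather than the outcome, so it would keep passing if session storage were later activated through a different entry point. That is reasonable as a regression guard, but the spec should say what it guards; I would add inside the example: `# JwtController skips set_session_storage, so the request must not be wrapped in a session`. The example also exercises only a successful request (status 200); whether the rejected-login path in the following `using invalid login` context should carry the same expectation is not visible here. The enclosing context starts outside the hunk.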