diff options
author | Timothy Andrew <mail@timothyandrew.net> | 2016-06-01 14:04:38 +0530 |
---|---|---|
committer | Timothy Andrew <mail@timothyandrew.net> | 2016-06-01 14:04:38 +0530 |
commit | 05b319b0b45288cbbe0bce15bf7bed7f58f6cf76 (patch) | |
tree | abea49be1164cc3401827dedc9b06bc6c0f1fcc4 /app/controllers/application_controller.rb | |
parent | 70add1388f514b353d92d2e6a1db0dc173290946 (diff) | |
download | gitlab-ce-05b319b0b45288cbbe0bce15bf7bed7f58f6cf76.tar.gz |
Perform private token and personal access token authentication in the same `before_action`.
- So that the check for valid personal access tokens happens only if
private token auth fails.
Diffstat (limited to 'app/controllers/application_controller.rb')
-rw-r--r-- | app/controllers/application_controller.rb | 38 |
1 files changed, 16 insertions, 22 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index b26afb42e74..9dbaba00ff5 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -7,8 +7,7 @@ class ApplicationController < ActionController::Base include GitlabRoutingHelper include PageLayoutHelper - before_action :authenticate_user_from_private_token! - before_action :authenticate_user_from_personal_access_token! + before_action :authenticate_user_from_token! before_action :authenticate_user! before_action :validate_user_service_ticket! before_action :reject_blocked! @@ -64,26 +63,8 @@ class ApplicationController < ActionController::Base end end - # From https://github.com/plataformatec/devise/wiki/How-To:-Simple-Token-Authentication-Example - # https://gist.github.com/josevalim/fb706b1e933ef01e4fb6 - def authenticate_user_from_private_token! - user_token = params[:private_token].presence || request.headers['PRIVATE-TOKEN'].presence - user = user_token && User.find_by_authentication_token(user_token.to_s) - - if user - # Notice we are passing store false, so the user is not - # actually stored in the session and a token is needed - # for every request. If you want the token to work as a - # sign in token, you can simply remove store: false. - sign_in user, store: false - end - end - - def authenticate_user_from_personal_access_token! - token_string = params[:private_token].presence || request.headers['PRIVATE-TOKEN'].presence - personal_access_token = PersonalAccessToken.active.find_by_token(token_string) - user = personal_access_token && personal_access_token.user - + def authenticate_user_from_token! + user = get_user_from_private_token || get_user_from_personal_access_token if user # Notice we are passing store false, so the user is not # actually stored in the session and a token is needed @@ -383,4 +364,17 @@ class ApplicationController < ActionController::Base (controller_name == 'groups' && action_name == page_type) || (controller_name == 'dashboard' && action_name == page_type) end + + # From https://github.com/plataformatec/devise/wiki/How-To:-Simple-Token-Authentication-Example + # https://gist.github.com/josevalim/fb706b1e933ef01e4fb6 + def get_user_from_private_token + user_token = params[:private_token].presence || request.headers['PRIVATE-TOKEN'].presence + User.find_by_authentication_token(user_token.to_s) if user_token + end + + def get_user_from_personal_access_token + token_string = params[:private_token].presence || request.headers['PRIVATE-TOKEN'].presence + personal_access_token = PersonalAccessToken.active.find_by_token(token_string) + personal_access_token.user if personal_access_token + end end |