authorBob Van Landuyt <bob@vanlanduyt.co>2019-03-08 14:57:01 +0100
committerBob Van Landuyt <bob@vanlanduyt.co>2019-03-11 16:46:04 +0100
commitb0fac091eca5d08c00a57f4b0bed0650cc9522fd (patch)
tree2e5165288fc9b5ebb296860dd714343c385b24d9 /lib/api/helpers.rb
parent8a59c9fdba4572cdfd60be6630d96fd37dc35654 (diff)
Authenticate the internal API using a header
Instead of mixing the shared secret into the querystring or body, we can also specify it in a header.
Diffstat (limited to 'lib/api/helpers.rb')
-rw-r--r--lib/api/helpers.rb11
1 files changed, 7 insertions, 4 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 825fab62034..b8bd180bdc1 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -6,6 +6,7 @@ module API
include Helpers::Pagination
SUDO_HEADER = "HTTP_SUDO".freeze
+ GITLAB_SHARED_SECRET_HEADER = "Gitlab-Shared-Secret".freeze
SUDO_PARAM = :sudo
API_USER_ENV = 'gitlab.api.user'.freeze
@@ -212,10 +213,12 @@ module API
end
def authenticate_by_gitlab_shell_token!
- input = params['secret_token'].try(:chomp)
- unless Devise.secure_compare(secret_token, input)
- unauthorized!
- end
+ input = params['secret_token']
+ input ||= Base64.decode64(headers[GITLAB_SHARED_SECRET_HEADER]) if headers.key?(GITLAB_SHARED_SECRET_HEADER)
+
+ input&.chomp!
+
+ unauthorized! unless Devise.secure_compare(secret_token, input)
end
def authenticated_with_full_private_access!
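Review bot: The `input&.chomp!` line guards only against nil; if `params['secret_token']` arrives as something other than a String (for example a nested array or hash produced from the querystring, depending on how the framework parses parameters) `chomp!` raises NoMethodError and the request fails with a 500, whereas the removed `try(:chomp)` returned nil and fell through to `unauthorized!`. `chomp!` also mutates the string object held in `params`, a side effect the previous non-destructive `chomp` did not have. A non-destructive, type-tolerant form keeps both properties: `input = input.chomp if input.respond_to?(:chomp)`. The Base64 branch is unaffected since `Base64.decode64` always returns a fresh String.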