Make sure API responds with 401 when invalid authentication info is provideddm-api-unauthorized

2 files changed, 38 insertions, 16 deletions

diff --git a/lib/api/api_guard.rb b/lib/api/api_guard.rb
index c4c0fdda665..e79f988f549 100644
--- a/lib/api/api_guard.rb
+++ b/lib/api/api_guard.rb
@@ -75,7 +75,7 @@ module API
           raise RevokedError
 
         when AccessTokenValidationService::VALID
-          @current_user = User.find(access_token.resource_owner_id)
+          User.find(access_token.resource_owner_id)
         end
       end
 
@@ -84,11 +84,13 @@ module API
 
         return nil unless token_string.present?
 
-        find_user_by_authentication_token(token_string) || find_user_by_personal_access_token(token_string, scopes)
-      end
+        user =
+          find_user_by_authentication_token(token_string) ||
+          find_user_by_personal_access_token(token_string, scopes)
+
+        raise UnauthorizedError unless user
 
-      def current_user
-        @current_user
+        user
       end
 
       private
@@ -107,7 +109,16 @@ module API
       end
 
       def find_access_token
-        @access_token ||= Doorkeeper.authenticate(doorkeeper_request, Doorkeeper.configuration.access_token_methods)
+        return @access_token if defined?(@access_token)
+
+        token = Doorkeeper::OAuth::Token.from_request(doorkeeper_request, *Doorkeeper.configuration.access_token_methods)
+        return @access_token = nil unless token
+
+        @access_token = Doorkeeper::AccessToken.by_token(token)
+        raise UnauthorizedError unless @access_token
+
+        @access_token.revoke_previous_refresh_token!
+        @access_token
       end
 
       def doorkeeper_request
@@ -169,6 +180,7 @@ module API
     TokenNotFoundError = Class.new(StandardError)
     ExpiredError = Class.new(StandardError)
     RevokedError = Class.new(StandardError)
+    UnauthorizedError = Class.new(StandardError)
 
     class InsufficientScopeError < StandardError
       attr_reader :scopes
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 00dbc2aee7a..1e8475ba3ec 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -3,6 +3,8 @@ module API
     include Gitlab::Utils
     include Helpers::Pagination
 
+    UnauthorizedError = Class.new(StandardError)
+
     SUDO_HEADER = "HTTP_SUDO".freeze
     SUDO_PARAM = :sudo
 
@@ -139,7 +141,7 @@ module API
     end
 
     def authenticate!
-      unauthorized! unless current_user && can?(initial_current_user, :access_api)
+      unauthorized! unless current_user
     end
 
     def authenticate_non_get!
@@ -397,19 +399,27 @@ module API
 
     def initial_current_user
       return @initial_current_user if defined?(@initial_current_user)
-      Gitlab::Auth::UniqueIpsLimiter.limit_user! do
-        @initial_current_user ||= find_user_by_private_token(scopes: scopes_registered_for_endpoint)
-        @initial_current_user ||= doorkeeper_guard(scopes: scopes_registered_for_endpoint)
-        @initial_current_user ||= find_user_from_warden
-
-        unless @initial_current_user && Gitlab::UserAccess.new(@initial_current_user).allowed?
-          @initial_current_user = nil
-        end
 
-        @initial_current_user
+      begin
+        @initial_current_user = Gitlab::Auth::UniqueIpsLimiter.limit_user! { find_current_user }
+      rescue APIGuard::UnauthorizedError, UnauthorizedError
+        unauthorized!
       end
     end
 
+    def find_current_user
+      user =
+        find_user_by_private_token(scopes: scopes_registered_for_endpoint) ||
+        doorkeeper_guard(scopes: scopes_registered_for_endpoint) ||
+        find_user_from_warden
+
+      return nil unless user
+
+      raise UnauthorizedError unless Gitlab::UserAccess.new(user).allowed? && user.can?(:access_api)
+
+      user
+    end
+
     def sudo!
       return unless sudo_identifier
       return unless initial_current_user