Merge branch 'master' of gitlab_gitlab:gitlab-org/gitlab-cerunner-metrics-extractor

author: Alex Groleau <agroleau@gitlab.com> 2019-08-27 12:41:39 -0400
committer: Alex Groleau <agroleau@gitlab.com> 2019-08-27 12:41:39 -0400
commit: aa01f092829facd1044ad02f334422b7dbdc8b0e (patch)
tree: a754bf2497820432df7da0f2108bb7527a8dd7b8 /lib/gitlab/auth/user_auth_finders.rb
parent: a1d9c9994a9a4d79b824c3fd9322688303ac8b03 (diff)
parent: 6b10779053ff4233c7a64c5ab57754fce63f6710 (diff)
download: gitlab-ce-aa01f092829facd1044ad02f334422b7dbdc8b0e.tar.gz
1 files changed, 14 insertions, 3 deletions
diff --git a/lib/gitlab/auth/user_auth_finders.rb b/lib/gitlab/auth/user_auth_finders.rb
index a5efe33bdc6..bba7e2cbb3c 100644
--- a/lib/gitlab/auth/user_auth_finders.rb
+++ b/lib/gitlab/auth/user_auth_finders.rb
@@ -90,8 +90,8 @@ module Gitlab
       def find_personal_access_token
         token =
           current_request.params[PRIVATE_TOKEN_PARAM].presence ||
-          current_request.env[PRIVATE_TOKEN_HEADER].presence
-
+          current_request.env[PRIVATE_TOKEN_HEADER].presence ||
+          parsed_oauth_token
         return unless token
 
         # Expiration, revocation and scopes are verified in `validate_access_token!`
@@ -99,9 +99,12 @@ module Gitlab
       end
 
       def find_oauth_access_token
-        token = Doorkeeper::OAuth::Token.from_request(current_request, *Doorkeeper.configuration.access_token_methods)
+        token = parsed_oauth_token
         return unless token
 
+        # PATs with OAuth headers are not handled by OauthAccessToken
+        return if matches_personal_access_token_length?(token)
+
         # Expiration, revocation and scopes are verified in `validate_access_token!`
         oauth_token = OauthAccessToken.by_token(token)
         raise UnauthorizedError unless oauth_token
@@ -110,6 +113,14 @@ module Gitlab
         oauth_token
       end
 
+      def parsed_oauth_token
+        Doorkeeper::OAuth::Token.from_request(current_request, *Doorkeeper.configuration.access_token_methods)
+      end
+
+      def matches_personal_access_token_length?(token)
+        token.length == PersonalAccessToken::TOKEN_LENGTH
+      end
+
       # Check if the request is GET/HEAD, or if CSRF token is valid.
       def verified_request?
         Gitlab::RequestForgeryProtection.verified?(current_request.env)
author	Alex Groleau <agroleau@gitlab.com>	2019-08-27 12:41:39 -0400
committer	Alex Groleau <agroleau@gitlab.com>	2019-08-27 12:41:39 -0400
commit	aa01f092829facd1044ad02f334422b7dbdc8b0e (patch)
tree	a754bf2497820432df7da0f2108bb7527a8dd7b8 /lib/gitlab/auth/user_auth_finders.rb
parent	a1d9c9994a9a4d79b824c3fd9322688303ac8b03 (diff)
parent	6b10779053ff4233c7a64c5ab57754fce63f6710 (diff)
download	gitlab-ce-aa01f092829facd1044ad02f334422b7dbdc8b0e.tar.gz