Diffstat (limited to 'app/controllers/concerns')
-rw-r--r--app/controllers/concerns/sessionless_authentication.rb4
-rw-r--r--app/controllers/concerns/static_object_external_storage.rb24
2 files changed, 26 insertions, 2 deletions
diff --git a/app/controllers/concerns/sessionless_authentication.rb b/app/controllers/concerns/sessionless_authentication.rb
index 4304b8565ce..ba06384a37a 100644
--- a/app/controllers/concerns/sessionless_authentication.rb
+++ b/app/controllers/concerns/sessionless_authentication.rb
@@ -2,10 +2,10 @@
# == SessionlessAuthentication
#
-# Controller concern to handle PAT and RSS token authentication methods
+# Controller concern to handle PAT, RSS, and static objects token authentication methods
#
module SessionlessAuthentication
- # This filter handles personal access tokens, and atom requests with rss tokens
+ # This filter handles personal access tokens, atom requests with rss tokens, and static object tokens
def authenticate_sessionless_user!(request_format)
user = Gitlab::Auth::RequestAuthenticator.new(request).find_sessionless_user(request_format)
diff --git a/app/controllers/concerns/static_object_external_storage.rb b/app/controllers/concerns/static_object_external_storage.rb
new file mode 100644
index 00000000000..dbfe0ed3adf
--- /dev/null
+++ b/app/controllers/concerns/static_object_external_storage.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module StaticObjectExternalStorage
+ extend ActiveSupport::Concern
+
+ included do
+ include ApplicationHelper
+ end
+
+ def redirect_to_external_storage
+ return if external_storage_request?
+
+ redirect_to external_storage_url_or_path(request.fullpath, project)
+ end
+
+ def external_storage_request?
+ header_token = request.headers['X-Gitlab-External-Storage-Token']
+ return false unless header_token.present?
+
+ external_storage_token = Gitlab::CurrentSettings.static_objects_external_storage_auth_token
+ ActiveSupport::SecurityUtils.secure_compare(header_token, external_storage_token) ||
+ raise(Gitlab::Access::AccessDeniedError)
+ end
+end
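Review bot: In `external_storage_request?`, a present `X-Gitlab-External-Storage-Token` header is passed to `secure_compare` together with `Gitlab::CurrentSettings.static_objects_external_storage_auth_token` without first checking that the setting holds a value. If that setting can be nil (its definition is not visible in this diff), the comparison would likely raise a type or no-method error, so the request ends in a 500 instead of the intended `AccessDeniedError`; it still fails closed, but the denial path is no longer uniform. A guard before the comparison, `raise Gitlab::Access::AccessDeniedError if external_storage_token.blank?`, would keep it consistent. The method name also reads as a pure predicate although it raises on mismatch, so a comment such as `# Returns false when no token header is sent; raises AccessDeniedError when the header is present but does not match` would help anyone calling it outside `redirect_to_external_storage`.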