Diffstat (limited to 'lib/api/internal/base.rb')
-rw-r--r--lib/api/internal/base.rb40
1 files changed, 24 insertions, 16 deletions
diff --git a/lib/api/internal/base.rb b/lib/api/internal/base.rb
index 6d8f13c36e6..61ef1d5bde0 100644
--- a/lib/api/internal/base.rb
+++ b/lib/api/internal/base.rb
@@ -7,10 +7,16 @@ module API
before { authenticate_by_gitlab_shell_token! }
before do
+ api_endpoint = env['api.endpoint']
+ feature_category = api_endpoint.options[:for].try(:feature_category_for_app, api_endpoint).to_s
+
+ header[Gitlab::Metrics::RequestsRackMiddleware::FEATURE_CATEGORY_HEADER] = feature_category
+
Gitlab::ApplicationContext.push(
user: -> { actor&.user },
project: -> { project },
- caller_id: route.origin
+ caller_id: route.origin,
+ feature_category: feature_category
)
end
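Review bot: `feature_category` becomes an empty string whenever `api_endpoint.options[:for]` is nil or does not respond to `feature_category_for_app`, because `try` returns nil and `.to_s` turns that into `""`. The blank value is then written to the response header and pushed into `Gitlab::ApplicationContext` as if it were a real category. Every route visible in this diff declares a category, but a route added later without one would be recorded with a blank category rather than skipped or flagged. Consider guarding the write, e.g. `header[Gitlab::Metrics::RequestsRackMiddleware::FEATURE_CATEGORY_HEADER] = feature_category if feature_category.present?`, or add a comment stating that a blank category is intended. The enclosing class body starts outside the hunk.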
@@ -28,10 +34,10 @@ module API
{ status: success, message: message }.merge(extra_options).compact
end
- def lfs_authentication_url(project)
+ def lfs_authentication_url(container)
# This is a separate method so that EE can alter its behaviour more
# easily.
- project.http_url_to_repo
+ container.lfs_http_url_to_repo
end
def check_allowed(params)
@@ -122,13 +128,15 @@ module API
# changes - changes as "oldrev newrev ref", see Gitlab::ChangesList
# check_ip - optional, only in EE version, may limit access to
# group resources based on its IP restrictions
- post "/allowed" do
+ post "/allowed", feature_category: :source_code_management do
# It was moved to a separate method so that EE can alter its behaviour more
# easily.
check_allowed(params)
end
- post "/lfs_authenticate" do
+ post "/lfs_authenticate", feature_category: :source_code_management do
+ not_found! unless container&.lfs_enabled?
+
status 200
unless actor.key_or_user
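Review bot: The new guard `not_found! unless container&.lfs_enabled?` is the only check on the container visible in this endpoint, and it tests whether LFS is enabled, not whether the actor may access that container. `container` is resolved outside the hunk, so it is worth confirming that a container the actor cannot read produces the same 404; otherwise the 404-versus-200 difference reveals whether a path exists with LFS enabled. A short comment such as `# 404 covers both an unknown container and one with LFS disabled` would document the intent, and a spec for an actor without access to the container would pin the behaviour. The endpoint body continues past the end of the hunk.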
@@ -139,14 +147,14 @@ module API
Gitlab::LfsToken
.new(actor.key_or_user)
- .authentication_payload(lfs_authentication_url(project))
+ .authentication_payload(lfs_authentication_url(container))
end
#
# Get a ssh key using the fingerprint
#
# rubocop: disable CodeReuse/ActiveRecord
- get '/authorized_keys' do
+ get '/authorized_keys', feature_category: :source_code_management do
fingerprint = params.fetch(:fingerprint) do
Gitlab::InsecureKeyFingerprint.new(params.fetch(:key)).fingerprint
end
@@ -159,11 +167,11 @@ module API
#
# Discover user by ssh key, user id or username
#
- get '/discover' do
+ get '/discover', feature_category: :authentication_and_authorization do
present actor.user, with: Entities::UserSafe
end
- get '/check' do
+ get '/check', feature_category: :not_owned do
{
api_version: API.version,
gitlab_version: Gitlab::VERSION,
@@ -172,7 +180,7 @@ module API
}
end
- post '/two_factor_recovery_codes' do
+ post '/two_factor_recovery_codes', feature_category: :authentication_and_authorization do
status 200
actor.update_last_used_at!
@@ -201,7 +209,7 @@ module API
{ success: true, recovery_codes: codes }
end
- post '/personal_access_token' do
+ post '/personal_access_token', feature_category: :authentication_and_authorization do
status 200
actor.update_last_used_at!
@@ -239,7 +247,7 @@ module API
end
result = ::PersonalAccessTokens::CreateService.new(
- user, name: params[:name], scopes: params[:scopes], expires_at: expires_at
+ current_user: user, target_user: user, params: { name: params[:name], scopes: params[:scopes], expires_at: expires_at }
).execute
unless result.status == :success
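Review bot: Passing the same `user` as both `current_user` and `target_user` deserves a comment at the call, since any permission check inside `PersonalAccessTokens::CreateService` then only asks whether the user may create a token for themselves. Something like `# Self-service: the token is created by and for the same user.` would make that explicit. The new argument line is also long and would read more easily split as `current_user: user,` / `target_user: user,` / `params: { name: params[:name], scopes: params[:scopes], expires_at: expires_at }`. How `user` and `params[:scopes]` are validated is above the hunk and not visible here.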
@@ -251,7 +259,7 @@ module API
{ success: true, token: access_token.token, scopes: access_token.scopes, expires_at: access_token.expires_at }
end
- post '/pre_receive' do
+ post '/pre_receive', feature_category: :source_code_management do
status 200
reference_counter_increased = Gitlab::ReferenceCounter.new(params[:gl_repository]).increase
@@ -259,7 +267,7 @@ module API
{ reference_counter_increased: reference_counter_increased }
end
- post '/post_receive' do
+ post '/post_receive', feature_category: :source_code_management do
status 200
response = PostReceiveService.new(actor.user, repository, project, params).execute
@@ -267,7 +275,7 @@ module API
present response, with: Entities::InternalPostReceive::Response
end
- post '/two_factor_config' do
+ post '/two_factor_config', feature_category: :authentication_and_authorization do
status 200
break { success: false } unless Feature.enabled?(:two_factor_for_cli)
@@ -289,7 +297,7 @@ module API
end
end
- post '/two_factor_otp_check' do
+ post '/two_factor_otp_check', feature_category: :authentication_and_authorization do
status 200
break { success: false } unless Feature.enabled?(:two_factor_for_cli)