Diffstat (limited to 'lib/gitlab/auth')
-rw-r--r--lib/gitlab/auth/auth_finders.rb6
-rw-r--r--lib/gitlab/auth/ldap/adapter.rb16
-rw-r--r--lib/gitlab/auth/ldap/config.rb4
-rw-r--r--lib/gitlab/auth/u2f_webauthn_converter.rb2
4 files changed, 22 insertions, 6 deletions
diff --git a/lib/gitlab/auth/auth_finders.rb b/lib/gitlab/auth/auth_finders.rb
index 416e36c7ccb..0796f23fbfe 100644
--- a/lib/gitlab/auth/auth_finders.rb
+++ b/lib/gitlab/auth/auth_finders.rb
@@ -89,9 +89,11 @@ module Gitlab
job.user
end
- # We only allow Private Access Tokens with `api` scope to be used by web
+ # We allow Private Access Tokens with `api` scope to be used by web
# requests on RSS feeds or ICS files for backwards compatibility.
# It is also used by GraphQL/API requests.
+ # And to allow accessing /archive programatically as it was a big pain point
+ # for users https://gitlab.com/gitlab-org/gitlab/-/issues/28978.
def find_user_from_web_access_token(request_format, scopes: [:api])
return unless access_token && valid_web_access_format?(request_format)
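Review bot: The two added comment lines above `find_user_from_web_access_token` misspell "programmatically" and start with a dangling "And", and they do not mention that archive access is gated by the feature flag checked in the second hunk of this file. Suggested wording: `# It also allows accessing /archive programmatically (behind the` / `# :allow_archive_as_web_access_format flag), see https://gitlab.com/gitlab-org/gitlab/-/issues/28978.` The unchanged first line says "Private Access Tokens", where "Personal Access Tokens" is presumably meant. The method body continues outside the hunk.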
@@ -269,6 +271,8 @@ module Gitlab
ics_request?
when :api
api_request?
+ when :archive
+ archive_request? if Feature.enabled?(:allow_archive_as_web_access_format, default_enabled: :yaml)
end
end
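Review bot: The new `when :archive` branch lets an access token authenticate archive downloads, but the scopes accepted there are chosen by the caller of `find_user_from_web_access_token`, which is not in this diff and defaults to `scopes: [:api]`. It is worth confirming that the archive call site passes the scopes it intends, since a download presumably needs only read access to the repository. A spec should also cover the flag-off case, where this branch evaluates to nil and the format is rejected. A short comment such as `# Returns nil (format rejected) unless :allow_archive_as_web_access_format is enabled` would make that fall-through explicit. The enclosing method starts outside the hunk.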
diff --git a/lib/gitlab/auth/ldap/adapter.rb b/lib/gitlab/auth/ldap/adapter.rb
index 3853709698b..47eca74aa5b 100644
--- a/lib/gitlab/auth/ldap/adapter.rb
+++ b/lib/gitlab/auth/ldap/adapter.rb
@@ -53,11 +53,7 @@ module Gitlab
if results.nil?
response = ldap.get_operation_result
-
- unless response.code == 0
- Gitlab::AppLogger.warn("LDAP search error: #{response.message}")
- end
-
+ check_empty_response_code(response)
[]
else
results
@@ -136,6 +132,16 @@ module Gitlab
def renew_connection_adapter
@ldap = Net::LDAP.new(config.adapter_options)
end
+
+ def check_empty_response_code(response)
+ if config.retry_empty_result_with_codes.include?(response.code)
+ raise Net::LDAP::Error, "Got empty results with response code: #{response.code}, message: #{response.message}"
+ end
+
+ unless response.code == 0
+ Gitlab::AppLogger.warn("LDAP search error: #{response.message}")
+ end
+ end
end
end
end
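Review bot: `check_empty_response_code` raises for the configured codes before the `Gitlab::AppLogger.warn` line is reached, so an empty result that triggers the raise leaves no log entry from this method. Whether it is logged at all depends on the rescuing code, which is outside this hunk. For anyone diagnosing intermittent LDAP login failures it would help to log before raising, e.g. `Gitlab::AppLogger.warn("LDAP search returned empty results with code #{response.code}, raising for retry")`. The method would also benefit from a one-line comment saying that it raises `Net::LDAP::Error` so the caller's retry handling can run, because the name does not suggest that it raises.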
diff --git a/lib/gitlab/auth/ldap/config.rb b/lib/gitlab/auth/ldap/config.rb
index 441f0d14b39..7bfe776fed0 100644
--- a/lib/gitlab/auth/ldap/config.rb
+++ b/lib/gitlab/auth/ldap/config.rb
@@ -163,6 +163,10 @@ module Gitlab
options['timeout'].to_i
end
+ def retry_empty_result_with_codes
+ options.fetch('retry_empty_result_with_codes', [])
+ end
+
def external_groups
options['external_groups'] || []
end
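Review bot: `options.fetch('retry_empty_result_with_codes', [])` returns nil when the key is present in the configuration but left empty, and `check_empty_response_code` in adapter.rb then calls `.include?` on that nil during an LDAP search. The neighbouring `external_groups` uses the `|| []` form, and `options['retry_empty_result_with_codes'] || []` would be consistent with it and safe against a blank value. Codes written as strings in the configuration would also never match `response.code`, which adapter.rb compares against the integer 0. Either normalise the list with `.map(&:to_i)` or document that it must contain integers.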
diff --git a/lib/gitlab/auth/u2f_webauthn_converter.rb b/lib/gitlab/auth/u2f_webauthn_converter.rb
index f85b2248aeb..20b5d2ddc88 100644
--- a/lib/gitlab/auth/u2f_webauthn_converter.rb
+++ b/lib/gitlab/auth/u2f_webauthn_converter.rb
@@ -1,5 +1,7 @@
# frozen_string_literal: true
+require 'webauthn/u2f_migrator'
+
module Gitlab
module Auth
class U2fWebauthnConverter