From 374179a97042da3a4d5312afcdb0dc90a44634f0 Mon Sep 17 00:00:00 2001
From: Francisco Lopez
Date: Wed, 8 Nov 2017 10:13:22 +0100
Subject: Removing private token

---
 lib/api/api_guard.rb | 7 +------
 lib/gitlab/auth/user_auth_finders.rb | 16 +++++++++++++++-
 spec/requests/rack_attack_global_spec.rb | 27 ---------------------------
 3 files changed, 16 insertions(+), 34 deletions(-)

diff --git a/lib/api/api_guard.rb b/lib/api/api_guard.rb
index 9ada2d5ebb1..9c68830ae34 100644
--- a/lib/api/api_guard.rb
+++ b/lib/api/api_guard.rb
@@ -45,6 +45,7 @@ module API
 include Gitlab::Utils::StrongMemoize
 def find_current_user!
+ set_raise_unauthorized_error
 user = find_user_from_access_token || find_user_from_warden
 return unless user
@@ -74,12 +75,6 @@ module API
 private
- def handle_return_value!(value, &block)
- raise UnauthorizedError unless value
-
- block_given? ? yield(value) : value
-
-
 def private_token
 params[PRIVATE_TOKEN_PARAM].presence || env[PRIVATE_TOKEN_HEADER].presence
 end
diff --git a/lib/gitlab/auth/user_auth_finders.rb b/lib/gitlab/auth/user_auth_finders.rb
index 93f3cae0a95..86f1c13d4b8 100644
--- a/lib/gitlab/auth/user_auth_finders.rb
+++ b/lib/gitlab/auth/user_auth_finders.rb
@@ -29,7 +29,9 @@ module Gitlab
 private
 def handle_return_value!(value, &block)
- return unless value
+ unless value
+ raise_unauthorized_error? ? raise_unauthorized_error! : return
+ end
 block_given? ? yield(value) : value
 end
@@ -75,6 +77,18 @@ module Gitlab
 ActionDispatch::Request.new(request.env)
 end
+
+ def raise_unauthorized_error?
+ defined?(@raise_unauthorized_error) ? @raise_unauthorized_error : false
+ end
+
+ def set_raise_unauthorized_error
+ @raise_unauthorized_error = true
+ end
+
+ def raise_unauthorized_error!
+ raise API::APIGuard::UnauthorizedError
+ end
 end
 end
 end
diff --git a/spec/requests/rack_attack_global_spec.rb b/spec/requests/rack_attack_global_spec.rb
index 9a0513d66a7..9cda4bcf966 100644
--- a/spec/requests/rack_attack_global_spec.rb
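Review bot: The added `set_raise_unauthorized_error` call changes how every finder in Gitlab::Auth::UserAuthFinders reports a missing user for the rest of this endpoint's life — `handle_return_value!` raises instead of returning nil — but nothing at the call site says so, and the lines that follow still read as if nil were an expected outcome. A one-line comment would spare the next reader a trip through the mixin: `# Put Gitlab::Auth::UserAuthFinders into raising mode: from here on a missing user is an UnauthorizedError, never nil.` The body of `find_current_user!` continues past the hunk, so whether the later `return unless user` is now unreachable for the token path cannot be confirmed from here.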
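Review bot: `raise_unauthorized_error? ? raise_unauthorized_error! : return` uses `return` as a ternary arm, which is legal Ruby but easy to misread as a value; inside the `unless value` block it reads more plainly as `raise_unauthorized_error! if raise_unauthorized_error?` followed by `return` on its own line. Behind that, the raise-or-nil decision now depends on an instance variable set earlier by `set_raise_unauthorized_error`, so the method's behaviour is order-dependent and cannot be read off its arguments; if the finders cannot thread a `raise_on_nil:` keyword through, the method should at least say so, e.g. `# nil handling is governed by @raise_unauthorized_error (see set_raise_unauthorized_error): API callers get UnauthorizedError, everyone else gets nil.` If any object that includes this module outlives a single request, the flag, once set, keeps every later lookup on that object in raising mode — worth confirming against the includers, since only API::APIGuard sets it in this commit.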
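Review bot: `raise_unauthorized_error!` makes lib/gitlab/auth/user_auth_finders.rb raise `API::APIGuard::UnauthorizedError`, so a shared auth mixin now depends on a class from the API layer — the dependency runs the wrong way, and any non-API includer that sets the flag would surface an API-namespaced exception. Defining the error under Gitlab::Auth (with API::APIGuard aliasing or rescuing it) keeps the dependency pointing from API to auth rather than back. Separately, `raise_unauthorized_error?` goes through `defined?` rather than reading the ivar directly, presumably to avoid the uninitialized-instance-variable warning under `-w`; that deserves a comment such as `# defined? guard: avoid the uninitialized-ivar warning when the flag was never set`. `set_raise_unauthorized_error` is also a one-way switch with no counterpart to clear it, which is fine for a per-request object but should be stated in its comment.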
+++ b/spec/requests/rack_attack_global_spec.rb
@@ -189,26 +189,6 @@ describe 'Rack Attack global throttles' do
 end
 end
- describe 'API requests authenticated with private token', :api do
- let(:user) { create(:user) }
- let(:other_user) { create(:user) }
- let(:throttle_setting_prefix) { 'throttle_authenticated_api' }
-
- context 'with the token in the query string' do
- let(:get_args) { [api(api_partial_url, user)] }
- let(:other_user_get_args) { [api(api_partial_url, other_user)] }
-
- it_behaves_like 'rate-limited token-authenticated requests'
- end
-
- context 'with the token in the headers' do
- let(:get_args) { api_get_args_with_token_headers(api_partial_url, private_token_headers(user)) }
- let(:other_user_get_args) { api_get_args_with_token_headers(api_partial_url, private_token_headers(other_user)) }
-
- it_behaves_like 'rate-limited token-authenticated requests'
- end
- end
-
 describe 'API requests authenticated with personal access token', :api do
 let(:user) { create(:user) }
 let(:token) { create(:personal_access_token, user: user) }
@@ -261,13 +241,6 @@ describe 'Rack Attack global throttles' do
 let(:throttle_setting_prefix) { 'throttle_authenticated_web' }
 context 'with the token in the query string' do
- context 'with the atom extension' do
- let(:get_args) { [rss_url(user)] }
- let(:other_user_get_args) { [rss_url(other_user)] }
-
- it_behaves_like 'rate-limited token-authenticated requests'
- end
-
 context 'with the atom format in the Accept header' do
 let(:get_args) { [rss_url(user), nil, { 'HTTP_ACCEPT' => 'application/atom+xml' }] }
 let(:other_user_get_args) { [rss_url(other_user), nil, { 'HTTP_ACCEPT' => 'application/atom+xml' }] }
--
cgit v1.2.1