path: root/lib/gitlab/auth/user_auth_finders.rb
blob: d1f5bf8487368b867caf7b61dc3b68eeb5220128 (plain)
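# frozen_string_literal: true

module Gitlab
  module Auth
    # Request-scoped lookups that resolve the current user from the credentials
    # a request may carry: the Rails/Warden session, a private or personal
    # access token, an RSS token, or an OAuth access token.
    #
    # The including object must provide `request`, which is read here for
    # `env`, `params`, `headers`, `path` and `format`.
    module UserAuthFinders
      # Check the Rails session for valid authentication details.
      #
      # Warden is only consulted when the request passes the forgery check
      # (`verified_request?`); otherwise nil is returned without authenticating.
      def find_session_user
        return unless verified_request?

        request.env['warden']&.authenticate
      end

      # Resolve a user from the `private_token` param or the PRIVATE-TOKEN header.
      #
      # The legacy authentication token is tried first, then personal access
      # tokens. Returns nil when no token is supplied. When a token is supplied
      # but matches nothing, `raise_unauthorized_error!` is invoked and the
      # (nil) lookup result is returned.
      def find_user_by_private_token
        token = private_token
        return unless token

        user =
          find_user_by_authentication_token(token) ||
          find_user_by_personal_access_token(token)

        raise_unauthorized_error! unless user

        user
      end

      # Resolve a user from the `rss_token` query param.
      #
      # Only applies to feed requests (path ending in "atom" or an Atom format).
      # Returns nil when the request is not a feed or carries no token; a token
      # that matches no user invokes `raise_unauthorized_error!`.
      def find_user_by_rss_token
        return unless request.path.ends_with?('atom') || request.format.atom?

        # `presence` already maps blank values to nil, so a truthiness check is enough.
        token = request.params[:rss_token].presence
        return unless token

        user = User.find_by_rss_token(token)
        raise_unauthorized_error! unless user

        user
      end

      # Resolve the user owning the request's OAuth access token, or nil when
      # no usable token is present.
      def find_user_by_oauth_token
        access_token = find_oauth_access_token
        return unless access_token

        find_user_by_access_token(access_token)
      end

      private

      # The raw private token, preferring the query param over the header.
      # Returns nil when neither carries a non-blank value.
      def private_token
        request.params[:private_token].presence ||
          request.headers['PRIVATE-TOKEN'].presence
      end

      # Legacy per-user authentication token lookup; nil when unknown.
      def find_user_by_authentication_token(token_string)
        User.find_by_authentication_token(token_string)
      end

      # Personal access token lookup; nil when the token is unknown.
      def find_user_by_personal_access_token(token_string)
        access_token = PersonalAccessToken.find_by_token(token_string)
        return unless access_token

        find_user_by_access_token(access_token)
      end

      # Extract the OAuth token from the request using Doorkeeper's configured
      # token methods and look up the matching OauthAccessToken record.
      #
      # The result (including a nil result) is memoised in @oauth_access_token,
      # so extraction and `revoke_previous_refresh_token!` happen at most once
      # per finder instance. Returns nil when no token is sent. When a token is
      # sent but matches no record, `raise_unauthorized_error!` is invoked and
      # nil is returned.
      def find_oauth_access_token
        return @oauth_access_token if defined?(@oauth_access_token)

        current_request = ensure_action_dispatch_request(request)
        token = Doorkeeper::OAuth::Token.from_request(current_request, *Doorkeeper.configuration.access_token_methods)
        return @oauth_access_token = nil unless token

        @oauth_access_token = OauthAccessToken.by_token(token)
        unless @oauth_access_token
          # raise_unauthorized_error! does not raise in this file (it returns
          # nil), so return explicitly instead of falling through and calling
          # revoke_previous_refresh_token! on nil.
          raise_unauthorized_error!
          return @oauth_access_token
        end

        @oauth_access_token.revoke_previous_refresh_token!
        @oauth_access_token
      end

      # The user owning an access token (personal or OAuth); nil for nil input.
      def find_user_by_access_token(access_token)
        access_token&.user
      end

      # Check if the request is GET/HEAD, or if CSRF token is valid.
      def verified_request?
        Gitlab::RequestForgeryProtection.verified?(request.env)
      end

      # Doorkeeper is handed an ActionDispatch::Request; any other request
      # object is wrapped in one built from its `env`.
      def ensure_action_dispatch_request(raw_request)
        return raw_request if raw_request.is_a?(ActionDispatch::Request)

        ActionDispatch::Request.new(raw_request.env)
      end

      # Invoked when a supplied credential matches no user.
      #
      # NOTE(review): this is a no-op returning nil, so callers cannot tell an
      # invalid token from no token at all (both yield nil). If callers are
      # expected to rescue an authentication error here, confirm whether this
      # is meant to raise.
      def raise_unauthorized_error!
        nil
      end
    end
  end
end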