module Gitlab
  module Auth
    # Helpers, mixed into request handlers, that resolve the user behind the
    # current request from one of three sources: the Rails session (warden),
    # an RSS token on atom requests, or an access token (OAuth bearer token or
    # personal access token). Each finder returns nil when its credential is
    # absent, and raises API::APIGuard::UnauthorizedError when a credential was
    # supplied but does not resolve to a user, so a bad token never silently
    # falls through to an anonymous request.
    #
    # Including classes must provide a `request` method.
    module UserAuthFinders
      PRIVATE_TOKEN_HEADER = 'HTTP_PRIVATE_TOKEN'.freeze
      PRIVATE_TOKEN_PARAM = :private_token

      # Authenticates via the warden object stored in the Rack env, but only
      # for requests that pass the forgery-protection check (see
      # `verified_request?`); returns nil otherwise.
      #
      # @return [User, nil]
      def find_user_from_warden
        return unless verified_request?

        current_request.env['warden']&.authenticate
      end

      # Resolves a user from the `rss_token` query parameter. Only atom-format
      # requests are considered; other formats return nil without reading the
      # parameter.
      #
      # @return [User, nil]
      # @raise [API::APIGuard::UnauthorizedError] when a token is present but unknown
      def find_user_from_rss_token
        return unless current_request.format.atom?

        rss_token = current_request.params[:rss_token].presence
        return unless rss_token

        User.find_by_rss_token(rss_token) || raise(API::APIGuard::UnauthorizedError)
      end

      # Resolves the owner of the OAuth or personal access token on the
      # request. The token is validated (expiry, revocation, scopes) before its
      # user is returned.
      #
      # @return [User, nil] nil when no access token was supplied
      # @raise [API::APIGuard::UnauthorizedError] when the token has no user
      def find_user_from_access_token
        return unless access_token

        validate_access_token!
        access_token.user || raise(API::APIGuard::UnauthorizedError)
      end

      # Runs AccessTokenValidationService against the current access token and
      # maps each failure result to the matching API::APIGuard error. Does
      # nothing when no access token is present or the token is valid.
      #
      # @param scopes [Array] scopes the token must carry
      # @raise [API::APIGuard::InsufficientScopeError, API::APIGuard::ExpiredError, API::APIGuard::RevokedError]
      def validate_access_token!(scopes: [])
        return unless access_token

        validation_result =
          AccessTokenValidationService.new(access_token, request: request).validate(scopes: scopes)

        failure =
          case validation_result
          when AccessTokenValidationService::INSUFFICIENT_SCOPE
            API::APIGuard::InsufficientScopeError.new(scopes)
          when AccessTokenValidationService::EXPIRED
            API::APIGuard::ExpiredError
          when AccessTokenValidationService::REVOKED
            API::APIGuard::RevokedError
          end

        raise failure if failure
      end

      private

      # The access token for this request, looked up once per instance.
      # Memoized with `defined?` rather than `||=` so that a nil result (no
      # token supplied) is cached too and the lookups are not repeated.
      #
      # @return [OauthAccessToken, PersonalAccessToken, nil]
      def access_token
        @access_token = find_oauth_access_token || find_personal_access_token unless defined?(@access_token)
        @access_token
      end

      # Looks up a personal access token given via the `private_token` param
      # or the `HTTP_PRIVATE_TOKEN` header (param wins when both are present).
      #
      # @return [PersonalAccessToken, nil]
      # @raise [API::APIGuard::UnauthorizedError] when a token is present but unknown
      def find_personal_access_token
        raw_token = current_request.params[PRIVATE_TOKEN_PARAM].presence
        raw_token ||= current_request.env[PRIVATE_TOKEN_HEADER].presence
        return unless raw_token

        # Expiration, revocation and scopes are verified in `validate_access_token!`
        PersonalAccessToken.find_by(token: raw_token) || raise(API::APIGuard::UnauthorizedError)
      end

      # Extracts an OAuth bearer token using the methods Doorkeeper is
      # configured with, and resolves it to an OauthAccessToken record.
      #
      # @return [OauthAccessToken, nil]
      # @raise [API::APIGuard::UnauthorizedError] when a token is present but unknown
      def find_oauth_access_token
        extraction_methods = Doorkeeper.configuration.access_token_methods
        bearer = Doorkeeper::OAuth::Token.from_request(current_request, *extraction_methods)
        return unless bearer

        # Expiration, revocation and scopes are verified in `validate_access_token!`
        OauthAccessToken.by_token(bearer).tap do |oauth_token|
          raise API::APIGuard::UnauthorizedError unless oauth_token

          # Invalidates the refresh token that preceded this access token.
          oauth_token.revoke_previous_refresh_token!
        end
      end

      # Check if the request is GET/HEAD, or if CSRF token is valid.
      def verified_request?
        Gitlab::RequestForgeryProtection.verified?(current_request.env)
      end

      # Wraps any Rack-style request object (one exposing `env`) in an
      # ActionDispatch::Request; an ActionDispatch::Request is returned as-is.
      def ensure_action_dispatch_request(raw_request)
        return raw_request if raw_request.is_a?(ActionDispatch::Request)

        ActionDispatch::Request.new(raw_request.env)
      end

      # The includer's `request`, normalized to an ActionDispatch::Request and
      # cached for the lifetime of this instance.
      def current_request
        @current_request ||= ensure_action_dispatch_request(request)
      end
    end
  end
end