Removing private token

374179a9 · Francisco Lopez · 41ebd06d · 374179a9 · 374179a9 · 374179a9
Commit 374179a9 authored Nov 08, 2017 by Francisco Lopez
3 changed files
--- a/lib/api/api_guard.rb
+++ b/lib/api/api_guard.rb
@@ -45,6 +45,7 @@ module API
      include Gitlab::Utils::StrongMemoize

      def find_current_user!
+        set_raise_unauthorized_error
        user = find_user_from_access_token || find_user_from_warden
        return unless user

@@ -74,12 +75,6 @@ module API

      private

-      def handle_return_value!(value, &block)
-        raise UnauthorizedError unless value
-
-        block_given? ? yield(value) : value
-      end
-
      def private_token
        params[PRIVATE_TOKEN_PARAM].presence || env[PRIVATE_TOKEN_HEADER].presence
      end

--- a/lib/gitlab/auth/user_auth_finders.rb
+++ b/lib/gitlab/auth/user_auth_finders.rb
@@ -29,7 +29,9 @@ module Gitlab
      private

      def handle_return_value!(value, &block)
-        return unless value
+        unless value
+          raise_unauthorized_error? ? raise_unauthorized_error! : return
+        end

        block_given? ? yield(value) : value
      end
@@ -75,6 +77,18 @@ module Gitlab

        ActionDispatch::Request.new(request.env)
      end
+
+      def raise_unauthorized_error?
+        defined?(@raise_unauthorized_error) ? @raise_unauthorized_error : false
+      end
+
+      def set_raise_unauthorized_error
+        @raise_unauthorized_error = true
+      end
+
+      def raise_unauthorized_error!
+        raise API::APIGuard::UnauthorizedError
+      end
    end
  end
 end
--- a/spec/requests/rack_attack_global_spec.rb
+++ b/spec/requests/rack_attack_global_spec.rb
@@ -189,26 +189,6 @@ describe 'Rack Attack global throttles' do
    end
  end

-  describe 'API requests authenticated with private token', :api do
-    let(:user) { create(:user) }
-    let(:other_user) { create(:user) }
-    let(:throttle_setting_prefix) { 'throttle_authenticated_api' }
-
-    context 'with the token in the query string' do
-      let(:get_args) { [api(api_partial_url, user)] }
-      let(:other_user_get_args) { [api(api_partial_url, other_user)] }
-
-      it_behaves_like 'rate-limited token-authenticated requests'
-    end
-
-    context 'with the token in the headers' do
-      let(:get_args) { api_get_args_with_token_headers(api_partial_url, private_token_headers(user)) }
-      let(:other_user_get_args) { api_get_args_with_token_headers(api_partial_url, private_token_headers(other_user)) }
-
-      it_behaves_like 'rate-limited token-authenticated requests'
-    end
-  end
-
  describe 'API requests authenticated with personal access token', :api do
    let(:user) { create(:user) }
    let(:token) { create(:personal_access_token, user: user) }
@@ -261,13 +241,6 @@ describe 'Rack Attack global throttles' do
    let(:throttle_setting_prefix) { 'throttle_authenticated_web' }

    context 'with the token in the query string' do
-      context 'with the atom extension' do
-        let(:get_args) { [rss_url(user)] }
-        let(:other_user_get_args) { [rss_url(other_user)] }
-
-        it_behaves_like 'rate-limited token-authenticated requests'
-      end
-
      context 'with the atom format in the Accept header' do
        let(:get_args) { [rss_url(user), nil, { 'HTTP_ACCEPT' => 'application/atom+xml' }] }
        let(:other_user_get_args) { [rss_url(other_user), nil, { 'HTTP_ACCEPT' => 'application/atom+xml' }] }