Commit 43a682cc authored by Michael Kozono's avatar Michael Kozono Committed by Francisco Lopez

Fix OAuth API and RSS rate limiting

parent d8703071
...@@ -125,7 +125,7 @@ class ApplicationController < ActionController::Base ...@@ -125,7 +125,7 @@ class ApplicationController < ActionController::Base
# This filter handles private tokens, personal access tokens, and atom # This filter handles private tokens, personal access tokens, and atom
# requests with rss tokens # requests with rss tokens
def authenticate_sessionless_user! def authenticate_sessionless_user!
user = Gitlab::Auth.find_sessionless_user(request) user = Gitlab::Auth::RequestAuthenticator.new(request).find_sessionless_user
sessionless_sign_in(user) if user sessionless_sign_in(user) if user
>>>>>>> Add request throttles >>>>>>> Add request throttles
......
...@@ -45,7 +45,7 @@ class Rack::Attack ...@@ -45,7 +45,7 @@ class Rack::Attack
end end
def authenticated_user_id def authenticated_user_id
session_user_id || sessionless_user_id Gitlab::Auth::RequestAuthenticator.new(self).user&.id
end end
def api_request? def api_request?
...@@ -55,15 +55,5 @@ class Rack::Attack ...@@ -55,15 +55,5 @@ class Rack::Attack
def web_request? def web_request?
!api_request? !api_request?
end end
private
def session_user_id
Gitlab::Auth.find_session_user(self)&.id
end
def sessionless_user_id
Gitlab::Auth.find_sessionless_user(self)&.id
end
end end
end end
...@@ -82,36 +82,6 @@ module Gitlab ...@@ -82,36 +82,6 @@ module Gitlab
end end
end end
# request may be Rack::Attack::Request which is just a Rack::Request, so
# we cannot use ActionDispatch::Request methods.
def find_user_by_private_token(request)
token = request.params['private_token'].presence || request.env['HTTP_PRIVATE_TOKEN'].presence
return unless token.present?
User.find_by_authentication_token(token) || User.find_by_personal_access_token(token)
end
# request may be Rack::Attack::Request which is just a Rack::Request, so
# we cannot use ActionDispatch::Request methods.
def find_user_by_rss_token(request)
return unless request.params['format'] == 'atom'
token = request.params['rss_token'].presence
return unless token.present?
User.find_by_rss_token(token)
end
def find_session_user(request)
request.env['warden']&.authenticate
end
def find_sessionless_user(request)
find_user_by_private_token(request) || find_user_by_rss_token(request)
end
private private
def service_request_check(login, password, project) def service_request_check(login, password, project)
......
# Use for authentication only, in particular for Rack::Attack.
# Does not perform authorization of scopes, etc.
module Gitlab
module Auth
class RequestAuthenticator
def initialize(request)
@request = request
end
def user
find_sessionless_user || find_session_user
end
def find_sessionless_user
find_user_by_private_token || find_user_by_rss_token || find_user_by_oauth_token
end
private
def find_session_user
@request.env['warden']&.authenticate if verified_request?
end
# request may be Rack::Attack::Request which is just a Rack::Request, so
# we cannot use ActionDispatch::Request methods.
def find_user_by_private_token
token = @request.params['private_token'].presence || @request.env['HTTP_PRIVATE_TOKEN'].presence
return unless token.present?
User.find_by_authentication_token(token) || User.find_by_personal_access_token(token)
end
# request may be Rack::Attack::Request which is just a Rack::Request, so
# we cannot use ActionDispatch::Request methods.
def find_user_by_rss_token
return unless @request.path.ends_with?('atom') || @request.env['HTTP_ACCEPT'] == 'application/atom+xml'
token = @request.params['rss_token'].presence
return unless token.present?
User.find_by_rss_token(token)
end
def find_user_by_oauth_token
access_token = find_oauth_access_token
access_token&.user
end
def find_oauth_access_token
token = Doorkeeper::OAuth::Token.from_request(doorkeeper_request, *Doorkeeper.configuration.access_token_methods)
OauthAccessToken.by_token(token) if token
end
def doorkeeper_request
ActionDispatch::Request.new(@request.env)
end
# Check if the request is GET/HEAD, or if CSRF token is valid.
def verified_request?
Gitlab::RequestForgeryProtection.verified?(@request.env)
end
end
end
end
This diff is collapsed.
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment