Authenticate the internal API using a header

Instead of mixing in the shared secret into the querystring or body,
we could also specify it in a header.

lib/api/helpers.rb

@@ -6,6 +6,7 @@ module API
     include Helpers::Pagination
 
     SUDO_HEADER = "HTTP_SUDO".freeze
+    GITLAB_SHARED_SECRET_HEADER = "Gitlab-Shared-Secret".freeze
     SUDO_PARAM = :sudo
     API_USER_ENV = 'gitlab.api.user'.freeze
 
@@ -212,10 +213,12 @@ module API
     end
 
     def authenticate_by_gitlab_shell_token!
-      input = params['secret_token'].try(:chomp)
-      unless Devise.secure_compare(secret_token, input)
-        unauthorized!
-      end
+      input = params['secret_token']
+      input ||= Base64.decode64(headers[GITLAB_SHARED_SECRET_HEADER]) if headers.key?(GITLAB_SHARED_SECRET_HEADER)
+
+      input&.chomp!
+
+      unauthorized! unless Devise.secure_compare(secret_token, input)
     end
 
     def authenticated_with_full_private_access!

spec/requests/api/internal_spec.rb

@@ -26,6 +26,21 @@ describe API::Internal do
 
       expect(json_response['redis']).to be(false)
     end
+
+    context 'authenticating' do
+      it 'authenticates using a header' do
+        get api("/internal/check"),
+            headers: { API::Helpers::GITLAB_SHARED_SECRET_HEADER => Base64.encode64(secret_token) }
+
+        expect(response).to have_gitlab_http_status(200)
+      end
+
+      it 'returns 401 when no credentials provided' do
+        get(api("/internal/check"))
+
+        expect(response).to have_gitlab_http_status(401)
+      end
+    end
   end
 
   describe 'GET /internal/broadcast_message' do