author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-05-19 10:33:21 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-05-19 10:33:21 +0300 |
commit | 36a59d088eca61b834191dacea009677a96c052f (patch) | |
tree | e4f33972dab5d8ef79e3944a9f403035fceea43f /app/controllers/oauth | |
parent | a1761f15ec2cae7c7f7bbda39a75494add0dfd6f (diff) |
Add latest changes from gitlab-org/gitlab@15-0-stable-eev15.0.0-rc42
Diffstat (limited to 'app/controllers/oauth')
-rw-r--r-- | app/controllers/oauth/applications_controller.rb | 6 | ||||
-rw-r--r-- | app/controllers/oauth/authorizations_controller.rb | 17 |
2 files changed, 4 insertions, 19 deletions
diff --git a/app/controllers/oauth/applications_controller.rb b/app/controllers/oauth/applications_controller.rb
index 81084ffe38b..3724bb0d925 100644
--- a/app/controllers/oauth/applications_controller.rb
+++ b/app/controllers/oauth/applications_controller.rb
@@ -57,10 +57,8 @@ class Oauth::ApplicationsController < Doorkeeper::ApplicationsController
     @authorized_anonymous_tokens = @authorized_tokens.reject(&:application)
     @authorized_apps = @authorized_tokens.map(&:application).uniq.reject(&:nil?)
-    # Default access tokens to expire. This preserves backward compatibility
-    # with existing applications. This will be removed in 15.0.
-    # Removal issue: https://gitlab.com/gitlab-org/gitlab/-/issues/340848
-    @application ||= Doorkeeper::Application.new(expire_access_tokens: true)
+    # Don't overwrite a value possibly set by `create`
+    @application ||= Doorkeeper::Application.new
   end
   # Override Doorkeeper to scope to the current user
diff --git a/app/controllers/oauth/authorizations_controller.rb b/app/controllers/oauth/authorizations_controller.rb
index d1c409d071e..0817813f967 100644
--- a/app/controllers/oauth/authorizations_controller.rb
+++ b/app/controllers/oauth/authorizations_controller.rb
@@ -5,7 +5,7 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
   include InitializesCurrentUserMode
   include Gitlab::Utils::StrongMemoize
-  before_action :verify_confirmed_email!, :verify_confidential_application!
+  before_action :verify_confirmed_email!
   layout 'profile'
@@ -37,8 +37,7 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
   # limit scopes when signing in with GitLab
   def downgrade_scopes!
-    return unless Feature.enabled?(:omniauth_login_minimal_scopes, current_user,
-                                   default_enabled: :yaml)
+    return unless Feature.enabled?(:omniauth_login_minimal_scopes, current_user)
     auth_type = params.delete('gl_auth_type')
     return unless auth_type == 'login'
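Review bot: Dropping `expire_access_tokens: true` from `Doorkeeper::Application.new` leaves the expiry setting of a freshly built application to whatever the model or column default is, and neither the hunk nor the commit message says what that default is. The deleted comment tied the explicit value to a compatibility period ending in 15.0, which this release is, so the removal is presumably intentional, but the replacement comment could record where the default now lives, e.g. `# Don't overwrite a value possibly set by create; token expiry now follows the model/schema default`. The enclosing method starts outside the hunk.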
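Review bot: Removing `:verify_confidential_application!` from the `before_action` (and its definition together with `authorizable_confidential?` in the `@@ -78,18 +77,6 @@` hunk) takes away the only visible check that rejects implicit-grant requests (`response_type == 'token'`) from confidential applications, which the deleted comment describes as closing a security hole, and nothing in the diff or the commit message shows what replaces it. If the implicit grant flow is disabled for this release at the Doorkeeper configuration level (the `grant_flows` setting), the guard is indeed dead code, but that dependency should be recorded next to the remaining line, e.g. `# Implicit grant (response_type=token) is disabled in the Doorkeeper config, so no confidential-app check is needed here`. If it is not disabled, the guard should stay until it is.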
@@ -78,18 +77,6 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
     doorkeeper_application&.includes_scope?(*::Gitlab::Auth::API_SCOPES)
   end
-  # Confidential apps require the client_secret to be sent with the request.
-  # Doorkeeper allows implicit grant flow requests (response_type=token) to
-  # work without client_secret regardless of the confidential setting.
-  # This leads to security vulnerabilities and we want to block it.
-  def verify_confidential_application!
-    render 'doorkeeper/authorizations/error' if authorizable_confidential?
-  end
-
-  def authorizable_confidential?
-    pre_auth.authorizable? && pre_auth.response_type == 'token' && pre_auth.client.application.confidential
-  end
-
   def verify_confirmed_email!
     return if current_user&.confirmed?