Add latest changes from gitlab-org/gitlab@15-0-stable-eev15.0.0-rc42

2 files changed, 4 insertions, 19 deletions

diff --git a/app/controllers/oauth/applications_controller.rb b/app/controllers/oauth/applications_controller.rb
index 81084ffe38b..3724bb0d925 100644
--- a/app/controllers/oauth/applications_controller.rb
+++ b/app/controllers/oauth/applications_controller.rb
@@ -57,10 +57,8 @@ class Oauth::ApplicationsController < Doorkeeper::ApplicationsController
     @authorized_anonymous_tokens = @authorized_tokens.reject(&:application)
     @authorized_apps = @authorized_tokens.map(&:application).uniq.reject(&:nil?)
 
-    # Default access tokens to expire. This preserves backward compatibility
-    # with existing applications. This will be removed in 15.0.
-    # Removal issue: https://gitlab.com/gitlab-org/gitlab/-/issues/340848
-    @application ||= Doorkeeper::Application.new(expire_access_tokens: true)
+    # Don't overwrite a value possibly set by `create`
+    @application ||= Doorkeeper::Application.new
   end
 
   # Override Doorkeeper to scope to the current user
diff --git a/app/controllers/oauth/authorizations_controller.rb b/app/controllers/oauth/authorizations_controller.rb
index d1c409d071e..0817813f967 100644
--- a/app/controllers/oauth/authorizations_controller.rb
+++ b/app/controllers/oauth/authorizations_controller.rb
@@ -5,7 +5,7 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
   include InitializesCurrentUserMode
   include Gitlab::Utils::StrongMemoize
 
-  before_action :verify_confirmed_email!, :verify_confidential_application!
+  before_action :verify_confirmed_email!
 
   layout 'profile'
 
@@ -37,8 +37,7 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
 
   # limit scopes when signing in with GitLab
   def downgrade_scopes!
-    return unless Feature.enabled?(:omniauth_login_minimal_scopes, current_user,
-                                   default_enabled: :yaml)
+    return unless Feature.enabled?(:omniauth_login_minimal_scopes, current_user)
 
     auth_type = params.delete('gl_auth_type')
     return unless auth_type == 'login'
@@ -78,18 +77,6 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
     doorkeeper_application&.includes_scope?(*::Gitlab::Auth::API_SCOPES)
   end
 
-  # Confidential apps require the client_secret to be sent with the request.
-  # Doorkeeper allows implicit grant flow requests (response_type=token) to
-  # work without client_secret regardless of the confidential setting.
-  # This leads to security vulnerabilities and we want to block it.
-  def verify_confidential_application!
-    render 'doorkeeper/authorizations/error' if authorizable_confidential?
-  end
-
-  def authorizable_confidential?
-    pre_auth.authorizable? && pre_auth.response_type == 'token' && pre_auth.client.application.confidential
-  end
-
   def verify_confirmed_email!
     return if current_user&.confirmed?