gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorSteve Abrams <sabrams@gitlab.com>2019-07-22 11:50:25 +0300
committerDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2019-07-22 11:50:25 +0300
commitaba93fe2d5661cf3c086f65838db2965c746fdbf (patch)
treebe934a757b6b0a64391de1d572f54e16f6ffc82e /lib/gitlab/auth
parent30a0d4600e46af1b01f90332679f64c432219d5a (diff)
OAuth2 support for GitLab personal access tokens
PATs are accepted using the OAuth2-compliant header "Authorization: Bearer {token}" in order to allow OAuth requests while 2FA is enabled.
Diffstat (limited to 'lib/gitlab/auth')
-rw-r--r--lib/gitlab/auth/user_auth_finders.rb17
1 files changed, 14 insertions, 3 deletions
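diff --git a/lib/gitlab/auth/user_auth_finders.rb b/lib/gitlab/auth/user_auth_finders.rb
index a5efe33bdc6..bba7e2cbb3c 100644
--- a/lib/gitlab/auth/user_auth_finders.rb
+++ b/lib/gitlab/auth/user_auth_finders.rb
@@ -90,8 +90,8 @@ module Gitlab
 def find_personal_access_token
 token =
 current_request.params[PRIVATE_TOKEN_PARAM].presence ||
-current_request.env[PRIVATE_TOKEN_HEADER].presence
-
+current_request.env[PRIVATE_TOKEN_HEADER].presence ||
+parsed_oauth_token
 return unless token
 # Expiration, revocation and scopes are verified in `validate_access_token!`
@@ -99,9 +99,12 @@ module Gitlab
 end
 def find_oauth_access_token
-token = Doorkeeper::OAuth::Token.from_request(current_request, *Doorkeeper.configuration.access_token_methods)
+token = parsed_oauth_token
 return unless token
+# PATs with OAuth headers are not handled by OauthAccessToken
+return if matches_personal_access_token_length?(token)
+
 # Expiration, revocation and scopes are verified in `validate_access_token!`
 oauth_token = OauthAccessToken.by_token(token)
 raise UnauthorizedError unless oauth_token
@@ -110,6 +113,14 @@ module Gitlab
 oauth_token
 end
+def parsed_oauth_token
+Doorkeeper::OAuth::Token.from_request(current_request, *Doorkeeper.configuration.access_token_methods)
+end
+
+def matches_personal_access_token_length?(token)
+token.length == PersonalAccessToken::TOKEN_LENGTH
+end
+
 # Check if the request is GET/HEAD, or if CSRF token is valid.
 def verified_request?
 Gitlab::RequestForgeryProtection.verified?(current_request.env)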
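Review bot: The early return in `find_oauth_access_token` tells the two credential types apart by length alone (`matches_personal_access_token_length?`), so a Doorkeeper token whose length ever equals `PersonalAccessToken::TOKEN_LENGTH` would silently bypass `OauthAccessToken.by_token`, and any future change to the PAT length or format would quietly break Bearer-header PAT routing. Nothing in the hunk pins that invariant; `matches_personal_access_token_length?` should carry a comment such as `# Bearer tokens are routed to the PAT finder purely by length; a Doorkeeper token must never be TOKEN_LENGTH characters long` and a spec asserting the two lengths differ. Since `find_personal_access_token` now also consumes the Bearer header, the order in which the caller (outside this hunk) tries the two finders, together with the raise in its body that continues past the first hunk, decides whether a Bearer token that matches neither store yields 401 or falls through, which is worth stating at the call site. `parsed_oauth_token` is also evaluated once per finder on the same request; harmless, but a single memoized parse would make the shared input explicit.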