Allow token authentication on go-get request

author: Douwe Maan <douwe@gitlab.com> 2018-02-23 13:33:46 +0300
committer: Nick Thomas <nick@gitlab.com> 2018-02-23 13:33:46 +0300
commit: 7a6c7bd66bae678640c98ad426cd0153f638b163 (patch)
tree: 51dd1b18673e8f695ef2252b86c90b02148c269e /lib
parent: 981b5905a02ac89ca9f33ad7c91d8c1a576ed9af (diff)
2 files changed, 17 insertions, 1 deletions
diff --git a/lib/gitlab/auth/request_authenticator.rb b/lib/gitlab/auth/request_authenticator.rb
index 46ec040ce92..a0b5cd868c3 100644
--- a/lib/gitlab/auth/request_authenticator.rb
+++ b/lib/gitlab/auth/request_authenticator.rb
@@ -20,6 +20,14 @@ module Gitlab
       rescue Gitlab::Auth::AuthenticationError
         nil
       end
+
+      def valid_access_token?(scopes: [])
+        validate_access_token!(scopes: scopes)
+
+        true
+      rescue Gitlab::Auth::AuthenticationError
+        false
+      end
     end
   end
 end
diff --git a/lib/gitlab/middleware/go.rb b/lib/gitlab/middleware/go.rb
index 1a570f480c6..1fd8f147b44 100644
--- a/lib/gitlab/middleware/go.rb
+++ b/lib/gitlab/middleware/go.rb
@@ -114,7 +114,15 @@ module Gitlab
       end
 
       def current_user(request)
-        request.env['warden']&.authenticate
+        authenticator = Gitlab::Auth::RequestAuthenticator.new(request)
+        user = authenticator.find_user_from_access_token || authenticator.find_user_from_warden
+
+        return unless user&.can?(:access_api)
+
+        # Right now, the `api` scope is the only one that should be able to determine private project existence.
+        return unless authenticator.valid_access_token?(scopes: [:api])
+
+        user
       end
     end
   end
author	Douwe Maan <douwe@gitlab.com>	2018-02-23 13:33:46 +0300
committer	Nick Thomas <nick@gitlab.com>	2018-02-23 13:33:46 +0300
commit	7a6c7bd66bae678640c98ad426cd0153f638b163 (patch)
tree	51dd1b18673e8f695ef2252b86c90b02148c269e /lib
parent	981b5905a02ac89ca9f33ad7c91d8c1a576ed9af (diff)