gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
Diffstat (limited to 'lib/gitlab/auth/auth_finders.rb')
-rw-r--r--lib/gitlab/auth/auth_finders.rb26
1 files changed, 26 insertions, 0 deletions
diff --git a/lib/gitlab/auth/auth_finders.rb b/lib/gitlab/auth/auth_finders.rb
index 93342fbad51..bd5aed0d964 100644
--- a/lib/gitlab/auth/auth_finders.rb
+++ b/lib/gitlab/auth/auth_finders.rb
@@ -54,6 +54,11 @@ module Gitlab
User.find_by_feed_token(token) || raise(UnauthorizedError)
end
+ def find_user_from_bearer_token
+ find_user_from_job_bearer_token ||
+ find_user_from_access_token
+ end
+
def find_user_from_job_token
return unless route_authentication_setting[:job_token_allowed]
return find_user_from_basic_auth_job if route_authentication_setting[:job_token_allowed] == :basic_auth
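Review bot: `find_user_from_bearer_token` is added without a comment on its lookup order, and the order is security-relevant: the same bearer value is tried first as a CI job token and, when that lookup returns nil, retried as an access token. A short comment above the method would make this explicit, e.g. `# Tries the bearer value as a CI job token first (only on routes that set job_token_allowed), then falls back to the access-token lookup.` The fallback is reachable because the job lookup added in the last hunk returns nil on a miss instead of raising.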
@@ -92,6 +97,8 @@ module Gitlab
validate_access_token!(scopes: [:api])
+ ::PersonalAccessTokens::LastUsedService.new(access_token).execute
+
access_token.user || raise(UnauthorizedError)
end
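Review bot: The added `::PersonalAccessTokens::LastUsedService.new(access_token).execute` sits on the authentication path ahead of `access_token.user || raise(UnauthorizedError)`, so an exception from this bookkeeping call would fail the request, and the service runs even for a token that turns out to have no user. The service itself is not shown, so it is worth confirming that it tolerates every kind of object `access_token` can be in these methods, not only a personal access token. The same two lines are repeated in the next hunk, after the unscoped `validate_access_token!`; a small private helper called from both places would keep them in step. The enclosing methods start outside both hunks.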
@@ -100,6 +107,8 @@ module Gitlab
validate_access_token!
+ ::PersonalAccessTokens::LastUsedService.new(access_token).execute
+
access_token.user || raise(UnauthorizedError)
end
@@ -132,6 +141,9 @@ module Gitlab
end
def validate_access_token!(scopes: [])
+ # return early if we've already authenticated via a job token
+ return if @current_authenticated_job.present? # rubocop:disable Gitlab/ModuleWithInstanceVariables
+
# return early if we've already authenticated via a deploy token
return if @current_authenticated_deploy_token.present? # rubocop:disable Gitlab/ModuleWithInstanceVariables
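Review bot: The new early return in `validate_access_token!` skips everything below it, including the `scopes:` argument, for the rest of the request once `@current_authenticated_job` is set. The comment only says that the method returns early, not why that is safe; something like `# job tokens are not access tokens, so token state and scopes are not checked here` would tell the next reader that the skip is deliberate. Callers that pass `scopes: [:api]` get no scope enforcement on this path, which is worth stating where the method is documented. The rest of the method body is outside the hunk.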
@@ -151,6 +163,20 @@ module Gitlab
private
+ def find_user_from_job_bearer_token
+ return unless route_authentication_setting[:job_token_allowed]
+
+ token = parsed_oauth_token
+ return unless token
+
+ job = ::Ci::Build.find_by_token(token)
+ return unless job
+
+ @current_authenticated_job = job # rubocop:disable Gitlab/ModuleWithInstanceVariables
+
+ job.user
+ end
+
def route_authentication_setting
return {} unless respond_to?(:route_setting)
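Review bot: `find_user_from_job_bearer_token` accepts whatever build `::Ci::Build.find_by_token(token)` returns, and nothing visible here checks that the job is still running; unless the finder already restricts that, a token from a finished job would still authenticate. Separately, `@current_authenticated_job` is assigned before `job.user` is inspected, so when the user is nil the caller falls through to `find_user_from_access_token` with the ivar already set, which switches off `validate_access_token!` for that request. Guarding first with `return unless job.user` and assigning the ivar only after it would avoid leaving that state behind.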