Diffstat (limited to 'lib/gitlab/auth/auth_finders.rb')
-rw-r--r-- | lib/gitlab/auth/auth_finders.rb | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/lib/gitlab/auth/auth_finders.rb b/lib/gitlab/auth/auth_finders.rb
index f3975fe219a..caa881eeeab 100644
--- a/lib/gitlab/auth/auth_finders.rb
+++ b/lib/gitlab/auth/auth_finders.rb
@@ -46,6 +46,7 @@ module Gitlab
 def find_user_from_feed_token(request_format)
 return unless valid_rss_format?(request_format)
+ return if Gitlab::CurrentSettings.disable_feed_token
 # NOTE: feed_token was renamed from rss_token but both needs to be supported because
 # users might have already added the feed to their RSS reader before the rename
@@ -193,6 +194,10 @@ module Gitlab
 def access_token
 strong_memoize(:access_token) do
+ # The token can be a PAT or an OAuth (doorkeeper) token
+ # It is also possible that a PAT is encapsulated in a `Bearer` OAuth token
+ # (e.g. NPM client registry auth), this case will be properly handled
+ # by find_personal_access_token
 find_oauth_access_token || find_personal_access_token
 end
 end
@@ -236,7 +241,7 @@ module Gitlab
 end
 def matches_personal_access_token_length?(token)
- token.length == PersonalAccessToken::TOKEN_LENGTH
+ PersonalAccessToken::TOKEN_LENGTH_RANGE.include?(token.length)
 end
 # Check if the request is GET/HEAD, or if CSRF token is valid. |
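Review bot: The new guard in `find_user_from_feed_token` returns nil exactly as the format check above it does, so a reader cannot tell "feed tokens are disabled instance-wide" from "this is not a feed request". Because the guard sits before the token lookup, it appears to cover both the `feed_token` and the legacy `rss_token` names mentioned in the NOTE below it. That is worth recording in a comment, for example `# Feed tokens are ignored while the instance setting disables them (feed_token and legacy rss_token alike)`. A spec that enables `disable_feed_token` and presents an otherwise valid token under each name would pin the behaviour. The method body continues outside the hunk.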
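Review bot: The comment added in `access_token` says a PAT wrapped in a `Bearer` header "will be properly handled by find_personal_access_token", but with `find_oauth_access_token || find_personal_access_token` that only holds if the OAuth finder returns nil for such a token rather than raising or matching it. That condition is not visible in this hunk; it presumably rests on `matches_personal_access_token_length?`, which the third hunk changes. I would name the dependency in the comment, e.g. `# find_oauth_access_token must return nil for PAT-shaped tokens so the || falls through to the PAT lookup`.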
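Review bot: `matches_personal_access_token_length?` now accepts any length inside `PersonalAccessToken::TOKEN_LENGTH_RANGE`, so a wider set of bearer strings is classified as a PAT by length alone. The range is defined outside this file's diff, and it should be confirmed not to overlap any length the OAuth provider can issue; if callers use this predicate to separate PATs from OAuth tokens, as the `access_token` comment suggests, an overlapping OAuth token would be routed to the wrong lookup and rejected. A comment such as `# Range must stay disjoint from OAuth token lengths` and a spec at both bounds and one past each would guard that assumption. `token.length` is still called without a nil check, as before; the callers are outside the hunk.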