lib/api/internal/workhorse.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

# frozen_string_literal: true

module API
  module Internal
    class Workhorse < ::API::Base
      feature_category :not_owned # rubocop:todo Gitlab/AvoidFeatureCategoryNotOwned

      before do
        verify_workhorse_api!
        content_type Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE
      end

      helpers do
        def request_authenticated?
          authenticator = Gitlab::Auth::RequestAuthenticator.new(request)
          return true if authenticator.find_authenticated_requester([:api])

          # Look up user from warden, ignoring the absence of a CSRF token. For
          # web users the CSRF token can be in the POST form data but Workhorse
          # does not propagate the form data to us.
          !!request.env['warden']&.authenticate
        end
      end

      namespace 'internal' do
        namespace 'workhorse' do
          post 'authorize_upload' do
            unauthorized! unless request_authenticated?

            status 200
            { TempPath: File.join(::Gitlab.config.uploads.storage_path, 'uploads/tmp') }
          end
        end
      end
    end
  end
end