Commit dc95bcbb authored by Timothy Andrew's avatar Timothy Andrew

Refactor access token validation in `Gitlab::Auth`

- Based on @dbalexandre's review
- Extract token validity conditions into two separate methods, for
  personal access tokens and OAuth tokens.
parent 990ae6b8
...@@ -92,7 +92,7 @@ module Gitlab ...@@ -92,7 +92,7 @@ module Gitlab
def oauth_access_token_check(login, password) def oauth_access_token_check(login, password)
if login == "oauth2" && password.present? if login == "oauth2" && password.present?
token = Doorkeeper::AccessToken.by_token(password) token = Doorkeeper::AccessToken.by_token(password)
if token && token.accessible? && token_has_scope?(token) if valid_oauth_token?(token)
user = User.find_by(id: token.resource_owner_id) user = User.find_by(id: token.resource_owner_id)
Gitlab::Auth::Result.new(user, nil, :oauth, read_authentication_abilities) Gitlab::Auth::Result.new(user, nil, :oauth, read_authentication_abilities)
end end
...@@ -104,12 +104,20 @@ module Gitlab ...@@ -104,12 +104,20 @@ module Gitlab
token = PersonalAccessToken.active.find_by_token(password) token = PersonalAccessToken.active.find_by_token(password)
validation = User.by_login(login) validation = User.by_login(login)
if token && token.user == validation && token_has_scope?(token) if valid_personal_access_token?(token, validation)
Gitlab::Auth::Result.new(validation, nil, :personal_token, full_authentication_abilities) Gitlab::Auth::Result.new(validation, nil, :personal_token, full_authentication_abilities)
end end
end end
end end
def valid_oauth_token?(token)
token && token.accessible? && token_has_scope?(token)
end
def valid_personal_access_token?(token, user)
token && token.user == user && token_has_scope?(token)
end
def token_has_scope?(token) def token_has_scope?(token)
AccessTokenValidationService.sufficient_scope?(token, ['api']) AccessTokenValidationService.sufficient_scope?(token, ['api'])
end end
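Review bot: `valid_personal_access_token?` on the new side compares `token.user == user` without first checking that `user` is present, so if `User.by_login(login)` returns nil for an unknown login and the matched token's `user` association is also nil (presumably impossible while the owning user row exists, but the predicate should not depend on that), `nil == nil` is true and a `Result` is built with a nil user. Guarding the argument keeps the check self-contained: `token && user && token.user == user && token_has_scope?(token)`. Both new predicates return `nil` rather than `false` when `token` is absent, which is fine for the `if` callers in this hunk but deserves a one-line comment above each, e.g. `# Truthy only when the token exists, is usable and carries the 'api' scope.` The visibility of the two added methods is not visible in this hunk; they should sit under the same `private` marker as `token_has_scope?` if that method has one.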
......