Moved 2FA check to `auth.rb` and cleaned up the flow `authenticate_user`

5f5d8a8e · Patricio Cano · f971026a · 5f5d8a8e · 5f5d8a8e
Commit 5f5d8a8e authored Aug 15, 2016 by Patricio Cano
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 10 deletions

app/controllers/projects/git_http_client_controller.rb app/controllers/projects/git_http_client_controller.rb +8 -8

lib/gitlab/auth.rb lib/gitlab/auth.rb +8 -2

No files found.
--- a/app/controllers/projects/git_http_client_controller.rb
+++ b/app/controllers/projects/git_http_client_controller.rb
@@ -27,9 +27,11 @@ class Projects::GitHttpClientController < Projects::ApplicationController
        @ci = true
      elsif auth_result.type == :oauth && !download_request?
        # Not allowed
+      elsif auth_result.type == :missing_personal_token
+        render_missing_personal_token
+        return # Render above denied access, nothing left to do
      else
        @user = auth_result.user
-        check_2fa(auth_result.type)
      end
      if ci? || user
@@ -92,13 +94,11 @@ class Projects::GitHttpClientController < Projects::ApplicationController
    [nil, nil]
  end
-  def check_2fa(auth_type)
+  def render_missing_personal_token
-    if user && user.two_factor_enabled? && auth_type == :gitlab_or_ldap
+    render plain: "HTTP Basic: Access denied\n"\
-      render plain: "HTTP Basic: Access denied\n"\
+                  "You have 2FA enabled, please use a personal access token for Git over HTTP.\n"\
-                      "You have 2FA enabled, please use a personal access token for Git over HTTP.\n"\
+                  "You can generate one at #{profile_personal_access_tokens_url}",
-                      "You can generate one at #{profile_personal_access_tokens_url}",
+           status: 401
-             status: 401
-    end
  end
  def repository

--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -11,14 +11,20 @@ module Gitlab
        if valid_ci_request?(login, password, project)
          result.type = :ci
        elsif result.user = find_with_user_password(login, password)
-          result.type = :gitlab_or_ldap
+          if result.user.two_factor_enabled?
+            result.user = nil
+            result.type = :missing_personal_token
+          else
+            result.type = :gitlab_or_ldap
+          end
        elsif result.user = oauth_access_token_check(login, password)
          result.type = :oauth
        elsif result.user = personal_access_token_check(login, password)
          result.type = :personal_token
        end
-        rate_limit!(ip, success: !!result.user || (result.type == :ci), login: login)
+        success = result.user.present? || [:ci, :missing_personal_token].include?(result.type)
+        rate_limit!(ip, success: success, login: login)
        result
      end