Commit a7e2f96b authored by Stan Hu

Fix logins via OAuth2 getting logged out in an hour

Users without GitLab 2FA enabled would be logged out after an hour
due to a regression in https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/20700.

The OAuth2 controller sets the current_user after the controller is finished, so
we should only limit session times after this has been done.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/50210
parent a3c2b39d
...@@ -11,7 +11,6 @@ class ApplicationController < ActionController::Base ...@@ -11,7 +11,6 @@ class ApplicationController < ActionController::Base
include EnforcesTwoFactorAuthentication include EnforcesTwoFactorAuthentication
include WithPerformanceBar include WithPerformanceBar
before_action :limit_unauthenticated_session_times
before_action :authenticate_sessionless_user! before_action :authenticate_sessionless_user!
before_action :authenticate_user! before_action :authenticate_user!
before_action :enforce_terms!, if: :should_enforce_terms? before_action :enforce_terms!, if: :should_enforce_terms?
...@@ -27,6 +26,7 @@ class ApplicationController < ActionController::Base ...@@ -27,6 +26,7 @@ class ApplicationController < ActionController::Base
around_action :set_locale around_action :set_locale
after_action :set_page_title_header, if: :json_request? after_action :set_page_title_header, if: :json_request?
after_action :limit_unauthenticated_session_times
protect_from_forgery with: :exception, prepend: true protect_from_forgery with: :exception, prepend: true
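Review bot: Moving `limit_unauthenticated_session_times` to an `after_action` (second hunk) means it no longer runs on requests whose filter chain is halted, because Rails skips the after callbacks once a before_action renders or redirects; an anonymous request that `authenticate_user!` turns away therefore keeps whatever session lifetime it had, where the old `before_action` would have applied the limit first. If I read the commit message right this ordering is intentional for the OAuth2 flow, but the reason lives only in the message, so the new line deserves a comment such as `# after_action, not before_action: OAuth2 callbacks set current_user inside the action` so the next person does not move it back. Whether the halted-chain case needs its own handling depends on what `limit_unauthenticated_session_times` does, and its definition is outside the hunk.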
...@@ -162,6 +162,10 @@ describe ApplicationController do ...@@ -162,6 +162,10 @@ describe ApplicationController do
describe 'session expiration' do describe 'session expiration' do
controller(described_class) do controller(described_class) do
# The anonymous controller will report 401 and fail to run any actions.
# Normally, GitLab will just redirect you to sign in.
skip_before_action :authenticate_user!, only: :index
def index def index
render text: 'authenticated' render text: 'authenticated'
end end
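Review bot: The new comment at the top of the anonymous controller describes the symptom (a 401 and no action run) but not why skipping `authenticate_user!` matters for this spec: with the session limit now applied in an `after_action`, a halted filter chain never reaches it, so the action has to run for the test to exercise anything. I would say that directly, e.g. `# Skip authentication so the action runs; the session limit is applied in an after_action, which Rails skips when a before_action halts.` The rest of the describe block is outside the hunk, so I cannot tell whether a case where current_user is set during the action (the OAuth2 scenario in the commit message) is covered.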