Commit 38c0cbcc authored by Timothy Andrew's avatar Timothy Andrew

Refactor access token validation in `Gitlab::Auth`

- Based on @dbalexandre's review
- Extract token validity conditions into two separate methods, for
  personal access tokens and OAuth tokens.
parent 4c1858c1
......@@ -97,7 +97,7 @@ module Gitlab
def oauth_access_token_check(login, password)
if login == "oauth2" && password.present?
token = Doorkeeper::AccessToken.by_token(password)
if token && token.accessible? && token_has_scope?(token)
if valid_oauth_token?(token)
user = User.find_by(id: token.resource_owner_id)
Gitlab::Auth::Result.new(user, nil, :oauth, read_authentication_abilities)
end
......@@ -109,12 +109,20 @@ module Gitlab
token = PersonalAccessToken.active.find_by_token(password)
validation = User.by_login(login)
if token && token.user == validation && token_has_scope?(token)
if valid_personal_access_token?(token, validation)
Gitlab::Auth::Result.new(validation, nil, :personal_token, full_authentication_abilities)
end
end
end
def valid_oauth_token?(token)
token && token.accessible? && token_has_scope?(token)
end
def valid_personal_access_token?(token, user)
token && token.user == user && token_has_scope?(token)
end
def token_has_scope?(token)
AccessTokenValidationService.sufficient_scope?(token, ['api'])
end
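Review bot: `valid_personal_access_token?(token, user)` never checks that `user` itself is present, so when `User.by_login(login)` returns nil the only thing standing between the caller and a `Gitlab::Auth::Result` built with a nil user is `token.user` being non-nil; if an active token row can ever exist without an owner (I cannot tell from this hunk), `nil == nil` would satisfy the equality. A cheap guard makes the intent explicit: `token && user && token.user == user && token_has_scope?(token)`. The OAuth path has the mirror-image gap on the context line `User.find_by(id: token.resource_owner_id)`, which can return nil after `valid_oauth_token?` has already passed, though that line is unchanged by this commit. Both new predicates would also benefit from a one-line comment stating that the `'api'` scope is the minimum accepted here, since `token_has_scope?` hard-codes it. The enclosing module continues outside the hunk.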
......