Fix OAuth API and RSS rate limiting

43a682cc · Michael Kozono · Francisco Lopez · d8703071 · 43a682cc · 43a682cc
Commit 43a682cc authored Oct 13, 2017 by Michael Kozono Committed by Francisco Lopez Nov 17, 2017
5 changed files
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -125,7 +125,7 @@ class ApplicationController < ActionController::Base
  # This filter handles private tokens, personal access tokens, and atom
  # requests with rss tokens
  def authenticate_sessionless_user!
-    user = Gitlab::Auth.find_sessionless_user(request)
+    user = Gitlab::Auth::RequestAuthenticator.new(request).find_sessionless_user

    sessionless_sign_in(user) if user
 >>>>>>> Add request throttles

--- a/config/initializers/rack_attack_global.rb
+++ b/config/initializers/rack_attack_global.rb
@@ -45,7 +45,7 @@ class Rack::Attack
    end

    def authenticated_user_id
-      session_user_id || sessionless_user_id
+      Gitlab::Auth::RequestAuthenticator.new(self).user&.id
    end

    def api_request?
@@ -55,15 +55,5 @@ class Rack::Attack
    def web_request?
      !api_request?
    end
-
-    private
-
-    def session_user_id
-      Gitlab::Auth.find_session_user(self)&.id
-    end
-
-    def sessionless_user_id
-      Gitlab::Auth.find_sessionless_user(self)&.id
-    end
  end
 end
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -82,36 +82,6 @@ module Gitlab
        end
      end

-      # request may be Rack::Attack::Request which is just a Rack::Request, so
-      # we cannot use ActionDispatch::Request methods.
-      def find_user_by_private_token(request)
-        token = request.params['private_token'].presence || request.env['HTTP_PRIVATE_TOKEN'].presence
-
-        return unless token.present?
-
-        User.find_by_authentication_token(token) || User.find_by_personal_access_token(token)
-      end
-
-      # request may be Rack::Attack::Request which is just a Rack::Request, so
-      # we cannot use ActionDispatch::Request methods.
-      def find_user_by_rss_token(request)
-        return unless request.params['format'] == 'atom'
-
-        token = request.params['rss_token'].presence
-
-        return unless token.present?
-
-        User.find_by_rss_token(token)
-      end
-
-      def find_session_user(request)
-        request.env['warden']&.authenticate
-      end
-
-      def find_sessionless_user(request)
-        find_user_by_private_token(request) || find_user_by_rss_token(request)
-      end
-
      private

      def service_request_check(login, password, project)

--- a/lib/gitlab/auth/request_authenticator.rb
+++ b/lib/gitlab/auth/request_authenticator.rb
+# Use for authentication only, in particular for Rack::Attack.
+# Does not perform authorization of scopes, etc.
+module Gitlab
+  module Auth
+    class RequestAuthenticator
+      def initialize(request)
+        @request = request
+      end
+
+      def user
+        find_sessionless_user || find_session_user
+      end
+
+      def find_sessionless_user
+        find_user_by_private_token || find_user_by_rss_token || find_user_by_oauth_token
+      end
+
+      private
+
+      def find_session_user
+        @request.env['warden']&.authenticate if verified_request?
+      end
+
+      # request may be Rack::Attack::Request which is just a Rack::Request, so
+      # we cannot use ActionDispatch::Request methods.
+      def find_user_by_private_token
+        token = @request.params['private_token'].presence || @request.env['HTTP_PRIVATE_TOKEN'].presence
+        return unless token.present?
+
+        User.find_by_authentication_token(token) || User.find_by_personal_access_token(token)
+      end
+
+      # request may be Rack::Attack::Request which is just a Rack::Request, so
+      # we cannot use ActionDispatch::Request methods.
+      def find_user_by_rss_token
+        return unless @request.path.ends_with?('atom') || @request.env['HTTP_ACCEPT'] == 'application/atom+xml'
+
+        token = @request.params['rss_token'].presence
+        return unless token.present?
+
+        User.find_by_rss_token(token)
+      end
+
+      def find_user_by_oauth_token
+        access_token = find_oauth_access_token
+        access_token&.user
+      end
+
+      def find_oauth_access_token
+        token = Doorkeeper::OAuth::Token.from_request(doorkeeper_request, *Doorkeeper.configuration.access_token_methods)
+        OauthAccessToken.by_token(token) if token
+      end
+
+      def doorkeeper_request
+        ActionDispatch::Request.new(@request.env)
+      end
+
+      # Check if the request is GET/HEAD, or if CSRF token is valid.
+      def verified_request?
+        Gitlab::RequestForgeryProtection.verified?(@request.env)
+      end
+    end
+  end
+end
--- a/spec/requests/rack_attack_spec.rb
+++ b/spec/requests/rack_attack_spec.rb