Handle JWT::DecodeError in ConanToken instead of the API class

Update `find_personal_access_token_from_conan_jwt` finder to return nil and let `find_personal_access_token` to call `unauthorized!` if no access token is found.

Handle JWT::DecodeError in ConanToken instead of the API class
Update `find_personal_access_token_from_conan_jwt` finder to return nil and let `find_personal_access_token` to call `unauthorized!` if no access token is found.
a55d2e21 · Krasimir Angelov · 99c302f0 · a55d2e21 · a55d2e21 · a55d2e21
Commit a55d2e21 authored Aug 13, 2019 by Krasimir Angelov
Showing with 6 additions and 2 deletions

ee/lib/api/conan_packages.rb ee/lib/api/conan_packages.rb +1 -2

ee/lib/gitlab/conan_token.rb ee/lib/gitlab/conan_token.rb +1 -0

ee/spec/lib/gitlab/conan_token_spec.rb ee/spec/lib/gitlab/conan_token_spec.rb +4 -0

No files found.
--- a/ee/lib/api/conan_packages.rb
+++ b/ee/lib/api/conan_packages.rb
@@ -52,10 +52,9 @@ module API
        return unless jwt

        token = ::Gitlab::ConanToken.decode(jwt)
+        return unless token&.personal_access_token_id && token&.user_id

        PersonalAccessToken.find_by_id_and_user_id(token.personal_access_token_id, token.user_id)
-      rescue JWT::DecodeError
-        unauthorized!
      end

      def find_personal_access_token_from_conan_http_basic_auth

--- a/ee/lib/gitlab/conan_token.rb
+++ b/ee/lib/gitlab/conan_token.rb
@@ -15,6 +15,7 @@ module Gitlab
        payload = JSONWebToken::HMACToken.decode(jwt, secret).first

        new(personal_access_token_id: payload['pat'], user_id: payload['u'])
+      rescue JWT::DecodeError
      end

      def secret

--- a/ee/spec/lib/gitlab/conan_token_spec.rb
+++ b/ee/spec/lib/gitlab/conan_token_spec.rb
@@ -44,6 +44,10 @@ describe Gitlab::ConanToken do
      expect(token.personal_access_token_id).to eq(123)
      expect(token.user_id).to eq(456)
    end
+
+    it 'returns nil for invalid JWT' do
+      expect(described_class.decode('invalid-jwt')).to be_nil
+    end
  end

  describe '#to_jwt' do