Class: Gitlab::APIAuthentication::TokenResolver

Inherits:

Object

Object
Gitlab::APIAuthentication::TokenResolver

Includes:: ActiveModel::Validations

Defined in:: lib/gitlab/api_authentication/token_resolver.rb

Constant Summary collapse

UsernameAndPassword =

::Gitlab::APIAuthentication::TokenLocator::UsernameAndPassword

Instance Attribute Summary collapse

#token_type ⇒ Object readonly

Returns the value of attribute token_type.

Instance Method Summary collapse

#initialize(token_type) ⇒ TokenResolver constructor

A new instance of TokenResolver.
#resolve(raw) ⇒ Object

Existing behavior is known to be inconsistent across authentication methods with regards to whether to silently ignore present but invalid credentials or to raise an error/respond with 401.

Constructor Details

#initialize(token_type) ⇒ `TokenResolver`

Returns a new instance of TokenResolver.

# File 'lib/gitlab/api_authentication/token_resolver.rb', line 26

def initialize(token_type)
  @token_type = token_type
  validate!
end

Instance Attribute Details

#token_type ⇒ `Object` (readonly)

Returns the value of attribute token_type.



8
9
10

# File 'lib/gitlab/api_authentication/token_resolver.rb', line 8

def token_type
  @token_type
end

Instance Method Details

#resolve(raw) ⇒ `Object`

Existing behavior is known to be inconsistent across authentication methods with regards to whether to silently ignore present but invalid credentials or to raise an error/respond with 401.

If a token can be located from the provided credentials, but the token or credentials are in some way invalid, this implementation opts to raise an error.

For example, if the raw credentials include a username and password, and a token is resolved from the password, but the username does not match the token, an error will be raised.

See gitlab.com/gitlab-org/gitlab/-/issues/246569

# File 'lib/gitlab/api_authentication/token_resolver.rb', line 45

def resolve(raw)
  case @token_type
  when :personal_access_token
    resolve_personal_access_token raw

  when :job_token
    resolve_job_token raw

  when :deploy_token
    resolve_deploy_token raw

  when :personal_access_token_with_username
    resolve_personal_access_token_with_username raw

  when :job_token_with_username
    resolve_job_token_with_username raw

  when :deploy_token_with_username
    resolve_deploy_token_with_username raw

  when :personal_access_token_from_jwt
    resolve_personal_access_token_from_jwt raw

  when :deploy_token_from_jwt
    resolve_deploy_token_from_jwt raw

  when :job_token_from_jwt
    resolve_job_token_from_jwt raw
  end
end