Class: Gitlab::Middleware::StaticAssetsAuthorization

Inherits:
Object
Defined in:
lib/gitlab/middleware/static_assets_authorization.rb


Constructor Details

#initialize(app) ⇒ StaticAssetsAuthorization

Returns a new instance of StaticAssetsAuthorization.



# File 'lib/gitlab/middleware/static_assets_authorization.rb', line 6

# Builds the middleware around the next Rack application in the chain.
#
# @param app [#call] the downstream Rack app; it is invoked with the Rack env
#   for every request this middleware does not answer itself
def initialize(app)
  @app = app
end

Instance Method Details

#call(env) ⇒ Object



# File 'lib/gitlab/middleware/static_assets_authorization.rb', line 10

def call(env)
  # Issues authorization headers for the static asset requests used by the
  # Web IDE.
  #
  # In production, static assets are served by GitLab Workhorse, which sends
  # an OPTIONS request to the Rails service so that the authorization headers
  # for the Web IDE VSCode assets can be generated dynamically. Those headers
  # stop third-party origins from loading the assets and, through them,
  # injecting arbitrary code into the Web IDE. The Workhorse side lives in
  # workhorse/internal/staticpages/servefile.go in this repository.
  request = ActionDispatch::Request.new(env)

  # Requests that are not static asset requests pass straight through.
  return @app.call(env) unless handles_request?(request)

  auth_headers = get_authorization_headers(request)

  # The OPTIONS probe only needs the headers, so it gets an empty 204 body.
  # NOTE(review): `request.method` is kept rather than `request_method` — in
  # ActionDispatch it reports the original HTTP verb, untouched by any Rack
  # method override, which is the intended comparison here.
  return [204, auth_headers, []] if request.method == 'OPTIONS'

  # Rails does not serve static assets in production; Workhorse only forwards
  # asset HTTP requests in the development environment (18.6):
  #
  # https://gitlab.com/gitlab-org/gitlab/-/blob/18-6-stable-ee/workhorse/internal/upstream/routes.go?ref_type=heads#L311
  #
  # Falling through covers dev and test, where GitLab font assets are served
  # by the Rails assets pipeline. Without this path, tests fail.
  status, upstream_headers, body = @app.call(env)

  # Upstream headers are merged on top of the authorization headers, so a
  # header present in both is taken from the upstream response.
  auth_headers.merge!(upstream_headers)

  [status, auth_headers, body]
end