Add archive as valid web access format

Fixes https://gitlab.com/gitlab-org/gitlab/-/issues/28978 Changelog: fixed Add unit tests Update note on find_user_from_web_access_token

Add archive as valid web access format
Fixes https://gitlab.com/gitlab-org/gitlab/-/issues/28978 Changelog: fixed Add unit tests Update note on find_user_from_web_access_token
31fd5496 · Jaime Martinez · 4ea7a86e · 31fd5496 · 31fd5496
Commit 31fd5496 authored Jun 21, 2021 by Jaime Martinez
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 2 deletions

lib/gitlab/auth/auth_finders.rb lib/gitlab/auth/auth_finders.rb +5 -1

spec/lib/gitlab/auth/auth_finders_spec.rb spec/lib/gitlab/auth/auth_finders_spec.rb +11 -1

No files found.
--- a/lib/gitlab/auth/auth_finders.rb
+++ b/lib/gitlab/auth/auth_finders.rb
@@ -89,9 +89,11 @@ module Gitlab
        job.user
      end
-      # We only allow Private Access Tokens with `api` scope to be used by web
+      # We allow Private Access Tokens with `api` scope to be used by web
      # requests on RSS feeds or ICS files for backwards compatibility.
      # It is also used by GraphQL/API requests.
+      # And to allow accessing /archive programatically as it was a big pain point
+      # for users https://gitlab.com/gitlab-org/gitlab/-/issues/28978.
      def find_user_from_web_access_token(request_format, scopes: [:api])
        return unless access_token && valid_web_access_format?(request_format)
@@ -269,6 +271,8 @@ module Gitlab
          ics_request?
        when :api
          api_request?
+        when :archive
+          archive_request?
        end
      end

--- a/spec/lib/gitlab/auth/auth_finders_spec.rb
+++ b/spec/lib/gitlab/auth/auth_finders_spec.rb
@@ -460,7 +460,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
      expect { find_user_from_access_token }.to raise_error(Gitlab::Auth::UnauthorizedError)
    end
-    context 'no feed or API requests' do
+    context 'no feed, API or archive requests' do
      it 'returns nil if the request is not RSS' do
        expect(find_user_from_web_access_token(:rss)).to be_nil
      end
@@ -472,6 +472,10 @@ RSpec.describe Gitlab::Auth::AuthFinders do
      it 'returns nil if the request is not API' do
        expect(find_user_from_web_access_token(:api)).to be_nil
      end
+      it 'returns nil if the request is not ARCHIVE' do
+        expect(find_user_from_web_access_token(:archive)).to be_nil
+      end
    end
    it 'returns the user for RSS requests' do
@@ -486,6 +490,12 @@ RSpec.describe Gitlab::Auth::AuthFinders do
      expect(find_user_from_web_access_token(:ics)).to eq(user)
    end
+    it 'returns the user for ARCHIVE requests' do
+      set_header('SCRIPT_NAME', '/-/archive/main.zip')
+      expect(find_user_from_web_access_token(:archive)).to eq(user)
+    end
    context 'for API requests' do
      it 'returns the user' do
        set_header('SCRIPT_NAME', '/api/endpoint')