Merge branch '28978-fix-assets-redirect-to-login' into 'master'

Add archive as valid web access format See merge request gitlab-org/gitlab!64471

Merge branch '28978-fix-assets-redirect-to-login' into 'master'
Add archive as valid web access format See merge request gitlab-org/gitlab!64471
64779a74 · Shinya Maeda · 9643798a · b321324e · 64779a74 · 64779a74
Commit 64779a74 authored Jul 05, 2021 by Shinya Maeda
3 changed files
--- a/config/feature_flags/development/allow_archive_as_web_access_format.yml
+++ b/config/feature_flags/development/allow_archive_as_web_access_format.yml
+---
+name: allow_archive_as_web_access_format
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/64471
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/334944
+milestone: '14.1'
+type: development
+group: group::release
+default_enabled: false
--- a/lib/gitlab/auth/auth_finders.rb
+++ b/lib/gitlab/auth/auth_finders.rb
@@ -89,9 +89,11 @@ module Gitlab
        job.user
      end

-      # We only allow Private Access Tokens with `api` scope to be used by web
+      # We allow Private Access Tokens with `api` scope to be used by web
      # requests on RSS feeds or ICS files for backwards compatibility.
      # It is also used by GraphQL/API requests.
+      # And to allow accessing /archive programatically as it was a big pain point
+      # for users https://gitlab.com/gitlab-org/gitlab/-/issues/28978.
      def find_user_from_web_access_token(request_format, scopes: [:api])
        return unless access_token && valid_web_access_format?(request_format)

@@ -269,6 +271,8 @@ module Gitlab
          ics_request?
        when :api
          api_request?
+        when :archive
+          archive_request? if Feature.enabled?(:allow_archive_as_web_access_format, default_enabled: :yaml)
        end
      end


--- a/spec/lib/gitlab/auth/auth_finders_spec.rb
+++ b/spec/lib/gitlab/auth/auth_finders_spec.rb
@@ -460,7 +460,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
      expect { find_user_from_access_token }.to raise_error(Gitlab::Auth::UnauthorizedError)
    end

-    context 'no feed or API requests' do
+    context 'no feed, API or archive requests' do
      it 'returns nil if the request is not RSS' do
        expect(find_user_from_web_access_token(:rss)).to be_nil
      end
@@ -472,6 +472,10 @@ RSpec.describe Gitlab::Auth::AuthFinders do
      it 'returns nil if the request is not API' do
        expect(find_user_from_web_access_token(:api)).to be_nil
      end
+
+      it 'returns nil if the request is not ARCHIVE' do
+        expect(find_user_from_web_access_token(:archive)).to be_nil
+      end
    end

    it 'returns the user for RSS requests' do
@@ -486,6 +490,24 @@ RSpec.describe Gitlab::Auth::AuthFinders do
      expect(find_user_from_web_access_token(:ics)).to eq(user)
    end

+    it 'returns the user for ARCHIVE requests' do
+      set_header('SCRIPT_NAME', '/-/archive/main.zip')
+
+      expect(find_user_from_web_access_token(:archive)).to eq(user)
+    end
+
+    context 'when allow_archive_as_web_access_format feature flag is disabled' do
+      before do
+        stub_feature_flags(allow_archive_as_web_access_format: false)
+      end
+
+      it 'returns nil for ARCHIVE requests' do
+        set_header('SCRIPT_NAME', '/-/archive/main.zip')
+
+        expect(find_user_from_web_access_token(:archive)).to be_nil
+      end
+    end
+
    context 'for API requests' do
      it 'returns the user' do
        set_header('SCRIPT_NAME', '/api/endpoint')