Commit 675fe4fe authored by Nick Thomas's avatar Nick Thomas

Avoid Devise "401 Unauthorized" responses

Instead, in GitLab, we want to redirect to the sign-in page. This
happens for most requests, but when Devise can't work out the request
format, or for certain other kinds of request, it will send a very poor
401 Unauthorized instead.

This is acceptable in certain cases (XHR or git clone requests, say),
but should not happen for user-visible requests - they should be
redirected to sign in, instead.
parent 94c2b462
---
title: Avoid Devise "401 Unauthorized" responses
merge_request: 16519
author:
type: fixed
......@@ -214,11 +214,9 @@ Devise.setup do |config|
# If you want to use other strategies, that are not supported by Devise, or
# change the failure app, you can configure them inside the config.warden block.
#
# config.warden do |manager|
# manager.failure_app = Gitlab::DeviseFailure
# manager.intercept_401 = false
# manager.default_strategies(scope: :user).unshift :some_external_strategy
# end
config.warden do |manager|
manager.failure_app = Gitlab::DeviseFailure
end
if Gitlab::Auth::LDAP::Config.enabled?
Gitlab::Auth::LDAP::Config.providers.each do |provider|
......
# frozen_string_literal: true
module Gitlab
class DeviseFailure < Devise::FailureApp
# If the request format is not known, send a redirect instead of a 401
# response, since this is the outcome we're most likely to want
def http_auth?
request_format && super
end
end
end
......@@ -171,16 +171,30 @@ describe ApplicationController do
end
describe '#route_not_found' do
controller(described_class) do
def index
route_not_found
end
end
it 'renders 404 if authenticated' do
allow(controller).to receive(:current_user).and_return(user)
expect(controller).to receive(:not_found)
controller.send(:route_not_found)
sign_in(user)
get :index
expect(response).to have_gitlab_http_status(404)
end
it 'redirects to login page via authenticate_user! if not authenticated' do
get :index
expect(response).to redirect_to new_user_session_path
end
it 'does redirect to login page via authenticate_user! if not authenticated' do
allow(controller).to receive(:current_user).and_return(nil)
expect(controller).to receive(:authenticate_user!)
controller.send(:route_not_found)
it 'redirects if unauthenticated and request format is unknown' do
get :index, format: 'unknown'
expect(response).to redirect_to new_user_session_path
end
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment