Set shorter TTL for all unauthenticated requests
GitLab 11.2 limited the time-to-live (TTL) of unauthenticated sessions via https://gitlab.com/gitlab-org/gitlab/merge_requests/6586 using `before_action` in `ApplicationController`. However, this broke OAuth2 logins, which set the `current_user` **after** a login is successful, so we moved it to an `after_action` in https://gitlab.com/gitlab-org/gitlab-foss/merge_requests/21144. However, `after_action` isn't called if an exception is raised in the request cycle. Thus, in some situations, TTLs weren't always being set to a short value.

This commit adds the TTL limiting to the Devise Failure App, which is run anytime the user is redirected to the sign-in page.

Relates to https://gitlab.com/gitlab-com/gl-infra/infrastructure/issues/8247
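The control-flow gap the commit describes, as an added Ruby simulation that is not GitLab's or Devise's code: the TTL values, the `AuthRequired` error, the `FailureApp` class and the `run` method standing in for the Rails callback chain are all constructed assumptions.

```ruby
# Constructed Ruby stand-in for the request flow the commit describes (not
# GitLab or Devise code): before/after callbacks plus a Devise-style failure app.
DEFAULT_TTL = 7 * 24 * 3600 # assumed long default session TTL (seconds)
UNAUTH_TTL  = 2 * 3600      # assumed short TTL for unauthenticated sessions
class AuthRequired < StandardError; end

class Controller
  def initialize(session, current_user: nil)
    @session = session
    @current_user = current_user
  end

  # The after_action from MR 21144: shorten the TTL when nobody is signed in.
  def limit_session_ttl
    @session[:ttl] = UNAUTH_TTL if @current_user.nil?
  end

  # As in Rails, an exception in the action unwinds past the after_action.
  def run(action)
    @session[:ttl] = DEFAULT_TTL # session store applies the long default first
    public_send(action)
    limit_session_ttl            # after_action: only reached on success
    :ok
  end

  def public_page
    :rendered
  end

  def show_project
    raise AuthRequired, "sign in required" if @current_user.nil?
    :rendered
  end
end

# Devise-style failure app: runs whenever the user is redirected to sign-in,
# including after an exception that skipped the after_action.
class FailureApp
  def self.call(session)
    session[:ttl] = UNAUTH_TTL
    :redirect_to_sign_in
  end
end

# Dispatch one request; with_failure_app toggles the fix from this commit.
def handle_request(action, session, current_user: nil, with_failure_app: true)
  Controller.new(session, current_user: current_user).run(action)
rescue AuthRequired
  with_failure_app ? FailureApp.call(session) : :redirect_to_sign_in
end
```

With `with_failure_app: false` an unauthenticated request that raises leaves the long default TTL in place; with the failure app the redirect path shortens it regardless of how the action ended.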