Fix Rack Attack incorrectly rate limiting runner API
To update a job status, the runner uses the PUT /api/v4/:jobs endpoint with the job token in two places:

1. The PRIVATE-TOKEN header
2. The `token` parameter in the JSON body

Previously `AuthFinders` looked up the PAT and raised an unauthorized exception because no user was found. Instead, it should continue to see if it can authenticate the job with the `token` parameter.

This commit makes `access_token` return blank if it has the CI build token prefix so that the exception is not raised. That way Rack Attack can then ensure the request is authenticated with the job token.

Changelog: fixed
Parent: 212741ae
- lib/gitlab/auth/auth_finders.rb: 5 additions, 0 deletions
- spec/lib/gitlab/auth/auth_finders_spec.rb: 8 additions, 0 deletions
- spec/support/helpers/http_basic_auth_helpers.rb: 4 additions, 0 deletions
- spec/support/shared_examples/requests/api/npm_packages_shared_examples.rb: 1 addition, 1 deletion
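The lookup order the commit message describes, as an added Ruby model that is not GitLab's `AuthFinders` code. Every name, the token prefix and the sample tokens are constructed for illustration, and it assumes a request whose token lookup raises is throttled as unauthenticated.

```ruby
# Simplified model of the lookup order described in the commit message.
# All names are hypothetical; this is not GitLab's AuthFinders code.
class UnauthorizedError < StandardError; end

# Placeholder prefix and constructed sample tokens (not real values).
CI_BUILD_TOKEN_PREFIX = "example-cibt-"
PERSONAL_ACCESS_TOKENS = { "pat-alice-123" => "alice" }.freeze
JOB_TOKENS = { "example-cibt-job42" => "job 42" }.freeze

Request = Struct.new(:headers, :params)

# Returns the user for the PRIVATE-TOKEN header, nil when there is nothing
# to look up, and raises when a token was sent but matches no user.
def find_user_by_access_token(request, skip_ci_prefix:)
  token = request.headers["PRIVATE-TOKEN"].to_s
  return nil if token.empty?
  # The fix: a value carrying the CI build prefix is treated as "no PAT",
  # so the PAT lookup is skipped instead of raising.
  return nil if skip_ci_prefix && token.start_with?(CI_BUILD_TOKEN_PREFIX)

  PERSONAL_ACCESS_TOKENS.fetch(token) { raise UnauthorizedError }
end

# Job authentication through the `token` parameter of the JSON body.
def find_job_by_token(request)
  JOB_TOKENS[request.params["token"].to_s]
end

# What a throttle would see (assumption of this model): authenticated
# requests get authenticated limits, everything else counts as anonymous.
def classify(request, skip_ci_prefix:)
  user = find_user_by_access_token(request, skip_ci_prefix: skip_ci_prefix)
  return [:authenticated, user] if user

  job = find_job_by_token(request)
  job ? [:authenticated, job] : [:unauthenticated, nil]
rescue UnauthorizedError
  [:unauthenticated, nil]
end

# The runner sends the same job token in the header and in the body.
def runner_request(token)
  Request.new({ "PRIVATE-TOKEN" => token }, { "token" => token })
end
```

Skipping the PAT lookup does not authenticate anything by itself: a value that only carries the prefix still has to match a job token, otherwise the request stays unauthenticated.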