Avoid namespace fetch from customersDot when trial creation triggered from GitLab
Summary
Currently, the /trials/new process is:
1. In GitLab, after selecting or creating a group, trigger a trial on CustomersDot.
2. On CustomersDot, ask GitLab (via API call) for some things about the namespace: 'id', 'name', 'path', 'kind', 'trial_ends_on'.
3. Create the trial on CustomersDot.
4. Respond to the initial POST from GitLab.
5. Update the namespace on GitLab with an admin token from CustomersDot in the background.
Sometimes we are seeing step #2 fail due to token expiration or other reasons.
Solution
We could likely send the info that CustomersDot needs in step #2 in the initial payload from GitLab in step #1 and forgo asking GitLab for it again.
This would eliminate the token error issues and also improve the process, as we would remove a network call whenever the information is already in the trial creation payload.
Detailed plan, from #403054 (comment 1342685135):

GitLab side:
- Before posting to trial generation, validate that the user has proper access to the namespace being sent.
- Send the namespace info that CustomersDot needs so it can skip the GET back to GitLab.

CustomersDot side:
- Validate that X-Admin-Email and X-Admin-Token are sent.
- Validate that the needed namespace info exists in the payload from GitLab.
- If all of the above is true, skip the GET back to GitLab for namespace info, as we:
  - Already have it.
  - Are confident it is coming from GitLab and that the user has proper permissions to apply a trial on that namespace.
- If namespace info isn't provided in the payload and/or admin creds aren't used, default to the current setup of using the GET.
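The two-sided check in the plan above, as an added Ruby example (both GitLab and CustomersDot are Rails applications) that is not code from either project: the GitLab-side helper refuses to build the request unless the user is an owner of the namespace, and the CustomersDot-side helper only trusts the payload's namespace fields when the admin headers verify and every required field is present; otherwise it reports that the existing GET fallback should be used. The header names and the five namespace fields come from the issue; the function names, the owners lookup, the credential values, the constant-time comparison, and allowing a null trial_ends_on are assumptions.

```ruby
require 'json'

# Namespace attributes CustomersDot fetches back from GitLab today (from the issue).
REQUIRED_NAMESPACE_KEYS = %w[id name path kind trial_ends_on].freeze

# Constructed stand-ins for the admin credentials shared by GitLab and
# CustomersDot; real values would come from each application's secrets config.
ADMIN_EMAIL = 'admin@example.com'
ADMIN_TOKEN = 'constructed-admin-token-not-a-real-secret'

# Constant-time string comparison so a wrong token is not distinguishable
# from a nearly-right one by response timing. Length is compared early,
# which is the usual trade-off for fixed-length shared secrets.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# --- GitLab side (hypothetical helper) ---------------------------------
# Build the headers and JSON body for the trial-creation POST, but only after
# confirming the user may apply a trial to this namespace. `owners_by_namespace`
# is a constructed stand-in for GitLab's real permission check.
def build_trial_request(user:, namespace:, owners_by_namespace:)
  unless Array(owners_by_namespace[namespace[:id]]).include?(user)
    raise ArgumentError, "#{user} may not apply a trial to namespace #{namespace[:id]}"
  end

  headers = { 'X-Admin-Email' => ADMIN_EMAIL, 'X-Admin-Token' => ADMIN_TOKEN }
  body = { 'namespace' => REQUIRED_NAMESPACE_KEYS.to_h { |k| [k, namespace[k.to_sym]] } }
  [headers, JSON.generate(body)]
end

# --- CustomersDot side (hypothetical helper) ---------------------------
# Decide where the namespace data for trial creation comes from.
# Returns [:payload, namespace_hash] when the admin credentials verify and the
# payload carries every required field, or [:fetch, nil] to signal that the
# caller should fall back to today's GET back to GitLab.
def namespace_source(headers, raw_body)
  admin_ok = secure_equal?(headers['X-Admin-Email'], ADMIN_EMAIL) &&
             secure_equal?(headers['X-Admin-Token'], ADMIN_TOKEN)
  return [:fetch, nil] unless admin_ok

  parsed = begin
    JSON.parse(raw_body)
  rescue JSON::ParserError, TypeError
    nil
  end
  ns = parsed.is_a?(Hash) ? parsed['namespace'] : nil
  return [:fetch, nil] unless ns.is_a?(Hash)

  # Every field must be present. trial_ends_on is assumed to be allowed to be
  # null, because the trial does not exist yet when this request is made.
  return [:fetch, nil] unless REQUIRED_NAMESPACE_KEYS.all? { |k| ns.key?(k) }
  blank = (REQUIRED_NAMESPACE_KEYS - ['trial_ends_on']).any? do |k|
    ns[k].nil? || ns[k].to_s.strip.empty?
  end
  return [:fetch, nil] if blank

  [:payload, ns.slice(*REQUIRED_NAMESPACE_KEYS)]
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: alice owns namespace 42 and requests a trial for it.
  sample_ns = { id: 42, name: 'Acme', path: 'acme', kind: 'group', trial_ends_on: nil }
  hdrs, body = build_trial_request(user: 'alice', namespace: sample_ns,
                                   owners_by_namespace: { 42 => ['alice'] })
  puts namespace_source(hdrs, body).inspect
  puts namespace_source(hdrs.merge('X-Admin-Token' => 'wrong'), body).inspect
end
```

Note that the GitLab-side access check is what carries the security weight: CustomersDot cannot tell from the payload alone whether the requesting user owns the namespace, so it trusts the fields only because the admin credentials prove the request was assembled by GitLab after that check.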
Concerns
Does removing this GET from GitLab in step #2 remove any layer of security that it is implicitly providing? i.e. could someone POST namespace info for a namespace they don't own and apply a trial to it? If so, is that different from how it is today? - resolved, see #403054 (comment 1333629325)