
Return 401 status when fixed pre-authorizer gets 401 from gitlab-rails

Background

From gitlab-com/gl-infra/production#14484 (comment 1398664530).

When a user makes a multipart request, workhorse will pre-authorize it first by making a request to gitlab-rails (via the POST /api/:version/internal/workhorse/authorize_upload endpoint). That endpoint returns 401 when the user is not authorized. When workhorse gets that response, it currently returns and logs a 500 response.

Proposal

Handle 401 response from gitlab-rails when pre-authorizing using api.PreAuthorizeFixedPath() in upload.interceptMultipartFiles().

We could do the following:

  1. In api.PreAuthorizeFixedPath, we can return a custom error if failureResponse.StatusCode is a 401.
  2. In upload.interceptMultipartFiles, check if err is the custom error then call fail.Request with fail.WithStatus(http.StatusUnauthorized).

This would log the error just like before but will return 401 as status instead of a 500.

Edited by Patrick Bajao
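
The two steps proposed above, sketched as an added example that is not workhorse's code: the sentinel `ErrUnauthorized` and the functions `checkPreAuth`, `intercept` and `statusFor` are hypothetical stand-ins, and the upstream responses are constructed in memory. Keeping 500 for every other upstream failure is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
)

// ErrUnauthorized is a hypothetical sentinel; the page does not name the custom error.
var ErrUnauthorized = errors.New("pre-authorization: unauthorized")

// checkPreAuth stands in for step 1: it maps the upstream (gitlab-rails)
// response to an error, turning a 401 into the sentinel.
func checkPreAuth(resp *http.Response) error {
	switch resp.StatusCode {
	case http.StatusOK:
		return nil
	case http.StatusUnauthorized:
		return fmt.Errorf("%w: upstream status %d", ErrUnauthorized, resp.StatusCode)
	}
	return fmt.Errorf("pre-authorization failed: upstream status %d", resp.StatusCode)
}

// intercept stands in for step 2: it picks the client-facing status from the
// error and logs it either way. It returns false when the request was rejected.
func intercept(w http.ResponseWriter, upstream *http.Response) bool {
	err := checkPreAuth(upstream)
	if err == nil {
		return true // the multipart upload would proceed from here
	}
	err = fmt.Errorf("intercept multipart files: %w", err) // errors.Is still matches through wrapping
	status := http.StatusInternalServerError               // assumption: other failures stay 500
	if errors.Is(err, ErrUnauthorized) {
		status = http.StatusUnauthorized
	}
	log.Printf("upload rejected: status=%d error=%v", status, err)
	http.Error(w, http.StatusText(status), status)
	return false
}

// statusFor returns the status a client sees for a constructed upstream status.
func statusFor(upstreamStatus int) int {
	rec := httptest.NewRecorder()
	intercept(rec, &http.Response{StatusCode: upstreamStatus})
	return rec.Code
}

func main() { fmt.Println(statusFor(200), statusFor(401), statusFor(403), statusFor(500)) }
```

Wrapping with `%w` and matching with `errors.Is` keeps the 401 recognisable even when intermediate layers add context to the error before it reaches the handler.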