Return 401 token invalid form graphql
What does this MR do and why?
Return 401 token invalid form graphql
We did not previously differentiate between no auth provided vs invalid auth. This introduces a check if some form of authentication token is present but not recognised.
Screenshots or screen recordings
# No auth:
lee@Lees-MacBook-Pro gitlab % curl http://gdk.test:3000/api/graphql \
--header 'Content-Type: application/json' \
--data '{ "query": "query { currentUser { username } }" }' -v
* Trying 127.0.0.1:3000...
* Connected to gdk.test (127.0.0.1) port 3000 (#0)
> POST /api/graphql HTTP/1.1
> Host: gdk.test:3000
> User-Agent: curl/8.1.2
> Accept: */*
> Content-Type: application/json
> Content-Length: 49
>
< HTTP/1.1 200 OK
< Cache-Control: max-age=0, private, must-revalidate
< Content-Length: 29
< Content-Security-Policy: base-uri 'self'; child-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html http://gdk.test:3000/rails/letter_opener/ http://gdk.test:3000/admin/ http://gdk.test:3000/assets/ http://gdk.test:3000/-/speedscope/index.html http://gdk.test:3000/-/sandbox/ https://customers.staging.gitlab.com http://gdk.test:3000/assets/ blob: data:; connect-src 'self' http://gdk.test:3808 ws://gdk.test:3808 ws://gdk.test:3000 http://127.0.0.1:9000/lfs-objects/; default-src 'self'; font-src 'self'; form-action 'self' https: http:; frame-ancestors 'self'; frame-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html http://gdk.test:3000/rails/letter_opener/ http://gdk.test:3000/admin/ http://gdk.test:3000/assets/ http://gdk.test:3000/-/speedscope/index.html http://gdk.test:3000/-/sandbox/ https://customers.staging.gitlab.com; img-src 'self' data: blob: http: https:; manifest-src 'self'; media-src 'self' data: blob: http: https:; object-src 'none'; script-src 'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com 'nonce-JQQzLZddbYYxHTiBLOx8ew=='; style-src 'self' 'unsafe-inline'; worker-src http://gdk.test:3000/assets/ blob: data:
< Content-Type: application/json; charset=utf-8
< Etag: W/"f3951f0268200a69d1aa45c61283e7f5"
< Permissions-Policy: interest-cohort=()
< Referrer-Policy: strict-origin-when-cross-origin
< Vary: Accept, Origin
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Gitlab-Meta: {"correlation_id":"01HAQ13VQ9BQSHYWAKDD64SBW2","version":"1"}
< X-Permitted-Cross-Domain-Policies: none
< X-Request-Id: 01HAQ13VQ9BQSHYWAKDD64SBW2
< X-Runtime: 0.154514
< X-Ua-Compatible: IE=edge
< X-Xss-Protection: 1; mode=block
< Date: Tue, 19 Sep 2023 15:32:05 GMT
<
* Connection #0 to host gdk.test left intact
{"data":{"currentUser":null}}%
# Valid auth:
lee@Lees-MacBook-Pro gitlab % curl http://gdk.test:3000/api/graphql \
--header 'Content-Type: application/json' \
--header "PRIVATE_TOKEN: glpat-2tJ7iuLd8B3QvFvKhTZf" \
--data '{ "query": "query { currentUser { username } }" }' -v
* Trying 127.0.0.1:3000...
* Connected to gdk.test (127.0.0.1) port 3000 (#0)
> POST /api/graphql HTTP/1.1
> Host: gdk.test:3000
> User-Agent: curl/8.1.2
> Accept: */*
> Content-Type: application/json
> PRIVATE_TOKEN: glpat-2tJ7iuLd8B3QvFvKhTZf
> Content-Length: 49
>
< HTTP/1.1 200 OK
< Cache-Control: max-age=0, private, must-revalidate
< Content-Length: 44
< Content-Security-Policy: base-uri 'self'; child-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html http://gdk.test:3000/rails/letter_opener/ http://gdk.test:3000/admin/ http://gdk.test:3000/assets/ http://gdk.test:3000/-/speedscope/index.html http://gdk.test:3000/-/sandbox/ https://customers.staging.gitlab.com http://gdk.test:3000/assets/ blob: data:; connect-src 'self' http://gdk.test:3808 ws://gdk.test:3808 ws://gdk.test:3000 http://127.0.0.1:9000/lfs-objects/; default-src 'self'; font-src 'self'; form-action 'self' https: http:; frame-ancestors 'self'; frame-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html http://gdk.test:3000/rails/letter_opener/ http://gdk.test:3000/admin/ http://gdk.test:3000/assets/ http://gdk.test:3000/-/speedscope/index.html http://gdk.test:3000/-/sandbox/ https://customers.staging.gitlab.com; img-src 'self' data: blob: http: https:; manifest-src 'self'; media-src 'self' data: blob: http: https:; object-src 'none'; script-src 'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com 'nonce-lzefVtLjCsBrGiTRJZH6qQ=='; style-src 'self' 'unsafe-inline'; worker-src http://gdk.test:3000/assets/ blob: data:
< Content-Type: application/json; charset=utf-8
< Etag: W/"57341db0704e500f374e4bf8d5302a47"
< Permissions-Policy: interest-cohort=()
< Referrer-Policy: strict-origin-when-cross-origin
< Vary: Accept, Origin
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Gitlab-Meta: {"correlation_id":"01HAQ17FNFS6JTV7DVJNQBCZYY","version":"1"}
< X-Permitted-Cross-Domain-Policies: none
< X-Request-Id: 01HAQ17FNFS6JTV7DVJNQBCZYY
< X-Runtime: 0.425283
< X-Ua-Compatible: IE=edge
< X-Xss-Protection: 1; mode=block
< Date: Tue, 19 Sep 2023 15:34:04 GMT
<
* Connection #0 to host gdk.test left intact
{"data":{"currentUser":{"username":"root"}}}%
# Invalid auth:
lee@Lees-MacBook-Pro gitlab % curl http://gdk.test:3000/api/graphql \
--header 'Content-Type: application/json' \
--header "PRIVATE-TOKEN: 1234" \
--data '{ "query": "query { currentUser { username } }" }' -v
* Trying 127.0.0.1:3000...
* Connected to gdk.test (127.0.0.1) port 3000 (#0)
> POST /api/graphql HTTP/1.1
> Host: gdk.test:3000
> User-Agent: curl/8.1.2
> Accept: */*
> Content-Type: application/json
> PRIVATE-TOKEN: 1234
> Content-Length: 49
>
< HTTP/1.1 401 Unauthorized
< Cache-Control: no-cache
< Content-Security-Policy: base-uri 'self'; child-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html http://gdk.test:3000/rails/letter_opener/ http://gdk.test:3000/admin/ http://gdk.test:3000/assets/ http://gdk.test:3000/-/speedscope/index.html http://gdk.test:3000/-/sandbox/ https://customers.staging.gitlab.com http://gdk.test:3000/assets/ blob: data:; connect-src 'self' http://gdk.test:3808 ws://gdk.test:3808 ws://gdk.test:3000 http://127.0.0.1:9000/lfs-objects/; default-src 'self'; font-src 'self'; form-action 'self' https: http:; frame-ancestors 'self'; frame-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html http://gdk.test:3000/rails/letter_opener/ http://gdk.test:3000/admin/ http://gdk.test:3000/assets/ http://gdk.test:3000/-/speedscope/index.html http://gdk.test:3000/-/sandbox/ https://customers.staging.gitlab.com; img-src 'self' data: blob: http: https:; manifest-src 'self'; media-src 'self' data: blob: http: https:; object-src 'none'; script-src 'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com 'nonce-/Paxx/eNWOJF2lR9xg01TA=='; style-src 'self' 'unsafe-inline'; worker-src http://gdk.test:3000/assets/ blob: data:
< Content-Type: application/json; charset=utf-8
< Permissions-Policy: interest-cohort=()
< Referrer-Policy: strict-origin-when-cross-origin
< Vary: Accept, Origin
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Gitlab-Custom-Error: 1
< X-Gitlab-Meta: {"correlation_id":"01HAQ15FHQ18P9N2MHP3W1RV3F","version":"1"}
< X-Permitted-Cross-Domain-Policies: none
< X-Request-Id: 01HAQ15FHQ18P9N2MHP3W1RV3F
< X-Runtime: 0.048306
< X-Ua-Compatible: IE=edge
< X-Xss-Protection: 1; mode=block
< Date: Tue, 19 Sep 2023 15:32:58 GMT
< Content-Length: 40
<
* Connection #0 to host gdk.test left intact
{"errors":[{"message":"Token invalid"}]}%
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Related to #270055 (closed)