Skip to content

Implement authentication for Conan Packages API

Krasimir Angelov requested to merge 12568-conan-api-auth into master

What does this MR do?

This MR adds new Conan API endpoint /users/authenticate that when valid personal access tokens is provided (as password for HTTP Basic Auth) will respond with signed JWT that has the access token id in its payload.

For subsequent requests the JWT will be provided by the Conan client as bearer in the HTTP_AUTHORIZATION header, we'll fetch the access token by id from the DB, set it as current token and call the existing authenticate! method. See https://gitlab.com/gitlab-org/gitlab-ee/issues/12568#note_196431425 for more details around that.

Does this MR meet the acceptance criteria?

Conformity

Performance and testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team

Related to #12568 (closed)

Edited by 🤖 GitLab Bot 🤖

Merge request reports

Loading