Skip to content

Only allow documented token types for GraphQL authentication

Andrew Evans requested to merge 442520-graphql-minimal-auth into master

What does this MR do and why?

Only allow documented token types for GraphQL authentication

Currently, some token types besides those documented in the Token authentication section of the GraphQL docs can be used to authenticate a user for GraphQL. This MR ensures that only the documented token types are usable, once the associated feature flag is enabled.

Further context and discussion here (private link)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Before After
before_screenshot after_screenshot

How to set up and validate locally

  1. Set up a project locally with git lfs
  2. enable the feature on the Rails console: Feature.enable(:graphql_minimal_auth_methods)
  3. Get an LFS token via the ssh interface: ssh -p 2222 git@<LOCAL_HOSTNAME> git-lfs-authenticate <NAMESPACE>/<PROJECT_NAME>.git download
  4. Copy the token from the "header":{"Authorization":"Basic <COPY_THIS_TOKEN> section
  5. Make a GraphQL request to http(s)://<HOSTNAME>:<PORT>/api/graphql.git using the token in the Authorization: Basic <COPIED_TOKEN> header:
    curl -X "POST" "http://localhost:3000/api/graphql.git" -H 'Content-Type: application/json; charset=utf-8' -u 'USERNAME:COPIED_TOKEN' -d $'{"query": "query{currentUser{id username}}","variables": {}}'
  6. The request should no longer be authenticated; currentUser should return null and restricted resources should not be accessible.

Related to #442520

Edited by Andrew Evans

Merge request reports