
Handle basic auth with PAT for Rack Attack

Sean McGivern requested to merge basic-auth-rack-attack into master

API routes which mimic external APIs - things like NuGet, our Go proxy, and our Terraform API - often allow a personal access token to be passed in basic auth.

We weren't handling that case in Rack Attack, which meant those requests were being handled by the unauthenticated throttle even when they were authenticated.
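The case this change covers, as an added example that is not GitLab's code: a Rack Attack style discriminator that looks for a personal access token in the basic-auth password on the routes that mimic external APIs, and only falls through to the unauthenticated (per-IP) throttle when no valid token is present. The route list, the `KNOWN_PATS` lookup table and the throttle names are assumptions made up for the example.

```ruby
# Added example, not GitLab's implementation. Route prefixes (hypothetical) that
# mimic external APIs and accept a PAT as the basic-auth password.
PAT_BASIC_AUTH_ROUTES = [
  %r{\A/api/v4/projects/\d+/packages/nuget},
  %r{\A/api/v4/projects/\d+/packages/go},
  %r{\A/api/v4/projects/\d+/terraform/state}
].freeze

# Constructed token table standing in for the real PAT lookup: token => user id.
KNOWN_PATS = { 'pat_abc123' => 42 }.freeze

# Return the password half of an HTTP Basic credential, or nil if the header is
# absent, not Basic, or not a "user:password" pair.
def basic_auth_password(env)
  scheme, encoded = env['HTTP_AUTHORIZATION'].to_s.split(' ', 2)
  return nil unless scheme&.casecmp?('Basic') && encoded
  decoded = encoded.unpack1('m') # base64 decode
  return nil unless decoded.include?(':')
  decoded.split(':', 2).last # curl --user "root:$TOKEN" puts the PAT here
end

# User id authenticated by a PAT in basic auth on one of the routes above,
# or nil when the request must be treated as unauthenticated.
def user_id_from_basic_auth_pat(env)
  return nil unless PAT_BASIC_AUTH_ROUTES.any? { |r| env['PATH_INFO'].to_s.match?(r) }
  KNOWN_PATS[basic_auth_password(env)]
end

# Throttle selection in the Rack Attack style: the authenticated throttle keys on
# the user id, the unauthenticated one on the client IP. Returns [name, key].
def throttle_for(env)
  if (uid = user_id_from_basic_auth_pat(env))
    ['throttle_authenticated_api', "user:#{uid}"]
  else
    ['throttle_unauthenticated', "ip:#{env['REMOTE_ADDR']}"]
  end
end

# Build a constructed Rack env for a sample request (no real traffic involved).
def sample_env(path, user: nil, token: nil, ip: '10.0.0.5')
  env = { 'PATH_INFO' => path, 'REMOTE_ADDR' => ip }
  env['HTTP_AUTHORIZATION'] = "Basic #{["#{user}:#{token}"].pack('m0')}" if token
  env
end
```

A request with a wrong or missing token, a non-Basic scheme, or a path outside the listed routes lands on the per-IP unauthenticated throttle, which is the behaviour a mis-keyed PAT should get.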

The easiest way to test this locally is to enable only one unauthenticated request per minute:

[screenshot]

Then do this:

```shell
# Before
$ curl -s -i --user "root:$GITLAB_API_TOKEN_LOCAL" http://localhost:3000/api/v4/projects/1/terraform/state/foo | head -n 1
HTTP/1.1 404 Not Found
$ curl -s -i --user "root:$GITLAB_API_TOKEN_LOCAL" http://localhost:3000/api/v4/projects/1/terraform/state/foo | head -n 1
HTTP/1.1 429 Too Many Requests
# After
$ curl -s -i --user "root:$GITLAB_API_TOKEN_LOCAL" http://localhost:3000/api/v4/projects/1/terraform/state/foo | head -n 1
HTTP/1.1 404 Not Found
$ curl -s -i --user "root:$GITLAB_API_TOKEN_LOCAL" http://localhost:3000/api/v4/projects/1/terraform/state/foo | head -n 1
HTTP/1.1 404 Not Found
```

For gitlab-com/gl-infra/scalability#695 (closed).
