Handle basic auth with PAT for Rack Attack
API routes that mimic external APIs (NuGet, our Go proxy, our Terraform API, and so on) often allow a personal access token to be passed in basic auth.
We weren't handling that case in Rack Attack, so those requests fell under the unauthenticated throttle even though they were authenticated.
The easiest way to test this locally is to enable only one unauthenticated request per minute:
Then do this:
# Before
$ curl -s -i --user "root:$GITLAB_API_TOKEN_LOCAL" http://localhost:3000/api/v4/projects/1/terraform/state/foo | head -n 1
HTTP/1.1 404 Not Found
$ curl -s -i --user "root:$GITLAB_API_TOKEN_LOCAL" http://localhost:3000/api/v4/projects/1/terraform/state/foo | head -n 1
HTTP/1.1 429 Too Many Requests
# After
$ curl -s -i --user "root:$GITLAB_API_TOKEN_LOCAL" http://localhost:3000/api/v4/projects/1/terraform/state/foo | head -n 1
HTTP/1.1 404 Not Found
$ curl -s -i --user "root:$GITLAB_API_TOKEN_LOCAL" http://localhost:3000/api/v4/projects/1/terraform/state/foo | head -n 1
HTTP/1.1 404 Not Found
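To make the before/after behaviour concrete, here is an added Ruby example that is not part of this merge request or of GitLab's own Rack Attack configuration. It models a request classifier that looks for a PAT in the `PRIVATE-TOKEN` header, the `private_token` query parameter and, when `accept_basic_auth` is true, the password half of HTTP basic auth, then replays the two-request test above against a tiny in-memory fixed-window throttle. `KNOWN_TOKENS`, the token value, the throttle names and limits, and all function names are assumptions made for the example; the 404 is just the stand-in for "passed through to the application", as in the session above.

```ruby
require 'base64'
require 'uri'

# Constructed token store for this example: maps a PAT string to a user id.
# A real deployment would look this up in its database; the token value
# below is made up and is not a real credential.
KNOWN_TOKENS = { 'glpat-CONSTRUCTED-EXAMPLE-TOKEN' => 42 }.freeze

# Return the password half of an HTTP Basic Authorization header, or nil
# if the header is absent or malformed. Clients of NuGet/Go-proxy/Terraform
# style APIs put the PAT here; the username is not what identifies them.
def basic_auth_password(env)
  scheme, encoded = env['HTTP_AUTHORIZATION'].to_s.split(' ', 2)
  return nil unless scheme&.casecmp?('basic') && encoded

  _user, password = Base64.strict_decode64(encoded.strip).split(':', 2)
  password.nil? || password.empty? ? nil : password
rescue ArgumentError
  nil # header was not valid base64
end

# Collect the token from the places an API client may present it.
# accept_basic_auth: false reproduces the pre-fix behaviour, where only the
# PRIVATE-TOKEN header and the private_token query parameter were inspected.
def token_from_request(env, accept_basic_auth: true)
  return env['HTTP_PRIVATE_TOKEN'] if env['HTTP_PRIVATE_TOKEN']

  query = URI.decode_www_form(env['QUERY_STRING'].to_s).to_h
  return query['private_token'] if query['private_token']

  accept_basic_auth ? basic_auth_password(env) : nil
end

# Decide which throttle bucket a request belongs to. Authenticated requests
# are keyed by user id, unauthenticated ones by client IP, mirroring the
# usual shape of Rack Attack discriminators (throttle names are assumed).
def throttle_discriminator(env, accept_basic_auth: true)
  token = token_from_request(env, accept_basic_auth: accept_basic_auth)
  user_id = token && KNOWN_TOKENS[token]
  return [:throttle_authenticated_api, user_id] if user_id

  [:throttle_unauthenticated, env['REMOTE_ADDR']]
end

# Minimal in-memory fixed-window counter standing in for Rack Attack's
# cache-backed throttle: `limit` requests per `period` seconds per key.
class FixedWindowThrottle
  def initialize(limit:, period:)
    @limit = limit
    @period = period
    @counts = Hash.new(0)
  end

  def allowed?(key, now:)
    bucket = [key, now.to_i / @period]
    @counts[bucket] += 1
    @counts[bucket] <= @limit
  end
end

# Replay the local test: the unauthenticated throttle is set to 1 request per
# minute, the authenticated one is left generous. Two requests carrying the PAT
# in basic auth are sent; 429 means throttled, 404 stands for "passed through
# to the application" (which answered 404 for the missing state file).
def simulate(accept_basic_auth:)
  throttles = {
    throttle_unauthenticated: FixedWindowThrottle.new(limit: 1, period: 60),
    throttle_authenticated_api: FixedWindowThrottle.new(limit: 1000, period: 60)
  }
  env = {
    'PATH_INFO' => '/api/v4/projects/1/terraform/state/foo',
    'REMOTE_ADDR' => '127.0.0.1',
    'HTTP_AUTHORIZATION' => "Basic #{Base64.strict_encode64('root:glpat-CONSTRUCTED-EXAMPLE-TOKEN')}"
  }
  now = Time.at(1_700_000_000) # fixed clock keeps both requests in one window

  Array.new(2) do
    name, key = throttle_discriminator(env, accept_basic_auth: accept_basic_auth)
    throttles[name].allowed?(key, now: now) ? 404 : 429
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "before: #{simulate(accept_basic_auth: false).inspect}" # [404, 429]
  puts "after:  #{simulate(accept_basic_auth: true).inspect}"  # [404, 404]
end
```

The point of keying the authenticated bucket by user id rather than by IP is that a valid PAT, however it is presented, should be counted against that user's quota; a malformed or unknown basic-auth credential still lands in the unauthenticated bucket, so the change does not loosen the limit for anyone who is not actually authenticated.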