Skip to content

Refactor jwt_controller to rely on auth results in a different manner

What does this MR do?

in #328692 there were remarks regarding how we handle find_for_git_client method results. This method is returning Gitlab::Auth::Result instance.

In Gitlab::Auth::Result as an actor we can have DeployToken or User, which is causing confusion and may lead to some problems: https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/1356.

My goal here is to create more resilient and less confusing code.

Goal 1: stop using .actor with checking the type.

Here I implemented this change in JwtController and services that depend on it.

Screenshots or Screencasts (strongly suggested)

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team

Related to #328692

Edited by Gosia Ksionek

Merge request reports

Loading