Shorten session TTL of anonymous blob access
What does this MR do and why?
GitLab 11.2 limited the time-to-live (TTL) of unauthenticated sessions via !6586 (merged) using before_action in ApplicationController. However, this broke OAuth2 logins, which set the current_user after a login is successful, so we moved it to an after_action in gitlab-foss!21144 (merged).

However, anonymous users attempting to access a private or internal project would be redirected to the sign-in page with a long session time. This happened because ApplicationController#route_not_found would be called by find_routable! when a user did not have access to the project.

To fix this, we bring back the before_action and add a check in after_action to bump up the session time if there is a user.
Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/340967
Screenshots or screen recordings
These are strongly recommended to assist reviewers and reduce the time to merge your change.
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
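The callback ordering the description relies on, as an added example that is not GitLab's code: a Rails-free stand-in for the controller callback chain (before callbacks run superclass-first; a redirect in any of them skips the action and every after callback, which is what AbstractController::Callbacks does). The TTL values, the class and method names (limit_session_ttl, extend_session_ttl_for_user, the *ProjectsController and *OauthController classes) and the private-project fixture are assumptions made for the illustration, not GitLab's identifiers or configuration.

```ruby
# Added example, not GitLab's code: a minimal model of the Rails callback
# chain showing why the session TTL must be capped in a before_action and
# only extended in an after_action.

# Hypothetical TTLs; the MR description gives no real values.
UNAUTHENTICATED_SESSION_TTL = 2 * 60 * 60        # 2 hours
AUTHENTICATED_SESSION_TTL   = 7 * 24 * 60 * 60   # 7 days

# Stand-in for AbstractController::Callbacks: before callbacks run in
# declaration order (ancestors first); if one renders or redirects, the
# action and all remaining callbacks, after_actions included, are skipped.
class MiniController
  def self.before_actions; @before_actions ||= []; end
  def self.after_actions;  @after_actions  ||= []; end
  def self.before_action(name); before_actions << name; end
  def self.after_action(name);  after_actions  << name; end

  def self.callback_chain(kind)
    ancestors.select { |a| a.is_a?(Class) && a <= MiniController }
             .reverse.flat_map { |k| k.public_send(kind) }
  end

  attr_reader :session, :current_user

  def initialize(session, current_user)
    @session = session          # Hash standing in for the Rack session
    @current_user = current_user
    @response = nil
  end

  def performed?; !@response.nil?; end
  def redirect_to(path); @response = [:redirect, path]; end
  def render(body);      @response = [:ok, body];       end

  def process(action)
    self.class.callback_chain(:before_actions).each do |cb|
      send(cb)
      return @response if performed?   # halted: no action, no after_actions
    end
    send(action)
    self.class.callback_chain(:after_actions).each { |cb| send(cb) }
    @response
  end

  private

  # Shape of ApplicationController#route_not_found as the description
  # relies on it: anonymous visitors are redirected to the sign-in page.
  def route_not_found
    current_user ? render('404') : redirect_to('/users/sign_in')
  end

  def limit_session_ttl
    session[:expire_after] = UNAUTHENTICATED_SESSION_TTL
  end

  def extend_session_ttl_for_user
    session[:expire_after] = AUTHENTICATED_SESSION_TTL if current_user
  end
end

# Variant 1 (the after_action-only shape): TTL decided only after the action.
class AfterOnlyAppController < MiniController
  after_action :set_session_ttl_from_user
  private
  def set_session_ttl_from_user
    session[:expire_after] = current_user ? AUTHENTICATED_SESSION_TTL : UNAUTHENTICATED_SESSION_TTL
  end
end

# Variant 2 (this MR's shape): cap the TTL up front, extend it for a user afterwards.
class FixedAppController < MiniController
  before_action :limit_session_ttl
  after_action  :extend_session_ttl_for_user
end

# find_routable! declared on the project controller, so it runs after the
# ApplicationController callbacks and halts the chain for outsiders.
module ProjectRouting
  def self.included(base); base.before_action(:find_routable!); end
  def show; render("project #{@project[:name]}"); end
  private
  def find_routable!
    @project = { name: 'secret', private: true }   # constructed fixture
    route_not_found if @project[:private] && current_user.nil?
  end
end

class AfterOnlyProjectsController < AfterOnlyAppController; include ProjectRouting; end
class FixedProjectsController     < FixedAppController;     include ProjectRouting; end

# OAuth callback shape: current_user only exists once the action has signed
# the user in, so a before_action alone would leave the user with a short TTL.
class FixedOauthController < FixedAppController
  def callback
    @current_user = { name: 'alice' }   # sign-in happens inside the action
    render('signed in')
  end
end

# TTL an anonymous visitor is left with after requesting a private project.
def anonymous_ttl_after_private_project(controller_class)
  session = { expire_after: AUTHENTICATED_SESSION_TTL }   # default long TTL
  controller_class.new(session, nil).process(:show)
  session[:expire_after]
end

def oauth_ttl_after_login
  session = {}
  FixedOauthController.new(session, nil).process(:callback)
  session[:expire_after]
end
```

With the after_action-only variant, the redirect raised from find_routable! halts the chain before any after callback runs, so the anonymous visitor keeps the long TTL; with the before_action in place the cap is already applied when the redirect happens, and the OAuth login still ends with the long TTL because the after_action sees the freshly set current_user.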