Log a warning when JWT cannot be decoded in dependency proxy auth
What does this MR do and why?
Some users have experienced intermittent authentication failures when using the dependency proxy. A 401 might be returned if the JWT token can't be decoded for some reason. Previously we quietly discarded the token, but this commit adds a log message to track the frequency of this.
Relates to #332827
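As an added illustration of the pattern the description refers to (this is example code, not GitLab's dependency proxy code and not the diff of this MR), the block below pairs a minimal HS256 JWT decoder with two authenticators: one that silently swallows decode failures and returns nil (which the caller turns into a 401), and one that logs a warning with the failure reason before returning nil. The decoder, the `encode_hs256` helper used to build sample tokens, the secrets and the logger are all assumptions constructed for the example; a real deployment would use the project's JWT library and signing key.

```ruby
require 'base64'
require 'json'
require 'openssl'
require 'logger'

# Example-only error type: any malformed, unsupported or unverifiable token ends here.
class DecodeError < StandardError; end

def b64url_decode(segment)
  # JWT segments are unpadded base64url; add padding and decode strictly so garbage is rejected.
  padded = segment + ('=' * ((4 - segment.length % 4) % 4))
  Base64.urlsafe_decode64(padded)
rescue ArgumentError => e
  raise DecodeError, "invalid base64url segment: #{e.message}"
end

def b64url_encode(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Constant-time comparison so signature checking does not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Builds an HS256 token (constructed helper, used only to produce sample input).
def encode_hs256(payload, secret)
  header_b64 = b64url_encode(JSON.generate({ 'alg' => 'HS256', 'typ' => 'JWT' }))
  payload_b64 = b64url_encode(JSON.generate(payload))
  sig = OpenSSL::HMAC.digest('SHA256', secret, "#{header_b64}.#{payload_b64}")
  "#{header_b64}.#{payload_b64}.#{b64url_encode(sig)}"
end

# Verifies and decodes an HS256 token; raises DecodeError with a specific reason on failure.
def decode_hs256(token, secret)
  parts = token.to_s.split('.')
  raise DecodeError, 'token must have three segments' unless parts.length == 3

  header_b64, payload_b64, sig_b64 = parts
  header = JSON.parse(b64url_decode(header_b64))
  raise DecodeError, 'header is not a JSON object' unless header.is_a?(Hash)
  # Pin the algorithm: never let the token choose how it is verified.
  raise DecodeError, "unsupported alg #{header['alg'].inspect}" unless header['alg'] == 'HS256'

  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header_b64}.#{payload_b64}")
  raise DecodeError, 'signature mismatch' unless secure_equal?(b64url_decode(sig_b64), expected)

  payload = JSON.parse(b64url_decode(payload_b64))
  raise DecodeError, 'payload is not a JSON object' unless payload.is_a?(Hash)
  payload
rescue JSON::ParserError => e
  raise DecodeError, "invalid JSON: #{e.message}"
end

# "Before": the failure is swallowed. The caller sees nil and answers 401 with no trace of why.
def user_from_token_quiet(token, secret)
  decode_hs256(token, secret)['sub']
rescue DecodeError
  nil
end

# "After": same outcome (nil, hence 401), but the reason is logged so the frequency can be tracked.
# Only the reason is logged, never the token itself, so credentials do not end up in log storage.
def user_from_token_logged(token, secret, logger: Logger.new($stderr))
  decode_hs256(token, secret)['sub']
rescue DecodeError => e
  logger.warn("dependency proxy: unable to decode JWT: #{e.class}: #{e.message}")
  nil
end

if $PROGRAM_NAME == __FILE__
  secret = 'constructed-example-secret'
  token = encode_hs256({ 'sub' => '1234567890' }, secret)
  puts "valid token -> subject #{user_from_token_logged(token, secret).inspect}"
  puts "wrong key   -> subject #{user_from_token_logged(token, 'other-secret').inspect}"
  puts "garbage     -> subject #{user_from_token_logged('not-a-jwt', secret).inspect}"
end
```

Both authenticators return nil for the same inputs, so the HTTP behaviour (a 401) is unchanged; the only difference is that the logged variant records which check failed, which is what makes intermittent failures like the ones described above measurable.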
How to set up and validate locally
It's a bit surprising to me the auth endpoint uses /v2: https://gitlab.com/gitlab-org/gitlab/-/blob/ee513ee6b441894c0d68bc96d8891f547a45e7a2/config/routes/group.rb#L163
You can test this by injecting some arbitrary JWT:
curl -v -X GET -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c" https://host.docker.internal:3443/v2
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Stan Hu