Add JWT token authentication to Mailroom gem's postback delivery strategy
Although mail_room supports the postback delivery method, the only authentication configuration it offers is a token header. Internally, the mail_room gem uses Faraday and its token_auth authentication method, which adds a configured token to the Authorization header: Authorization: Token token="something". This authentication header does not seem suitable for the GitLab source code. As the webhook API (#1457 (closed)) we intend to implement is an internal API, we can follow or reuse the authentication implementation of other similar internal APIs:
- gitlab-shell compares the token fetched from the request's Gitlab-Shared-Secret header with a configured secret token.
- GitLab Pages decodes the JWT token fetched from the request's Gitlab-Pages-Api-Request header.
- GitLab KAS decodes the JWT token fetched from the request's Gitlab-Kas-Api-Request header.
The JWT token seems to be a decent solution. The new JWT configuration would look something like:
    :email: "user8@gmail.com"
    :password: "password"
    :name: "inbox"
    :delivery_method: postback
    :delivery_options:
      :delivery_url: "http://localhost:3000/inbox"
      :jwt_auth_header: "Gitlab-Mailroom-Api-Request"
      :jwt_issuer: "gitlab-mailroom"
      :jwt_algorithm: "HS256"
      :jwt_secret_path: "/etc/gitlab-secrets/mailroom/.gitlab_mailroom_secret"
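To make the proposed flow concrete, here is an added example (not code from mail_room or GitLab) of both sides of the exchange: mail_room minting an HS256 JWT with the configured issuer into the Gitlab-Mailroom-Api-Request header, and the receiving endpoint verifying signature, algorithm, issuer and expiry before trusting the postback. It uses only the Ruby standard library; the secret value and the 60-second lifetime are assumptions, and in practice the secret would be read from :jwt_secret_path.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Values mirroring the proposed configuration (the secret is a constructed placeholder).
JWT_ISSUER = 'gitlab-mailroom'
JWT_HEADER = 'Gitlab-Mailroom-Api-Request'
JWT_SECRET = 'constructed-shared-secret-for-example-only'

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Constant-time comparison so signature checks do not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Sender side: mail_room builds a short-lived HS256 token carrying the issuer claim.
def build_mailroom_jwt(secret, issuer: JWT_ISSUER, now: Time.now.to_i, ttl: 60)
  header  = b64url({ alg: 'HS256', typ: 'JWT' }.to_json)
  payload = b64url({ iss: issuer, iat: now, exp: now + ttl }.to_json)
  sig = OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}")
  "#{header}.#{payload}.#{b64url(sig)}"
end

# Receiver side: returns the claims when the token is acceptable, nil otherwise.
def verify_mailroom_jwt(token, secret, issuer: JWT_ISSUER, now: Time.now.to_i)
  header, payload, sig = token.to_s.split('.')
  return nil unless header && payload && sig
  expected = b64url(OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}"))
  return nil unless secure_equal?(expected, sig)          # signature must match first
  hdr = JSON.parse(Base64.urlsafe_decode64(header))
  return nil unless hdr['alg'] == 'HS256'                 # pin the algorithm (no "none")
  claims = JSON.parse(Base64.urlsafe_decode64(payload))
  return nil unless claims['iss'] == issuer               # only accept the configured issuer
  return nil if claims['exp'].nil? || claims['exp'] <= now # reject expired tokens
  claims
rescue JSON::ParserError, ArgumentError
  nil
end

# Glue for the webhook endpoint: pull the token out of the configured header.
def authenticate_postback(headers, secret, now: Time.now.to_i)
  verify_mailroom_jwt(headers[JWT_HEADER], secret, now: now)
end
```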
Edited by Quang-Minh Nguyen