
Add JWT token to GitLab Rails request

Igor Drozdov requested to merge id-gitlabnet-jwt into main

What does this MR do and why?

It adds a JWT token to the GitLab Rails API request. It is passed as a Gitlab-Shell-Api-Request header and uses the same shared secret to sign the token.

How it works now:

  • Gitlab Shell and Gitlab Rails have a pre-shared secret key
  • This secret (base64 encoded) is sent from Gitlab Shell to Gitlab Rails on every request in order to authenticate the request
  • If the secret is leaked while in transit, an attacker can perform an unlimited number of requests

Our plan:

  • Gitlab Shell and Gitlab Rails have a pre-shared secret key
  • This secret is used to sign a payload, which is sent as a JWT token from Gitlab Shell to Gitlab Rails on every request in order to authenticate the request

This merge request adds the JWT token as the Gitlab-Shell-Api-Request header, but it also keeps sending the shared secret until the GitLab Rails logic that processes Gitlab-Shell-Api-Request is implemented and works as expected.
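The following is an added example, not code from this merge request or from gitlab-shell, showing the difference between the two schemes above: the sending side proves possession of the pre-shared secret by signing a short-lived payload instead of transmitting the secret itself, and the receiving side checks the signature before trusting any claim and then enforces the expiry, so a token captured in transit stops being useful once it expires. It uses only the Go standard library (HS256 via HMAC-SHA256); the header name is the one from the MR, while the issuer value, claim set and lifetime are assumptions for illustration and are not taken from the project.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// HeaderName is the request header the MR introduces for the token.
const HeaderName = "Gitlab-Shell-Api-Request"

// Claims is the payload carried in the token. The claim set is an assumption
// for this example; it uses registered JWT claim names (iss, iat, nbf, exp).
type Claims struct {
	Iss string `json:"iss"`
	Iat int64  `json:"iat"`
	Nbf int64  `json:"nbf"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// sign returns the base64url HMAC-SHA256 of the signing input under the shared secret.
func sign(secret []byte, signingInput string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return b64.EncodeToString(mac.Sum(nil))
}

// MintToken is the sending side: it builds an HS256 JWT whose signature proves
// possession of the secret without ever placing the secret on the wire.
func MintToken(secret []byte, issuer string, now time.Time, ttl time.Duration) (string, error) {
	if len(secret) == 0 {
		return "", errors.New("empty secret")
	}
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	claims, err := json.Marshal(Claims{
		Iss: issuer,
		Iat: now.Unix(),
		Nbf: now.Unix(),
		Exp: now.Add(ttl).Unix(),
	})
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(claims)
	return signingInput + "." + sign(secret, signingInput), nil
}

// VerifyToken is the receiving side: it pins the algorithm, checks the signature
// in constant time, and only then validates issuer and time window.
func VerifyToken(secret []byte, token, expectedIssuer string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	headerJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return c, errors.New("bad header encoding")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	// Pinning the algorithm prevents "alg":"none" or algorithm-confusion tricks.
	if err := json.Unmarshal(headerJSON, &hdr); err != nil || hdr.Alg != "HS256" {
		return c, errors.New("unexpected or missing alg")
	}
	expected := sign(secret, parts[0]+"."+parts[1])
	if !hmac.Equal([]byte(expected), []byte(parts[2])) {
		return c, errors.New("signature mismatch")
	}
	claimsJSON, err := b64.DecodeString(parts[1])
	if err != nil {
		return c, errors.New("bad claims encoding")
	}
	if err := json.Unmarshal(claimsJSON, &c); err != nil {
		return c, errors.New("bad claims json")
	}
	if c.Iss != expectedIssuer {
		return c, errors.New("unexpected issuer")
	}
	t := now.Unix()
	if c.Exp == 0 || t >= c.Exp {
		return c, errors.New("token expired")
	}
	if t < c.Nbf {
		return c, errors.New("token not yet valid")
	}
	return c, nil
}

func main() {
	secret := []byte("constructed-shared-secret") // constructed sample value, not a real secret
	now := time.Now()
	tok, _ := MintToken(secret, "gitlab-shell", now, 30*time.Second)
	fmt.Printf("%s: %s\n", HeaderName, tok)
	if _, err := VerifyToken(secret, tok, "gitlab-shell", now.Add(5*time.Second)); err == nil {
		fmt.Println("accepted within lifetime")
	}
	if _, err := VerifyToken(secret, tok, "gitlab-shell", now.Add(time.Minute)); err != nil {
		fmt.Println("rejected after expiry:", err)
	}
}
```

Because the signature check runs before the claims are decoded and the lifetime is short, a leaked header only grants the window until `exp`, whereas a leaked static secret grants unlimited requests, which is the weakness the MR description calls out.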

Related issue: https://gitlab.com/gitlab-org/gitlab/-/issues/325167

Edited by Igor Drozdov
