Properly reply when "go get" gets a user that needs a 2factor authentication
Summary
- The Go middleware may authenticate the user.
- During this authentication, a Gitlab::Auth::MissingPersonalAccessTokenError can be thrown.
- This error is not handled by the middleware, which ultimately causes a 500 Internal Server Error response.
Steps to reproduce
Run $ go get with a user where the 2-factor authentication is enabled.
Note: From trying to reproduce the issue, the error only happens if, when sending the password, the GitLab account password is used instead of a personal access token.
What is the current bug behavior?
Return a 500 Internal Server Error.
What is the expected correct behavior?
Return a 401 Unauthorized.
Relevant logs and/or screenshots
- https://log.gprd.gitlab.net/goto/e44beceb2ec218e270f1e3a3ba13ceda
- https://sentry.gitlab.net/gitlab/gitlabcom/issues/2090528/
- Production incident: gitlab-com/gl-infra/production#3174 (closed)
Possible fixes
Return a 401 Unauthorized on Gitlab::Auth::MissingPersonalAccessTokenError in the Go proxy middleware.
Edited by Hugo Ortiz
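A sketch of the fix proposed under "Possible fixes", added here as an illustration and not taken from GitLab's code base. The class names GoGetMiddleware and StubAuthenticator, the sample users and the response bodies are assumptions; only the error class name comes from the issue.

```ruby
require 'base64'

# Stand-in for the error class named in the issue, defined so this runs alone.
module Gitlab
  module Auth
    MissingPersonalAccessTokenError = Class.new(StandardError)
  end
end

# Hypothetical authenticator: a 2FA account must present a personal access
# token; presenting the account password raises, as the issue describes.
class StubAuthenticator
  USERS = { # constructed sample data
    'alice' => { password: 'hunter2', token: 'pat-123', two_factor: true },
    'bob'   => { password: 's3cret',  token: nil,       two_factor: false }
  }.freeze

  def find_user(login, secret)
    user = USERS[login] or return nil
    return login if user[:token] && secret == user[:token]
    return nil unless secret == user[:password]
    raise Gitlab::Auth::MissingPersonalAccessTokenError if user[:two_factor]
    login
  end
end

# Rack-style middleware (hypothetical name) answering ?go-get=1 requests.
class GoGetMiddleware
  UNAUTHORIZED = [401, { 'WWW-Authenticate' => 'Basic realm="GitLab"' }, ['Unauthorized']].freeze

  def initialize(app, authenticator = StubAuthenticator.new)
    @app = app
    @authenticator = authenticator
  end

  def call(env)
    return @app.call(env) unless env['QUERY_STRING'].to_s.split('&').include?('go-get=1')

    scheme, encoded = env['HTTP_AUTHORIZATION'].to_s.split(' ', 2)
    if scheme&.casecmp?('basic')
      login, secret = Base64.decode64(encoded.to_s).split(':', 2)
      return UNAUTHORIZED unless @authenticator.find_user(login, secret.to_s)
    end
    [200, { 'Content-Type' => 'text/html' }, ['go-import placeholder']]
  rescue Gitlab::Auth::MissingPersonalAccessTokenError
    # Wrong credential type is a client error: answer 401 instead of a 500.
    UNAUTHORIZED
  end
end
```

Without the rescue clause, the 2FA user sending an account password would propagate the exception out of call, which is the 500 described in the summary.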