Job-Token authentication should be allowed at core tier
Problem
It seems there is an inconsistency in Job-Token authentication mechanism. Look at the following facts:
- We define
#find_user_from_job_token
in EE directory, which means it's proprietary code. According to the doc, job-token authentication is available at EEP tier. - In Job Artifact API, we intend to allow Job-Token authentication even if it's implemented at core tier. With the above fact, I assume this job-token authentication is currently broken at core tier (I don't see any tests for this API)
Further more, we want to allow Job-Token authentication in Release API, which is available at core tier. Therefore, the current implementation needs to be adjusted.
Proposal
Given Job-Token authentication itself is not allowed for any endpoints by default (in other word, we need to explicitly specify which endpoint can accept the job-token header), we can safely move the #find_user_from_job_token
into core level. This fixes the above problems on Job Artifact API and Release API.
We should also fix the doc as it's misleading that we don't allow Job-Token in any API even if user has EEP license.