Restrict CDot endpoint access to GitLab.com instances
Restrict CDot endpoint access to GitLab.com instances
Problem
Currently, CDot endpoints can be accessed from both GitLab.com and self-managed instances. This has led to issues where self-managed instances attempting to access CDot endpoints receive 401 unauthorized responses creating unnecessary load, as demonstrated in issue #573356 (closed).
Proposed Solution
Add access control to CDot endpoints by:
- Implementing an
allow_non_saas_requestsparameter or similar in theGitlab::SubscriptionPortal::Clientclass - Setting the parameter to
falseby default - Only enabling
allow_non_saas_requests=truefor specific pages that require CDot access from non-.com instances
Expected Behavior
- By default, CDot endpoints should only be accessible from GitLab.com instances
- Self-managed instances should be prevented from making unauthorized CDot requests
- Specific exceptions can be configured where necessary through the new parameter
Impact
This change will prevent unnecessary unauthorized requests from self-managed instances to CDot endpoints.
Description was generated using AI
Edited by 🤖 GitLab Bot 🤖