Skip to content

Disable IAT verification by default

Stan Hu requested to merge sh-disable-verify-iat-default into master

What does this MR do and why?

!117468 (merged) in GitLab 15.11 updated the ruby-jwt gem to v2.5.0. In v2.2.0, ruby-jwt removed the iat_leeway parameter (https://github.com/jwt/ruby-jwt/pull/274).

As a result, if a gitlab-shell host creates a JWT token with an issued-at (IAT) claim that is slightly behind the host handling API the request, users will receive a 401 error.

Disable this IAT verification by default since it's not serving a useful purpose, since expiration times are already validated. We already made a similar change in Geo.

Relates to #417543 (closed)

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Stan Hu

Merge request reports