Return 401 token invalid from graphql

What does this MR do and why?

Return 401 token invalid from graphql

We did not previously differentiate between no auth provided vs invalid auth. This introduces a check for the case where some form of authentication token is present but not recognised.

Screenshots or screen recordings

# No auth:

lee@Lees-MacBook-Pro gitlab % curl http://gdk.test:3000/api/graphql \
  --header 'Content-Type: application/json' \
  --data '{ "query": "query { currentUser { username } }" }' -v
*   Trying 127.0.0.1:3000...
* Connected to gdk.test (127.0.0.1) port 3000 (#0)
> POST /api/graphql HTTP/1.1
> Host: gdk.test:3000
> User-Agent: curl/8.1.2
> Accept: */*
> Content-Type: application/json
> Content-Length: 49
> 
< HTTP/1.1 200 OK
< Cache-Control: max-age=0, private, must-revalidate
< Content-Length: 29
< Content-Security-Policy: base-uri 'self'; child-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html http://gdk.test:3000/rails/letter_opener/ http://gdk.test:3000/admin/ http://gdk.test:3000/assets/ http://gdk.test:3000/-/speedscope/index.html http://gdk.test:3000/-/sandbox/ https://customers.staging.gitlab.com http://gdk.test:3000/assets/ blob: data:; connect-src 'self' http://gdk.test:3808 ws://gdk.test:3808 ws://gdk.test:3000 http://127.0.0.1:9000/lfs-objects/; default-src 'self'; font-src 'self'; form-action 'self' https: http:; frame-ancestors 'self'; frame-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html http://gdk.test:3000/rails/letter_opener/ http://gdk.test:3000/admin/ http://gdk.test:3000/assets/ http://gdk.test:3000/-/speedscope/index.html http://gdk.test:3000/-/sandbox/ https://customers.staging.gitlab.com; img-src 'self' data: blob: http: https:; manifest-src 'self'; media-src 'self' data: blob: http: https:; object-src 'none'; script-src 'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com 'nonce-JQQzLZddbYYxHTiBLOx8ew=='; style-src 'self' 'unsafe-inline'; worker-src http://gdk.test:3000/assets/ blob: data:
< Content-Type: application/json; charset=utf-8
< Etag: W/"f3951f0268200a69d1aa45c61283e7f5"
< Permissions-Policy: interest-cohort=()
< Referrer-Policy: strict-origin-when-cross-origin
< Vary: Accept, Origin
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Gitlab-Meta: {"correlation_id":"01HAQ13VQ9BQSHYWAKDD64SBW2","version":"1"}
< X-Permitted-Cross-Domain-Policies: none
< X-Request-Id: 01HAQ13VQ9BQSHYWAKDD64SBW2
< X-Runtime: 0.154514
< X-Ua-Compatible: IE=edge
< X-Xss-Protection: 1; mode=block
< Date: Tue, 19 Sep 2023 15:32:05 GMT
< 
* Connection #0 to host gdk.test left intact
{"data":{"currentUser":null}}% 

# Valid auth:

lee@Lees-MacBook-Pro gitlab % curl http://gdk.test:3000/api/graphql \
  --header 'Content-Type: application/json' \
  --header "PRIVATE_TOKEN: glpat-2tJ7iuLd8B3QvFvKhTZf" \
  --data '{ "query": "query { currentUser { username } }" }' -v
*   Trying 127.0.0.1:3000...
* Connected to gdk.test (127.0.0.1) port 3000 (#0)
> POST /api/graphql HTTP/1.1
> Host: gdk.test:3000
> User-Agent: curl/8.1.2
> Accept: */*
> Content-Type: application/json
> PRIVATE_TOKEN: glpat-2tJ7iuLd8B3QvFvKhTZf
> Content-Length: 49
> 
< HTTP/1.1 200 OK
< Cache-Control: max-age=0, private, must-revalidate
< Content-Length: 44
< Content-Security-Policy: base-uri 'self'; child-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html http://gdk.test:3000/rails/letter_opener/ http://gdk.test:3000/admin/ http://gdk.test:3000/assets/ http://gdk.test:3000/-/speedscope/index.html http://gdk.test:3000/-/sandbox/ https://customers.staging.gitlab.com http://gdk.test:3000/assets/ blob: data:; connect-src 'self' http://gdk.test:3808 ws://gdk.test:3808 ws://gdk.test:3000 http://127.0.0.1:9000/lfs-objects/; default-src 'self'; font-src 'self'; form-action 'self' https: http:; frame-ancestors 'self'; frame-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html http://gdk.test:3000/rails/letter_opener/ http://gdk.test:3000/admin/ http://gdk.test:3000/assets/ http://gdk.test:3000/-/speedscope/index.html http://gdk.test:3000/-/sandbox/ https://customers.staging.gitlab.com; img-src 'self' data: blob: http: https:; manifest-src 'self'; media-src 'self' data: blob: http: https:; object-src 'none'; script-src 'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com 'nonce-lzefVtLjCsBrGiTRJZH6qQ=='; style-src 'self' 'unsafe-inline'; worker-src http://gdk.test:3000/assets/ blob: data:
< Content-Type: application/json; charset=utf-8
< Etag: W/"57341db0704e500f374e4bf8d5302a47"
< Permissions-Policy: interest-cohort=()
< Referrer-Policy: strict-origin-when-cross-origin
< Vary: Accept, Origin
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Gitlab-Meta: {"correlation_id":"01HAQ17FNFS6JTV7DVJNQBCZYY","version":"1"}
< X-Permitted-Cross-Domain-Policies: none
< X-Request-Id: 01HAQ17FNFS6JTV7DVJNQBCZYY
< X-Runtime: 0.425283
< X-Ua-Compatible: IE=edge
< X-Xss-Protection: 1; mode=block
< Date: Tue, 19 Sep 2023 15:34:04 GMT
< 
* Connection #0 to host gdk.test left intact
{"data":{"currentUser":{"username":"root"}}}%

# Invalid auth:

lee@Lees-MacBook-Pro gitlab % curl http://gdk.test:3000/api/graphql \
  --header 'Content-Type: application/json' \
  --header "PRIVATE-TOKEN: 1234" \
  --data '{ "query": "query { currentUser { username } }" }' -v
*   Trying 127.0.0.1:3000...
* Connected to gdk.test (127.0.0.1) port 3000 (#0)
> POST /api/graphql HTTP/1.1
> Host: gdk.test:3000
> User-Agent: curl/8.1.2
> Accept: */*
> Content-Type: application/json
> PRIVATE-TOKEN: 1234
> Content-Length: 49
> 
< HTTP/1.1 401 Unauthorized
< Cache-Control: no-cache
< Content-Security-Policy: base-uri 'self'; child-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html http://gdk.test:3000/rails/letter_opener/ http://gdk.test:3000/admin/ http://gdk.test:3000/assets/ http://gdk.test:3000/-/speedscope/index.html http://gdk.test:3000/-/sandbox/ https://customers.staging.gitlab.com http://gdk.test:3000/assets/ blob: data:; connect-src 'self' http://gdk.test:3808 ws://gdk.test:3808 ws://gdk.test:3000 http://127.0.0.1:9000/lfs-objects/; default-src 'self'; font-src 'self'; form-action 'self' https: http:; frame-ancestors 'self'; frame-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html http://gdk.test:3000/rails/letter_opener/ http://gdk.test:3000/admin/ http://gdk.test:3000/assets/ http://gdk.test:3000/-/speedscope/index.html http://gdk.test:3000/-/sandbox/ https://customers.staging.gitlab.com; img-src 'self' data: blob: http: https:; manifest-src 'self'; media-src 'self' data: blob: http: https:; object-src 'none'; script-src 'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com 'nonce-/Paxx/eNWOJF2lR9xg01TA=='; style-src 'self' 'unsafe-inline'; worker-src http://gdk.test:3000/assets/ blob: data:
< Content-Type: application/json; charset=utf-8
< Permissions-Policy: interest-cohort=()
< Referrer-Policy: strict-origin-when-cross-origin
< Vary: Accept, Origin
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Gitlab-Custom-Error: 1
< X-Gitlab-Meta: {"correlation_id":"01HAQ15FHQ18P9N2MHP3W1RV3F","version":"1"}
< X-Permitted-Cross-Domain-Policies: none
< X-Request-Id: 01HAQ15FHQ18P9N2MHP3W1RV3F
< X-Runtime: 0.048306
< X-Ua-Compatible: IE=edge
< X-Xss-Protection: 1; mode=block
< Date: Tue, 19 Sep 2023 15:32:58 GMT
< Content-Length: 40
< 
* Connection #0 to host gdk.test left intact
{"errors":[{"message":"Token invalid"}]}%
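The three cases above (no token, valid token, unrecognised token) as a small Rack-style handler, added here as an illustration and not GitLab's own code. It assumes a constructed token store keyed by token digest and a placeholder token value; Rack maps the `PRIVATE-TOKEN` request header to `env['HTTP_PRIVATE_TOKEN']`. The point is the middle branch: a token that is present but unknown must not silently fall through to the anonymous path.

```ruby
require 'json'
require 'digest'

# Constructed sample token store: SHA-256 digest of the token -> username.
# Storing digests rather than plaintext tokens is an assumption for this example.
TOKEN_STORE = {
  Digest::SHA256.hexdigest('glpat-EXAMPLE-TOKEN-PLACEHOLDER') => 'root'
}.freeze

TOKEN_INVALID_BODY = { 'errors' => [{ 'message' => 'Token invalid' }] }.freeze

# Pull the token out of a Rack env. Rack upcases header names and replaces '-'
# with '_', so both `PRIVATE-TOKEN` and `PRIVATE_TOKEN` arrive as HTTP_PRIVATE_TOKEN.
def token_from_env(env)
  token = env['HTTP_PRIVATE_TOKEN'].to_s.strip
  token.empty? ? nil : token
end

# Resolve `query { currentUser { username } }` for the given env.
# Returns [http_status, body_hash].
#   - no token            -> 200, currentUser null (anonymous request)
#   - token recognised    -> 200, currentUser populated
#   - token unrecognised  -> 401, "Token invalid" (this is the new branch)
def handle_current_user(env)
  token = token_from_env(env)
  return [200, { 'data' => { 'currentUser' => nil } }] if token.nil?

  username = TOKEN_STORE[Digest::SHA256.hexdigest(token)]
  return [401, TOKEN_INVALID_BODY] if username.nil?

  [200, { 'data' => { 'currentUser' => { 'username' => username } } }]
end

if $PROGRAM_NAME == __FILE__
  # Constructed envs mirroring the three curl calls above.
  [
    {},
    { 'HTTP_PRIVATE_TOKEN' => 'glpat-EXAMPLE-TOKEN-PLACEHOLDER' },
    { 'HTTP_PRIVATE_TOKEN' => '1234' }
  ].each do |env|
    status, body = handle_current_user(env)
    puts "#{status} #{JSON.generate(body)}"
  end
end
```

Before this change a client sending a revoked or mistyped token got the same 200 with `currentUser: null` as an anonymous caller, so broken clients looked healthy; the 401 makes the failure visible to both the client and anyone monitoring auth failures.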

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #270055 (closed)