Prevent unnecessary sessions in API requests

What does this MR do and why?

Avoid setting unnecessary session values when doing the admin_mode? check. This also prevents creation of session records for API requests when admin mode is enabled.

Related to #437145 (closed)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Run gdk redis-cli monitor | grep "session:gitlab" to see sessions being saved to Redis
  2. Enable admin mode: https://docs.gitlab.com/ee/administration/settings/sign_in_restrictions.html#enable-admin-mode-for-your-instance
  3. Create a personal access token for an admin user
  4. Run curl http://localhost:3000/api/v4/version --header "PRIVATE-TOKEN: <ADMIN_TOKEN>"

Before this change, you will see something like:

"setex" "session:gitlab:2::f08271e97a86989c0a6e399aa7fed48b72a48a646a1b6d2f1d2b832a197a5735" "604800" "\x04\b{\x06I\"\x16current_user_mode\x06:\x06EF{\x00"

With this change, there would be no session being saved for API requests.

This also happens with any other API request. This is due to the Gitlab::Auth::CurrentUserMode.new(user).admin_mode? check which ends up calling current_session_data[ADMIN_MODE_START_TIME_KEY] to check the value in the session.

Edited by Heinrich Lee Yu
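The mechanism the description points at (a read-only admin_mode? check that ends up writing to the session, so the session middleware persists a record for a token-authenticated API call) can be reproduced with a small simulation. The Ruby below is an added illustration, not GitLab's code or the MR's diff: FakeSession stands in for the Rack session and only "persists" when something was assigned, the `||= {}` in LeakyUserMode is an assumed reconstruction of the write-on-read behaviour implied by the `current_user_mode => {}` blob in the Redis dump, CURRENT_USER_MODE_KEY is a name taken from that dump, and ADMIN_MODE_TIMEOUT is a hypothetical value.

```ruby
# Constructed stand-in for a Rack/Rails session backed by a key-value store.
# It records whether the request assigned anything, so commit! (the session
# middleware's end-of-request step, simulated here) only writes a record when
# the session is dirty. That write is the SETEX seen in the MR description.
class FakeSession
  attr_reader :writes

  def initialize(data = {})
    @data = data
    @dirty = false
    @writes = [] # every persisted copy of the session, for inspection
  end

  def [](key)
    @data[key]
  end

  def []=(key, value)
    @dirty = true
    @data[key] = value
  end

  def commit!
    return unless @dirty

    @writes << @data.dup
    @dirty = false
  end
end

ADMIN_MODE_START_TIME_KEY = :admin_mode_start_time  # key name from the description
CURRENT_USER_MODE_KEY = :current_user_mode          # assumed, from the Redis dump
ADMIN_MODE_TIMEOUT = 6 * 60 * 60                    # hypothetical, seconds

# Shared logic: admin mode is on when a start time exists and has not expired.
# Enabling admin mode is the one place that legitimately writes to the session.
class UserMode
  def initialize(session, now: Time.now)
    @session = session
    @now = now
  end

  def admin_mode?
    started_at = current_session_data[ADMIN_MODE_START_TIME_KEY]
    !started_at.nil? && (@now - started_at) < ADMIN_MODE_TIMEOUT
  end

  def enable_admin_mode!
    @session[CURRENT_USER_MODE_KEY] =
      current_session_data.merge(ADMIN_MODE_START_TIME_KEY => @now)
  end
end

# "Before" (assumed reconstruction): reading the per-user hash initialises it
# in the session, so a plain admin_mode? check dirties the session and a record
# is persisted for every API request.
class LeakyUserMode < UserMode
  private

  def current_session_data
    @session[CURRENT_USER_MODE_KEY] ||= {} # write on read
  end
end

# "After": a read returns an empty hash without storing it, so a check alone
# never dirties the session; only enable_admin_mode! assigns anything.
class LazyUserMode < UserMode
  private

  def current_session_data
    @session[CURRENT_USER_MODE_KEY] || {}
  end
end

# One token-authenticated API request: the auth layer asks admin_mode?, then
# the middleware commits. Returns how many session records were written.
def simulate_api_request(mode_class, session = FakeSession.new)
  mode_class.new(session).admin_mode?
  session.commit!
  session.writes.size
end

# Enables admin mode at t0 and asks again `elapsed` seconds later, to show
# the fixed variant still reads back state that was deliberately written.
def admin_mode_after(mode_class, elapsed)
  session = FakeSession.new
  t0 = Time.utc(2024, 1, 1)
  mode_class.new(session, now: t0).enable_admin_mode!
  session.commit!
  mode_class.new(session, now: t0 + elapsed).admin_mode?
end

if $PROGRAM_NAME == __FILE__
  puts "leaky: #{simulate_api_request(LeakyUserMode)} session write(s) per API request"
  puts "lazy:  #{simulate_api_request(LazyUserMode)} session write(s) per API request"
  puts "lazy, 60s after enabling: admin_mode? = #{admin_mode_after(LazyUserMode, 60)}"
end
```

The point to carry over to a real session store is that the check path must be side-effect free: default values for a read belong in the caller, not in the session, and the only assignment should happen when admin mode is actually enabled (or disabled). The same pattern applies to any per-request authorization check that consults session state on an endpoint that is otherwise stateless.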
