Prevent unnecessary sessions in API requests
What does this MR do and why?
Avoid setting unnecessary session values when doing the `admin_mode?` check. This also prevents creation of session records for API requests when admin mode is enabled.
Related to #437145 (closed)
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Run the following to see sessions being saved to Redis:

  ```shell
  gdk redis-cli monitor | grep "session:gitlab"
  ```

- Enable admin mode: https://docs.gitlab.com/ee/administration/settings/sign_in_restrictions.html#enable-admin-mode-for-your-instance
- Create a personal access token for an admin user
- Run:

  ```shell
  curl http://localhost:3000/api/v4/version --header "PRIVATE-TOKEN: <ADMIN_TOKEN>"
  ```
Before this change, you will see something like:

```
"setex" "session:gitlab:2::f08271e97a86989c0a6e399aa7fed48b72a48a646a1b6d2f1d2b832a197a5735" "604800" "\x04\b{\x06I\"\x16current_user_mode\x06:\x06EF{\x00"
```

With this change, there would be no session being saved for API requests.
This also happens with any other API request. This is due to the `Gitlab::Auth::CurrentUserMode.new(user).admin_mode?` check, which ends up calling `current_session_data[ADMIN_MODE_START_TIME_KEY]` to check the value in the session.
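The following is an added illustration, not code from this MR or from GitLab. It first decodes the Marshal payload captured above, which shows the persisted session holds nothing but an empty `current_user_mode` namespace. It then contrasts two hypothetical namespaced-store wrappers over a fake Rails-like session: one that materialises the namespace with `||= {}` on a read (so a read-only `admin_mode?` check marks the session as written and the store persists it) and one that looks the value up without writing. The class names, `FakeSession`, the store wrappers and the 6-hour `MAX_ADMIN_MODE_TIME` are all assumptions for the example.

```ruby
# Constructed input: the value captured from `redis-cli monitor` in the MR
# description (Marshal-serialised Rails session data). Only decode payloads
# you trust; Marshal.load on attacker-controlled bytes is unsafe.
CAPTURED_SESSION_PAYLOAD = "\x04\b{\x06I\"\x16current_user_mode\x06:\x06EF{\x00"

def decode_session_payload(payload)
  Marshal.load(payload) # => {"current_user_mode"=>{}}
end

# Hypothetical stand-in for a Rails session (not GitLab's code): a hash that
# records whether anything was written. A session store persists a session
# that was written; a session that was only read does not need saving.
class FakeSession
  attr_reader :data

  def initialize(data = {})
    @data = data
    @written = false
  end

  def [](key)
    @data[key]
  end

  def []=(key, value)
    @written = true
    @data[key] = value
  end

  def written?
    @written
  end
end

CURRENT_USER_MODE_KEY = 'current_user_mode'
ADMIN_MODE_START_TIME_KEY = 'admin_mode_start_time'
MAX_ADMIN_MODE_TIME = 6 * 60 * 60 # assumed lifetime for the example

# Assumed problematic pattern: `||= {}` writes the namespace into the session
# even when the caller only wanted to read a value from it.
class WritingNamespacedStore
  def initialize(session, key)
    @session = session
    @key = key
  end

  def [](sub_key)
    store[sub_key]
  end

  def store
    @session[@key] ||= {}
  end
end

# Read-only variant: look the value up without materialising the namespace,
# so a pure check leaves an untouched session untouched.
class ReadOnlyNamespacedStore
  def initialize(session, key)
    @session = session
    @key = key
  end

  def [](sub_key)
    namespace = @session[@key]
    namespace && namespace[sub_key]
  end
end

# The admin-mode check itself only reads a start time from the store.
def admin_mode_active?(store, now: Time.now)
  started_at = store[ADMIN_MODE_START_TIME_KEY]
  return false unless started_at

  now - started_at < MAX_ADMIN_MODE_TIME
end

# Run the check against a fresh (empty) session through the given store and
# report whether the session would now be persisted.
def session_written_by_check?(store_class)
  session = FakeSession.new
  admin_mode_active?(store_class.new(session, CURRENT_USER_MODE_KEY))
  session.written?
end

if __FILE__ == $PROGRAM_NAME
  p decode_session_payload(CAPTURED_SESSION_PAYLOAD)
  p session_written_by_check?(WritingNamespacedStore)  # true: session gets saved
  p session_written_by_check?(ReadOnlyNamespacedStore) # false: nothing to save
end
```

The decoded payload is the tell: an empty namespace is exactly what a read-through-`||=` leaves behind, and each token-authenticated API call then costs a Redis `SETEX` for a session nobody will reuse.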
Edited by Heinrich Lee Yu