Fix GitLab Duo chat session error in the Web IDE
Issue: session#id errs due to its option being a hash ... (#472789 - closed)
What does this MR do and why?
It fixes a GitLab Duo chat session error that occurs when a session method assumes that the Web IDE uses a session cookie to authenticate HTTP requests to the GraphQL API, but the Web IDE is using an OAuth session token instead. In this scenario, accessing the session.id property results in an error because the underlying options property is not an instance of ActionDispatch::Request::Session::Options, it is a hash with a key value pair { skip: true }.
The fix checks if session.options is a hash and returns nil in this scenario.
Additional investigation
Why does this bug only occur when the Web IDE Extensions Marketplace is disabled?
When the Extensions Marketplace is enabled, the GitLab Workflow VSCode Extension that contains GitLab Duo Chat runs on a separate origin from the one used by the GitLab instance (i.e. ide.gitlab-cdn.net and gitlab.com). In this scenario, the session cookie attached to the GitLab instance's origin is not present in the HTTP requests sent by Duo Chat; therefore, the only available authentication session is the one provided by the OAuth2 session token.
When the Extensions Marketplace is disabled, both extensions and the GitLab instance co-exist in the same domain. In this scenario, the session object is not nil. Also, session.options is not an instance of ActionDispatch::Request::Session::Options, it is a hash with a key value pair { skip: true }. My hypothesis is that OAuth2 session tokens take precedence over session cookies when processing the authentication of API requests. The GraphQLController uses a sessionless_sign_in method that passes the store: false option to Devise -> Warden which avoids serializing and persisting the session.
References
Please include cross links to any resources that are relevant to this MR. This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
| Before | After |
|---|---|
| before_fix.mov | after_fix.mov |
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
- Set up AI gateway in your local environment.
- Disable the `:web_ide_extensions_marketplace` in your local environment: `bin/rails c && Feature.disable(:web_ide_extensions_marketplace)`.
- Say hi to GitLab Duo Chat. After the fix, you should receive a response back.
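
The failure and the guard described in this MR, as an added example that is not code from the merge request or from Rails. `FakeSession`, `FakeSessionOptions`, `safe_session_id` and `unguarded_error` are hypothetical stand-ins, and the example assumes only what the description states: the session id is looked up through the options object, and that object is the hash `{ skip: true }` on token-authenticated requests.

```ruby
# Added illustration; stand-in classes, not GitLab or Rails source.

# Stand-in for ActionDispatch::Request::Session::Options
# (assumption: only the id lookup matters here).
class FakeSessionOptions
  def initialize(session_id)
    @session_id = session_id
  end

  def id(_request)
    @session_id
  end
end

# Stand-in for a request session whose #id delegates to its options object.
class FakeSession
  attr_reader :options

  def initialize(options)
    @options = options
  end

  def id
    options.id(nil)
  end
end

# Hypothetical helper mirroring the fix: return nil instead of raising when
# the request carries no cookie-backed session and options is a plain Hash.
def safe_session_id(session)
  return nil if session.nil?
  return nil if session.options.is_a?(Hash)

  session.id
end

# Returns the exception class raised by an unguarded session.id call, or nil.
def unguarded_error(session)
  session.id
  nil
rescue NoMethodError => e
  e.class
end

cookie_session = FakeSession.new(FakeSessionOptions.new("constructed-session-id"))
token_session  = FakeSession.new({ skip: true }) # OAuth token request

puts safe_session_id(cookie_session).inspect
puts safe_session_id(token_session).inspect
puts unguarded_error(token_session).inspect
```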

