Prevent invalid tokens from falling back to Git password auth
What does this MR do and why?
Prevent invalid tokens from falling back to Git password auth
When authenticating with Git over HTTPS, authentication falls through a number of mechanisms, since the Git password may be a token, a local database password, an LDAP password and more. This change ensures that any recognized token type does not fall back to database or LDAP authentication, for example when the token is revoked or expired.
This is important because otherwise, if a user's personal access token expires, an integration could continuously retry authentication against GitLab and cause the user's GitLab or LDAP account to become blocked.
Risks
It is theoretically possible that we could have users with passwords that begin with the same characters as the prefixes to our tokens. I believe it would need to include the dash, such as glpat-, to match. It's probably not likely but possible. With this change, any such user would be unable to authenticate with Git over HTTPS (or potentially other sessionless authentication that uses the same auth path).
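The fall-through behaviour described in the summary and the risk noted above, as an added illustration that is not GitLab's own code: a simplified Git-over-HTTPS authentication chain with a failed-login counter. The token prefixes, tokens, users and passwords are constructed sample data, and the two authenticate functions show the chain before and after the change.

```ruby
# Added illustration, not GitLab's own code: a simplified Git-over-HTTPS
# authentication chain with a lockout counter. Prefixes, tokens and users
# below are constructed sample data.
TOKEN_PREFIXES = ['glpat-', 'gldt-'].freeze  # assumed recognized token prefixes
TOKENS = {
  'glpat-expired0001' => { user: 'alice', expires_at: Time.utc(2020, 1, 1), revoked: false },
  'glpat-revoked0002' => { user: 'alice', expires_at: Time.utc(2099, 1, 1), revoked: true },
  'glpat-valid0003'   => { user: 'alice', expires_at: Time.utc(2099, 1, 1), revoked: false }
}.freeze
PASSWORDS = { 'alice' => 'correct horse', 'bob' => 'glpat-notatoken' }.freeze
FAILED_LOGINS = Hash.new(0)  # failed password attempts per user (what triggers blocking)

def reset_failures!
  FAILED_LOGINS.clear
end

# Token mechanism: returns the owner only for a known, unrevoked, unexpired token.
def token_auth(secret, now)
  t = TOKENS[secret]
  return nil if t.nil? || t[:revoked] || t[:expires_at] <= now
  t[:user]
end

# Database/LDAP password mechanism: every mismatch counts toward account blocking.
def password_auth(user, secret)
  return user if PASSWORDS[user] == secret
  FAILED_LOGINS[user] += 1
  nil
end

def looks_like_token?(secret)
  TOKEN_PREFIXES.any? { |p| secret.start_with?(p) }
end

# Before this MR: any token failure falls through to password/LDAP auth,
# so an expired token burns a failed attempt on every retry.
def authenticate_before(user, secret, now: Time.now.utc)
  token_auth(secret, now) || password_auth(user, secret)
end

# After this MR: a secret carrying a recognized token prefix is decided by
# the token mechanism alone; only non-token secrets reach password/LDAP auth.
# Side effect (the risk above): a real password starting with a prefix is rejected.
def authenticate_after(user, secret, now: Time.now.utc)
  user_from_token = token_auth(secret, now)
  return user_from_token if user_from_token || looks_like_token?(secret)
  password_auth(user, secret)
end
```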
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.