Set shorter TTL for all unauthenticated requests
GitLab 11.2 limited the time-to-live (TTL) of unauthenticated sessions via !6586 (merged) using `before_action` in `ApplicationController`. However, this broke OAuth2 logins, which set the `current_user` after a login is successful, so we moved it to an `after_action` in gitlab-foss!21144 (merged). However, `after_action` isn't called if an exception is raised in the request cycle. Thus, in some situations, TTLs weren't always being set to a short value.
This commit adds the TTL limiting to the Devise Failure App (https://github.com/plataformatec/devise/blob/master/lib/devise/failure_app.rb), which is run anytime the user is redirected to the sign-in page.
Relates to https://gitlab.com/gitlab-com/gl-infra/infrastructure/issues/8247
Edited by Stan Hu
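The three situations the description walks through (TTL limiting as a `before_action`, as an `after_action`, and in the Devise failure app), as an added example in plain Ruby that is not GitLab's or Devise's code. The `Session`, `Controller` and `FailureApp` classes, the TTL values and the user name are illustrative assumptions; the `Controller` only models the part of the Rails callback chain that matters here, namely that an exception raised by the action propagates and the after callbacks are skipped. It runs without Rails or Devise installed.

```ruby
# Added example, not code from GitLab or Devise. Plain-Ruby model of the
# Rails callback chain and a Devise-style failure app, showing why TTL
# limiting in a before_action breaks OAuth2 logins, why an after_action is
# skipped when the action raises, and why the failure app covers the
# redirect-to-sign-in path. All names and values below are assumptions.

SHORT_TTL = 2 * 60 * 60        # assumed: limited TTL for unauthenticated sessions
DEFAULT_TTL = 7 * 24 * 60 * 60 # assumed: normal session lifetime

class Session
  attr_accessor :user, :ttl

  def initialize
    @user = nil
    @ttl = DEFAULT_TTL
  end
end

# Stand-in for ActionController: run before callbacks, the action, then
# after callbacks. If the action raises, the exception propagates and the
# after callbacks never run, which is the standard Rails behaviour.
class Controller
  attr_reader :session

  def initialize(session, limit_in: :after)
    @session = session
    @limit_in = limit_in # :before or :after, mirroring the two merge requests
  end

  def current_user
    session.user
  end

  # The TTL-limiting callback: shorten the session only when nobody is signed in.
  def limit_session_ttl
    session.ttl = SHORT_TTL unless current_user
  end

  def process(action)
    limit_session_ttl if @limit_in == :before
    public_send(action)
    limit_session_ttl if @limit_in == :after
    :ok
  end

  # OAuth2 callback: current_user only exists once the action has succeeded.
  def oauth_callback
    session.user = 'alice' # assumed user name
  end

  def failing_action
    raise 'backend error'
  end
end

# Stand-in for Devise's FailureApp: it handles every redirect of an
# unauthenticated request to the sign-in page, independently of what
# happened in the controller's callback chain.
class FailureApp
  def self.call(session)
    session.ttl = SHORT_TTL unless session.user
    [302, { 'Location' => '/users/sign_in' }, []]
  end
end

# before_action: the check runs before OAuth sets current_user, so the
# freshly logged-in session is left with the short TTL.
# after_action: the check sees the user and leaves the default TTL alone.
def ttl_after_oauth_login(limit_in)
  controller = Controller.new(Session.new, limit_in: limit_in)
  controller.process(:oauth_callback)
  controller.session.ttl
end

# after_action with an exception: the callback is skipped, so an anonymous
# session keeps the default TTL.
def ttl_after_exception
  controller = Controller.new(Session.new, limit_in: :after)
  begin
    controller.process(:failing_action)
  rescue RuntimeError
    # the exception already propagated past the after callbacks, as in Rails
  end
  controller.session.ttl
end

# failure app: the redirect to sign-in limits the TTL of the anonymous session.
def ttl_after_failure_app
  session = Session.new
  status, headers, _body = FailureApp.call(session)
  [status, headers['Location'], session.ttl]
end
```

`ttl_after_oauth_login(:before)` returns `SHORT_TTL` even though a user is signed in afterwards, `ttl_after_oauth_login(:after)` returns `DEFAULT_TTL`, `ttl_after_exception` returns `DEFAULT_TTL` because the after callback never ran, and `ttl_after_failure_app` returns the 302 to `/users/sign_in` together with `SHORT_TTL`.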