
Fix deploy tokens erroneously triggering unique IP limits

Stan Hu requested to merge sh-fix-unique-ips-limiter into master

Some users were complaining that when the user unique IP limiter was enabled, they would be banned for some unknown reason. AuthFinder.find_for_git_client can authenticate users from a multitude of tokens (CI, LFS, HTTP basic auth, etc.), but project deploy tokens are unique in that they aren't attributed to a specific user. As a result, if project deploy tokens were used, users that had the same database ID as a deploy token would erroneously be attributed to using the IP accessed by the token.

To fix this issue, we only call Gitlab::Auth::UniqueIpsLimiter if a user is returned from the authentication search. Project deploy tokens could be used from many different IPs, so it doesn't make sense to group them with user activity.

Possibly fixes #22854 (closed)

Edited by Stan Hu
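As an added illustration (not GitLab's code), the following model shows the ID collision the merge request describes and why keying the limiter only on actual users fixes it. `UniqueIpsLimiter`, `DeployToken`, `limit_before_fix` and `limit_after_fix` are hypothetical stand-ins, and the limiter is reduced to "at most N distinct IPs per user id".

```ruby
# Constructed model of the bug: a deploy token has a database id but no user
# behind it, so keying the limiter on "principal.id" lets token id 1 pollute
# the bucket of user id 1. All names here are hypothetical simplifications.
require 'set'

User        = Struct.new(:id, :name)
DeployToken = Struct.new(:id, :project)   # has an :id but is not a user

class UniqueIpsLimiter
  def initialize(max_ips)
    @max_ips = max_ips
    @ips_by_user = Hash.new { |h, k| h[k] = Set.new }
  end

  # Records the IP under the given user id; false once the user exceeds the limit.
  def allow?(user_id, ip)
    @ips_by_user[user_id] << ip
    @ips_by_user[user_id].size <= @max_ips
  end
end

# Before the fix: every authenticated principal, deploy tokens included, is
# keyed by its database id, so a token and a user with the same id collide.
def limit_before_fix(limiter, principal, ip)
  limiter.allow?(principal.id, ip)
end

# After the fix: only results that really are users reach the limiter;
# deploy tokens are not tied to a user and are not counted at all.
def limit_after_fix(limiter, principal, ip)
  return true unless principal.is_a?(User)

  limiter.allow?(principal.id, ip)
end

# Constructed scenario: a deploy token with id 1 is used from several runner
# IPs, then user id 1 logs in from a single IP. Returns whether the user is
# still allowed (limit of 2 distinct IPs per user).
def run_scenario(limit_fn)
  limiter = UniqueIpsLimiter.new(2)
  user  = User.new(1, 'alice')
  token = DeployToken.new(1, 'group/project')
  %w[203.0.113.10 203.0.113.11 203.0.113.12].each { |ip| limit_fn.call(limiter, token, ip) }
  limit_fn.call(limiter, user, '198.51.100.7')
end

puts "before fix: alice allowed? #{run_scenario(method(:limit_before_fix))}" # false
puts "after fix:  alice allowed? #{run_scenario(method(:limit_after_fix))}"  # true
```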
