
Skip CSRF protection on Workhorse internal API

Jacob Vosmaer requested to merge jv-workhorse-api-skip-csrf into master

Out of necessity, we skip CSRF protection on Workhorse /authorize pre-authorization subrequests. This is because the CSRF token often cannot be propagated to the subrequest. When we added the new /api/v4/internal/workhorse/authorize_upload endpoint, we forgot to disable CSRF protection on it. This MR fixes that.

While we are here, we also improve Workhorse logging of failed internal API calls.

Fixes gitlab-com/gl-infra/scalability#1755 (closed).

Edited by Jacob Vosmaer
