Avoid redirect loop even with forced token authentication

Eric Eastwood requested to merge avoid-redirect-loop-on-forced-token into develop

Avoid redirect loop even with forced token authentication via the following:

  • ?access_token=xxx query parameter
  • Authorization: Bearer xxx header

Real world example: If you are using the desktop app, we force feed the token via the Authorization: Bearer xxx header. But if that token is invalid or revoked, it will result in an infinite redirect loop (ends in a browser too_many_redirects).

With these changes, we will now redirect you back to /login or /login/token-revoked, as appropriate, and not try to redirect again even if you have an invalid token present.


Previous MR for revoking tokens: https://gitlab.com/gitlab-org/gitter/webapp/merge_requests/1071

Todo

  • Add/run tests
    • Will look to add an end-to-end test after we get e2e Selenium tests going
Edited by Eric Eastwood
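The redirect decision described in this MR, as an added example that is not code from the Gitter webapp or this merge request: a framework-free model of forced-token extraction (query parameter or Bearer header) and the rule that a request already aimed at a login page is served rather than redirected again. The token store, the login paths being exempt from the auth check, and the route names are assumptions for illustration.

```javascript
// Added example, not the Gitter webapp's own code. Models the "forced token"
// check and the redirect decision so the loop-avoidance rule is visible.
// TOKEN_STORE, LOGIN_PATHS and the request shape are constructed assumptions.

// Constructed token states: live, or revoked (the token-revoked case).
const TOKEN_STORE = {
  'good-token': { userId: 'u1', revoked: false },
  'old-token':  { userId: 'u2', revoked: true },
};

// Pages that must be reachable with a bad token present; redirecting a
// request for one of these back to itself is exactly the infinite loop.
const LOGIN_PATHS = new Set(['/login', '/login/token-revoked']);

// Pull the forced token from ?access_token=xxx or Authorization: Bearer xxx.
function extractForcedToken(req) {
  if (req.query && req.query.access_token) return req.query.access_token;
  const auth = (req.headers && req.headers.authorization) || '';
  const m = /^Bearer\s+(\S+)$/i.exec(auth);
  return m ? m[1] : null;
}

// Decide what to do with a request. Returns one of:
//   { action: 'allow', userId }   forced token is valid
//   { action: 'redirect', to }    token missing/invalid/revoked, normal page
//   { action: 'serve-login' }     already on a login page: never redirect again
function decideAuth(req) {
  const token = extractForcedToken(req);
  const record = token ? TOKEN_STORE[token] : undefined;
  if (record && !record.revoked) return { action: 'allow', userId: record.userId };

  // Loop fix: the desktop app keeps sending the same bad Bearer header on the
  // redirected request, so a login page must be served even with it present.
  if (LOGIN_PATHS.has(req.path)) return { action: 'serve-login' };

  const to = record && record.revoked ? '/login/token-revoked' : '/login';
  return { action: 'redirect', to };
}
```

Without the LOGIN_PATHS check, the request for /login carrying the revoked header would itself be redirected to /login/token-revoked, and that request redirected again, which is the too_many_redirects outcome the MR describes.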