Avoid redirect loop even with forced token authentication
Avoid redirect loop even with forced token authentication via the following,

- `?access_token=xxx` query parameter
- `Authorization: Bearer xxx` header

Real world example: If you are using the desktop app, we force feed the token via the `Authorization: Bearer xxx` header.
But if that token is invalid or revoked, it will result in an infinite redirect loop (ends in a browser `too_many_redirects`).
With these changes, we will now redirect you back to `/login`, `/login/token-revoked` appropriately and not try to redirect again even if you have an invalid token present.
Previous MR for revoking tokens: https://gitlab.com/gitlab-org/gitter/webapp/merge_requests/1071
Todo

- Add/run tests - Will look to add an end-to-end test after we get e2e Selenium tests going
Edited by Eric Eastwood
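
A minimal model of the loop and the guard described above, as an added example and not the Gitter webapp's own code. The `handle` gate, the token table and the `guardLoginPages` switch are hypothetical names, and the client is assumed to re-send the Bearer header on every hop, as the desktop app is described as doing.

```javascript
// Constructed token store: any token not listed here counts as invalid.
const TOKENS = new Map([['good-token', 'valid'], ['old-token', 'revoked']]);
const LOGIN_PAGES = new Set(['/login', '/login/token-revoked']);

// Read the token from either place the page lists: header or query parameter.
function extractToken(req) {
  const m = /^Bearer\s+(.+)$/i.exec(req.headers.authorization || '');
  if (m) return m[1];
  return new URL(req.url, 'http://app.invalid').searchParams.get('access_token');
}

// Hypothetical auth gate. With guardLoginPages=false it models the loop;
// with true it models the fix: login pages render whatever token is attached.
function handle(req, { guardLoginPages }) {
  const path = new URL(req.url, 'http://app.invalid').pathname;
  if (LOGIN_PAGES.has(path)) {
    if (guardLoginPages) return { status: 200 };
  }
  const token = extractToken(req);
  if (token === null) {
    return LOGIN_PAGES.has(path) ? { status: 200 } : { status: 302, location: '/login' };
  }
  const state = TOKENS.get(token);
  if (state === 'valid') return { status: 200 };
  const location = state === 'revoked' ? '/login/token-revoked' : '/login';
  return { status: 302, location };
}

// Client that attaches the Bearer header to every request, redirects included.
function follow(startUrl, token, opts, maxHops = 20) {
  let url = startUrl;
  for (let hops = 0; hops < maxHops; hops++) {
    const res = handle({ url, headers: { authorization: `Bearer ${token}` } }, opts);
    if (res.status !== 302) return { finalUrl: url, hops, looped: false };
    url = res.location;
  }
  return { finalUrl: url, hops: maxHops, looped: true };
}

console.log(follow('/home', 'old-token', { guardLoginPages: false }));
console.log(follow('/home', 'old-token', { guardLoginPages: true }));
```

The same `follow` helper is a convenient shape for a regression test: assert that every token state reaches a 200 within one hop.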