File: workhorse.rb

gitlab 17.6.5-19
# frozen_string_literal: true

# Internal API endpoints called by GitLab Workhorse.
module API
  module Internal
    class Workhorse < ::API::Base
      feature_category :not_owned # rubocop:todo Gitlab/AvoidFeatureCategoryNotOwned

      # Runs ahead of every route in this class. The Workhorse check comes
      # first, so nothing else happens for a request it rejects.
      # NOTE(review): verify_workhorse_api! is defined outside this file;
      # presumably it rejects requests that did not come from Workhorse.
      before do
        verify_workhorse_api!
        content_type Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE
      end

      helpers do
        # Tells whether the current request belongs to a known requester.
        #
        # Two sources are tried in order: the request authenticator, limited
        # to the :api request format, and then the warden session.
        #
        # @return [Boolean] true when either source yields a requester
        def request_authenticated?
          api_requester = Gitlab::Auth::RequestAuthenticator
            .new(request)
            .find_authenticated_requester([:api])
          return true if api_requester

          # Session fallback: the user is looked up from warden even though no
          # CSRF token is present. Web users may send the token in the POST
          # form data, and Workhorse does not forward that form data here.
          # NOTE(review): skipping CSRF is only sound while the `before`
          # filter keeps this route unreachable for direct browser requests;
          # re-check that assumption before changing the filter.
          warden = request.env['warden']
          return false if warden.nil?

          !!warden.authenticate
        end
      end

      namespace 'internal' do
        namespace 'workhorse' do
          # POST internal/workhorse/authorize_upload
          #
          # Tells an authenticated caller which temporary directory uploads
          # are written to. The response discloses a server-side filesystem
          # path, so the authentication check has to stay ahead of it.
          post 'authorize_upload' do
            unauthorized! unless request_authenticated?

            upload_tmp_dir = File.join(::Gitlab.config.uploads.storage_path, 'uploads/tmp')

            # Explicit 200; Grape would otherwise answer a POST with 201.
            status 200
            { TempPath: upload_tmp_dir }
          end
        end
      end
    end
  end
end