Improvements to authentication with a personal access token
What does this MR do?
Makes two improvements to the authentication logic when using access tokens:
- The current logic ignores a login (username) value when passed in with the token. The proposed change ensures the login value, when provided, matches the user associated with the provided token.
- The current logic accepts a personal access token in lieu of a password. This requires an awkward and likely unexpected repo URL format of https://:personal_access_token@gitlab.com/owner/repo. This is the opposite of the format supported by GitHub, which accepts the personal access token in lieu of the username. The proposed change would allow the personal access token to be accepted in lieu of the username or the password.
Are there points in the code the reviewer needs to double check?
Auth changes are always worthy of a double-check!
Why was this MR needed?
We implemented our own version of impersonation tokens in our GitLab fork, and we accepted this token as a username. The change to accept it as a password requires adoption by our users, and I feel the better solution is for GitLab to accept it as a username.
Screenshots (if relevant)
N/A
Does this MR meet the acceptance criteria?
-
Changelog entry added, if necessary -
Documentation created/updated -
API support added - Tests
-
Added for this feature/bug -
All builds are passing
-
-
Conform by the merge request performance guides -
Conform by the style guides -
Branch has no merge conflicts with master
(if it does - rebase it please) -
Squashed related commits together
What are the relevant issue numbers?
N/A