Do not regenerate the `lfs_token` every time `git-lfs-authenticate` is called (!6551) · Merge requests · GitLab.org / GitLab FOSS

Patricio Cano requested to merge lfs-ssh-authorization-fix into master Sep 27, 2016

What does this MR do?

Do not regenerate the lfs_token every time git-lfs-authenticate is called, instead return the saved token if one is present.

This was causing a lot of 401s, leading to 403s, as state in #22527 (closed)

As it turns out, when pushing a lot of LFS objects, the LFS client was calling git-lfs-authenticate in the middle of the request again. This caused the lfs_token to be regenerated. The problem lies in that the LFS client was not aware of this change, and was still using the old token. This caused all subsequent requests to fail with a 401 error.

Since HTTP Auth is protected by Rack Attack, this 401s where immediately flagged and resulted in the IP of the user being banned.

With this change, GitLab returns the value stored in Redis, if one is present, thus if the LFS client calls git-lfs-authenticate again during the request, the auth header will remain unchanged, allowing all subsequent requests to continue without issues.

What are the relevant issue numbers?

Fixes #22527 (closed)

cc @SeanPackham @jacobvosmaer-gitlab

Admin message

Admin message

Do not regenerate the `lfs_token` every time `git-lfs-authenticate` is called

What does this MR do?

What are the relevant issue numbers?

Merge request reports