Some fixes after rebase

app/controllers/application_controller.rb

@@ -99,36 +99,12 @@ class ApplicationController < ActionController::Base
     return try(:authenticated_user)
   end
-<<<<<<< HEAD
-  def authenticate_user_from_personal_access_token!
-    token = params[:private_token].presence || request.headers['PRIVATE-TOKEN'].presence
-
-    return unless token.present?
-
-    user = User.find_by_personal_access_token(token)
-
-    sessionless_sign_in(user)
-  end
-
-  # This filter handles authentication for atom request with an rss_token
-  def authenticate_user_from_rss_token!
-    return unless request.format.atom?
-
-    token = params[:rss_token].presence
-
-    return unless token.present?
-
-    user = User.find_by_rss_token(token)
-
-    sessionless_sign_in(user)
-=======
   # This filter handles private tokens, personal access tokens, and atom
   # requests with rss tokens
   def authenticate_sessionless_user!
     user = Gitlab::Auth::RequestAuthenticator.new(request).find_sessionless_user
     sessionless_sign_in(user) if user
->>>>>>> Add request throttles
   end
   def log_exception(exception)

lib/api/api_guard.rb

@@ -72,33 +72,16 @@ module API
         end
       end
-      def raise_unauthorized_error!
-        raise UnauthorizedError
-      end
-      # If token is presented and valid, then it sets @current_user.
-      #
-      # If the token does not have sufficient scopes to cover the requred scopes,
-      # then it raises InsufficientScopeError.
-      #
-      # If the token is expired, then it raises ExpiredError.
-      #
-      # If the token is revoked, then it raises RevokedError.
-      #
-      # If the token is not found (nil), then it returns nil
-      #
-      # Arguments:
-      #
-      #   scopes: (optional) scopes required for this guard.
-      #           Defaults to empty array.
-      def find_user_by_access_token(access_token)
-        scopes = scopes_registered_for_endpoint
-        # Expiration, revocation and scopes are verified in `find_user_by_access_token`
-        access_token = PersonalAccessToken.find_by(token: token)
-        raise UnauthorizedError unless access_token
-        access_token
+      private
+      def handle_return_value!(value, &block)
+        raise UnauthorizedError unless value
+        block_given? ? yield(value) : value
+      end
+      def private_token
+        params[PRIVATE_TOKEN_PARAM].presence || env[PRIVATE_TOKEN_HEADER].presence
       end
       # An array of scopes that were registered (using `allow_access_with_scope`)

lib/gitlab/auth/request_authenticator.rb

@@ -12,11 +12,11 @@ module Gitlab
       end
       def user
-        find_sessionless_user || find_session_user
+        find_sessionless_user || find_user_from_warden
       end
       def find_sessionless_user
-        find_user_by_private_token || find_user_by_rss_token || find_user_by_oauth_token
+        find_user_from_access_token || find_user_by_rss_token
       end
     end
   end

lib/gitlab/auth/user_auth_finders.rb

@@ -2,77 +2,67 @@ module Gitlab
   module Auth
     module UserAuthFinders
       # Check the Rails session for valid authentication details
-      def find_session_user
+      def find_user_from_warden
         request.env['warden']&.authenticate if verified_request?
       end
-      def find_user_by_private_token
-        token = private_token
-        return unless token.present?
-
-        user =
-          find_user_by_authentication_token(token) ||
-          find_user_by_personal_access_token(token)
-        raise_unauthorized_error! unless user
-        user
+      def find_user_by_rss_token
+        return unless request.format.atom?
+        token = request.params[:rss_token].presence
+        return unless token.present?
+        handle_return_value!(User.find_by_rss_token(token))
       end
-      def find_user_by_rss_token
-        return unless request.path.ends_with?('atom') || request.format.atom?
-        token = request.params[:rss_token].presence
-        return unless token.present?
-        user = User.find_by_rss_token(token)
-        raise_unauthorized_error! unless user
-        user
+      def find_user_from_access_token
+        return unless access_token
+        validate_access_token!
+        handle_return_value!(access_token&.user)
+      end
+      def validate_access_token!(scopes: [])
       end
-      def find_user_by_oauth_token
-        access_token = find_oauth_access_token
-        return unless access_token
-        find_user_by_access_token(access_token)
+      private
+      def handle_return_value!(value, &block)
+        return unless value
+        block_given? ? yield(value) : value
       end
-      private
+      def access_token
+        return @access_token if defined?(@access_token)
+
+        @access_token = find_oauth_access_token || find_personal_access_token
+      end
       def private_token
         request.params[:private_token].presence ||
           request.headers['PRIVATE-TOKEN'].presence
       end
-      def find_user_by_authentication_token(token_string)
-        User.find_by_authentication_token(token_string)
-      end
-
-      def find_user_by_personal_access_token(token_string)
-        access_token = PersonalAccessToken.find_by_token(token_string)
-        return unless access_token
-        find_user_by_access_token(access_token)
+      def find_personal_access_token
+        token = private_token.to_s
+        return unless token.present?
+        # Expiration, revocation and scopes are verified in `validate_access_token!`
+        handle_return_value!(PersonalAccessToken.find_by(token: token))
       end
       def find_oauth_access_token
-        return @oauth_access_token if defined?(@oauth_access_token)
-
         current_request = ensure_action_dispatch_request(request)
         token = Doorkeeper::OAuth::Token.from_request(current_request, *Doorkeeper.configuration.access_token_methods)
-        return @oauth_access_token = nil unless token
-
-        @oauth_access_token = OauthAccessToken.by_token(token)
-        raise_unauthorized_error! unless @oauth_access_token
-
-        @oauth_access_token.revoke_previous_refresh_token!
-        @oauth_access_token
-      end
-      def find_user_by_access_token(access_token)
-        access_token&.user
+        return unless token
+        # Expiration, revocation and scopes are verified in `validate_access_token!`
+        handle_return_value!(OauthAccessToken.by_token(token)) do |oauth_token|
+          oauth_token.revoke_previous_refresh_token!
+          oauth_token
+        end
       end
       # Check if the request is GET/HEAD, or if CSRF token is valid.
@@ -85,10 +75,6 @@ module Gitlab
         ActionDispatch::Request.new(request.env)
       end
-
-      def raise_unauthorized_error!
-        return nil
-      end
     end
   end
 end