From e00b07b978a9fb4f368f69aab99cfd105ab5b6b3 Mon Sep 17 00:00:00 2001
From: James Edwards-Jones <jedwardsjones@gitlab.com>
Date: Sat, 20 Jul 2019 14:30:26 +0100
Subject: [PATCH] JwtController avoids activating session checks

This used without a session and issues a sessionless token, so we
should avoid causing access checks based on the session.
---
 app/controllers/jwt_controller.rb    | 1 +
 spec/requests/jwt_controller_spec.rb | 8 ++++++++
 2 files changed, 9 insertions(+)

diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb
index 5ecf4f114cf..da39d64c93d 100644
--- a/app/controllers/jwt_controller.rb
+++ b/app/controllers/jwt_controller.rb
@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 class JwtController < ApplicationController
+  skip_around_action :set_session_storage
   skip_before_action :authenticate_user!
   skip_before_action :verify_authenticity_token
   before_action :authenticate_project_or_user
diff --git a/spec/requests/jwt_controller_spec.rb b/spec/requests/jwt_controller_spec.rb
index bba473f1c20..8b2c698fee1 100644
--- a/spec/requests/jwt_controller_spec.rb
+++ b/spec/requests/jwt_controller_spec.rb
@@ -108,6 +108,14 @@ describe JwtController do
           end
         end
       end
+
+      it 'does not cause session based checks to be activated' do
+        expect(Gitlab::Session).not_to receive(:with_session)
+
+        get '/jwt/auth', params: parameters, headers: headers
+
+        expect(response).to have_gitlab_http_status(200)
+      end
     end
 
     context 'using invalid login' do
-- 
GitLab