
Implement JWT authentication for writable endpoints

Chad requested to merge jwt-auth into main

Utilizes the JWKS endpoint from Gitlab to fetch the appropriate public key for decoding the payload.

Token is then verified against the path such that the request path begins with /v2/{project_path}. This means that Docker images that are subpaths of a given project would also be permitted (i.e. a project of foo/bar could publish images at foo/bar and foo/bar/baz but not, say, foo/derp).

  • endpoints without @jwt_required are unchanged
  • omitting the JWT yells at you with a 401 and "Missing Authorization Header"
  • providing a bogus JWT yells at you appropriately with a 422
  • trying to operate on a repo not included in project_path responds with a 403

Bug: T323394

Edited by Chad
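The authorization rule described in this merge request, as an added example rather than the MR's own code. It assumes a Bearer token in the Authorization header and a claim named `project_path` (the page does not name the claim); signature verification against the GitLab JWKS key is delegated to a caller-supplied `decode_token` function, and "begins with /v2/{project_path}" is implemented on whole path segments so that foo/bar covers foo/bar/baz but not foo/barbaz.

```python
from typing import Callable, Mapping


def path_permitted(request_path: str, project_path: str) -> bool:
    """True if request_path is /v2/{project_path} or a subpath of it.

    Segments are compared whole, so a project of foo/bar permits
    /v2/foo/bar/... and /v2/foo/bar/baz/... but not /v2/foo/derp/...
    or /v2/foo/barbaz/... (a plain string prefix test would allow the latter).
    """
    req = [s for s in request_path.split("/") if s]
    proj = [s for s in project_path.strip("/").split("/") if s]
    if not proj or not req or req[0] != "v2":
        return False
    return req[1:1 + len(proj)] == proj


class AuthError(Exception):
    """Carries the HTTP status the endpoint should respond with."""

    def __init__(self, status: int, message: str) -> None:
        super().__init__(message)
        self.status = status
        self.message = message


def authorize(headers: Mapping[str, str], request_path: str,
              decode_token: Callable[[str], Mapping[str, str]]) -> Mapping[str, str]:
    """Apply the MR's behaviour: 401 missing header, 422 bad token, 403 wrong repo.

    decode_token(token) must return the verified claims (e.g. via a JWKS-backed
    JWT library) or raise ValueError when the token is not valid.
    """
    auth = headers.get("Authorization", "")
    if not auth:
        raise AuthError(401, "Missing Authorization Header")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise AuthError(401, "Bad Authorization header")
    try:
        claims = decode_token(token)
    except ValueError as exc:
        raise AuthError(422, f"Invalid token: {exc}")
    project_path = claims.get("project_path")  # assumed claim name
    if not project_path or not path_permitted(request_path, project_path):
        raise AuthError(403, "Token is not valid for this repository")
    return claims
```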
