GetJobTokensJob should not include the private token in the request headers #1644
Comments
As a workaround I can do
But this heavily relies on the implementation detail that in |
I think you want to use
c, err := gitlab.NewJobClient("")
if err != nil {
	// do what you want
}
opt := &gitlab.GetJobTokensJobOptions{JobToken: gitlab.String("job_token")}
job, resp, err := c.Jobs.GetJobTokensJob(opt)
...
And I think you can even do this (I might be wrong though):
c, err := gitlab.NewJobClient("the_token_youre_looking_for")
...
job, resp, err := c.Jobs.GetJobTokensJob(nil)
Since |
What is the cost of generating a new job client for every such job-token? It feels a bit overhead to create a client for a single request and then dump it again, but if client creation is a cheap operation that could be an option too. |
@finkandreas I haven't tried it, but maybe initialize the |
Creating a new client isn't super expensive, but it also isn't cheap as it creates and allocates a new struct for every (currently 108) service. We could potentially add a |
@theoriginalstove You are right, I can create a @svanharmelen I think the expected behaviour is that any type of client "just works", as long as it is not documented otherwise. |
Yeah, well I guess that is quite dependent on what is documented by GitLab and by what actually works with the GitLab API (which isn't always that obvious). Feel free to open a PR if you think some additional comments on the different clients would be beneficial... |
For now I opened a ticket with gitlab, let's see what they have to say: https://gitlab.com/gitlab-org/gitlab/-/issues/391924 |
In a nutshell, with the header one gets
{"message":"404 Job Not Found"}
Reproducer: Get a valid job token, and test with curl
Interestingly MY_GITLAB_TOKEN would have access to the job that it wants to access, but apparently Gitlab does not like to mix the two tokens.
Would it be possible to discard the header
Private-Token
for this specific request?
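One client-side way to get the behaviour asked for above, as an added example that is not part of the thread or of go-gitlab's code: an `http.RoundTripper` that drops `Private-Token` whenever a job token is also present, exercised against a constructed mock that mimics the reported 404. The `Job-Token` header name and the `/api/v4/job` path are assumptions taken from GitLab's API documentation rather than from this page; `dropPrivateToken`, `mockGitLab`, `getJob` and the token values are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// dropPrivateToken strips Private-Token from requests that also carry a Job-Token.
type dropPrivateToken struct{ next http.RoundTripper }

func (d dropPrivateToken) RoundTrip(req *http.Request) (*http.Response, error) {
	if req.Header.Get("Job-Token") != "" && req.Header.Get("Private-Token") != "" {
		req = req.Clone(req.Context()) // a RoundTripper must not modify the caller's request
		req.Header.Del("Private-Token")
	}
	return d.next.RoundTrip(req)
}

// mockGitLab is a constructed handler mimicking the reported behaviour: 404 if Private-Token is sent.
func mockGitLab(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get("Private-Token") != "" {
		http.Error(w, `{"message":"404 Job Not Found"}`, http.StatusNotFound)
		return
	}
	fmt.Fprint(w, `{"id":1}`)
}

// getJob sends GET /api/v4/job with both tokens set and returns the HTTP status code.
func getJob(baseURL string, rt http.RoundTripper) (int, error) {
	req, err := http.NewRequest(http.MethodGet, baseURL+"/api/v4/job", nil)
	if err != nil {
		return 0, err
	}
	req.Header.Set("Private-Token", "constructed-private-token")
	req.Header.Set("Job-Token", "constructed-job-token")
	resp, err := (&http.Client{Transport: rt}).Do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	srv := httptest.NewServer(http.HandlerFunc(mockGitLab))
	defer srv.Close()
	fmt.Println(getJob(srv.URL, http.DefaultTransport))                   // prints "404 <nil>"
	fmt.Println(getJob(srv.URL, dropPrivateToken{http.DefaultTransport})) // prints "200 <nil>"
}
```

A transport like this could be handed to go-gitlab through an `http.Client` passed with `gitlab.WithHTTPClient`, which also keeps the long-lived private token off requests that only need the job token.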