To prevent an OAuth2 covert redirect vulnerability, this commit adds and
uses an alias for the GitHub and BitBucket OAuth2 callback URLs to the
following paths:
GitHub: /users/auth/-/import/github
Bitbucket: /users/auth/-/import/bitbucket
This allows admins to put a more restrictive callback URL in the OAuth2
configuration settings. Instead of https://example.com, admins can now use:
https://example.com/users/auth
It's possible but not trivial to change Devise and OmniAuth to use a
different prefix for callback URLs instead of /users/auth. For now,
aliasing the import URLs under the /users/auth namespace should suffice.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/56663
Importing a project from GitHub for a project namespace that already exists
would show an unhelpful error, "An error occurred while importing project."
We now add the base message from Projects::CreateService when this fails.
Closes#47365
and request them each session. Pass these tokens to the project import data.
This prevents the need to encrypt these tokens and clear them in case they
expire or get revoked.
For example, if you deleted and re-created OAuth2 keys for Bitbucket, you would get
an Error 500 with no way to recover:
```
Started GET "/import/bitbucket/status" for x.x.x.x at 2015-08-07 05:24:10 +0000
Processing by Import::BitbucketController#status as HTML
Completed 500 Internal Server Error in 607ms (ActiveRecord: 2.3ms)
NameError (uninitialized constant Import::BitbucketController::Unauthorized):
app/controllers/import/bitbucket_controller.rb:77:in `rescue in go_to_bitbucket_for_permissions'
app/controllers/import/bitbucket_controller.rb:74:in `go_to_bitbucket_for_permissions'
app/controllers/import/bitbucket_controller.rb:86:in `bitbucket_unauthorized'
```
Closes#1871
GitLab Bot
Martin Wortschack
Stan Hu
gfyoung
Yorick Peterse
Tiago Botelho
Horatiu Eugen Vlad
Clement Ho
Valery Sizov
Douglas Barbosa Alexandre
Grzegorz Bizon
Valery Sizov
Douwe Maan
Jeroen van Baarsen