-rw-r--r-- | lib/gitlab/auth/user_auth_finders.rb | 5 | ||||
-rw-r--r-- | spec/lib/gitlab/auth/user_auth_finders_spec.rb | 8 |
2 files changed, 10 insertions, 3 deletions
diff --git a/lib/gitlab/auth/user_auth_finders.rb b/lib/gitlab/auth/user_auth_finders.rb
index 69a5340e38d..bba7e2cbb3c 100644
--- a/lib/gitlab/auth/user_auth_finders.rb
+++ b/lib/gitlab/auth/user_auth_finders.rb
@@ -102,7 +102,8 @@ module Gitlab
token = parsed_oauth_token
return unless token
- return if oauth_compliant_personal_access_token?(token)
+ # PATs with OAuth headers are not handled by OauthAccessToken
+ return if matches_personal_access_token_length?(token)
# Expiration, revocation and scopes are verified in `validate_access_token!`
oauth_token = OauthAccessToken.by_token(token)
@@ -116,7 +117,7 @@ module Gitlab
Doorkeeper::OAuth::Token.from_request(current_request, *Doorkeeper.configuration.access_token_methods)
end
- def oauth_compliant_personal_access_token?(token)
+ def matches_personal_access_token_length?(token)
token.length == PersonalAccessToken::TOKEN_LENGTH
end
diff --git a/spec/lib/gitlab/auth/user_auth_finders_spec.rb b/spec/lib/gitlab/auth/user_auth_finders_spec.rb
index 3636ecbd45c..4751f880cee 100644
--- a/spec/lib/gitlab/auth/user_auth_finders_spec.rb
+++ b/spec/lib/gitlab/auth/user_auth_finders_spec.rb
@@ -139,12 +139,18 @@ describe Gitlab::Auth::UserAuthFinders do
end
end
- context 'when token is given in OAuth format' do
+ context 'with OAuth headers' do
it 'returns user' do
env['HTTP_AUTHORIZATION'] = "Bearer #{personal_access_token.token}"
expect(find_user_from_access_token).to eq user
end
+
+ it 'returns exception if invalid personal_access_token' do
+ env['HTTP_AUTHORIZATION'] = 'Bearer invalid_20byte_token'
+
+ expect { find_personal_access_token }.to raise_error(Gitlab::Auth::UnauthorizedError)
+ end
end
end |
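Review bot: The new comment above `return if matches_personal_access_token_length?(token)` states the intent but not the failure mode of a length-only check: any bearer token whose length equals PersonalAccessToken::TOKEN_LENGTH returns before the `OauthAccessToken.by_token(token)` lookup, so a Doorkeeper-issued token of exactly that length would never be resolved here (presumably Doorkeeper tokens are longer, but nothing in the hunk enforces that). I would extend the comment to name the assumption and the coupling: `# Length heuristic: a token of exactly PersonalAccessToken::TOKEN_LENGTH is assumed to be a PAT and skipped here; relies on Doorkeeper never issuing tokens of that length`. The enclosing method starts and ends outside the hunk, so I cannot see whether the caller falls back to a PAT lookup for the skipped token; if it does, that is worth stating in the same comment. The `matches_personal_access_token_length?` rename in the second hunk needs nothing further.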
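Review bot: The new example `it 'returns exception if invalid personal_access_token'` hard-codes the 20-character literal `'Bearer invalid_20byte_token'`, so it only exercises the length-match branch while PersonalAccessToken::TOKEN_LENGTH stays at the value the literal's name implies; if the constant changes, the example would likely still pass (an unknown token is rejected either way) while no longer covering that path. Derive the token from the constant instead, e.g. `env['HTTP_AUTHORIZATION'] = "Bearer #{'a' * PersonalAccessToken::TOKEN_LENGTH}"`. The description also says "returns" for behaviour that raises; `it 'raises UnauthorizedError for an invalid personal access token'` reads more accurately. The enclosing `describe` and the outer `context` start outside the hunk.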