Cannot access private repo release files through API using bearer token anymore #25257

Closed
enz1ey opened this issue Jun 14, 2023 · 14 comments · Fixed by #25639 or #26430

@enz1ey

enz1ey commented Jun 14, 2023

Description

Apparently an RC release was pushed to Docker instances using the "latest" tag, so my Gitea instance is now running 1.20.0rc and I cannot downgrade. Since updating, I am no longer able to download files over HTTPS using my token. I am attempting to access the file URL and I am getting 404 errors. If I make the repository public, I am able to download the files just fine.

This bearer token works when listing releases via the API, just not downloading them. Nothing else has changed in my instance.

Gitea Version

1.20.0+rc0-48-g3afc3e4a7

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Docker

Database

MySQL

@lunny
Member

lunny commented Jun 15, 2023

What's your download url?

@enz1ey
Author

enz1ey commented Jun 21, 2023

> What's your download url?

An example of a browser_download_url would be: https://git.my-domain.com/Owner/Repo/releases/download/20.1.34.78/FileName.exe

I am sending a GET request to this URL with a bearer token which is confirmed working elsewhere, as this is a private repository but I can still list releases and their assets.

I have also tested browsing to this exact URL inside an authenticated browser session, and I am able to download the file, so it's certainly not an issue with the URL.

@CMiksche

CMiksche commented Jun 28, 2023

I have the same problem (with 1.20.0-rc2). I noticed it still works when a session is already open and the user is authenticated...

@lunny
Member

lunny commented Jun 29, 2023

> > What's your download url?
>
> An example of a browser_download_url would be: https://git.my-domain.com/Owner/Repo/releases/download/20.1.34.78/FileName.exe
>
> I am sending a GET request to this URL with a bearer token which is confirmed working elsewhere, as this is a private repository but I can still list releases and their assets.
>
> I have also tested browsing to this exact URL inside an authenticated browser session, and I am able to download the file, so it's certainly not an issue with the URL.

There is no route like releases/download.

@lunny lunny added this to the 1.20.0 milestone Jun 29, 2023
@CMiksche

> There is no route like releases/download.

There is. See https://gitea.com/gitea/act_runner/releases/download/v0.2.0/act_runner-0.2.0-darwin-amd64

@lunny
Member

lunny commented Jun 29, 2023

Yes, I found the problem. I just searched the API routes and found that the attachment download URLs in fact point to web routes, and web routes have removed support for token authentication. I think to resolve the bug, we have two options.

  1. Create a new download route in the API routes and return those URLs in the API releases list.
  2. Make the web route download support token authentication.

@CMiksche

> I think to resolve the bug, we have two options.

While 2. would probably be easier, I guess there was some good reason why token authentication was removed from the web routes. If we add token auth there again and somebody makes changes in the web routes, they probably don't think that this will affect the API routes.

So I think 1. is the better way because this is in line with the architecture of Gitea.
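
The route split discussed above, as an added Go model (an illustration written for this page, not Gitea's code): a web download route that honours only a browser session and an option-1 API route that honours only a bearer token. The credentials, the `session` cookie name and the API path are assumptions constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed sample credentials for this model; not real Gitea values.
const sampleToken, sampleSession = "constructed-token", "constructed-session"

// Web routes trust only the session cookie; API routes only the bearer token.
func sessionAuth(r *http.Request) bool {
	c, err := r.Cookie("session")
	return err == nil && subtle.ConstantTimeCompare([]byte(c.Value), []byte(sampleSession)) == 1
}
func tokenAuth(r *http.Request) bool {
	return subtle.ConstantTimeCompare([]byte(r.Header.Get("Authorization")), []byte("Bearer "+sampleToken)) == 1
}

// guard serves the asset to an authenticated caller and answers 404 otherwise.
func guard(authed func(*http.Request) bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !authed(r) {
			http.NotFound(w, r)
			return
		}
		fmt.Fprint(w, "asset-bytes")
	}
}

// status sends one GET and returns the HTTP status; empty credentials never match.
func status(path, bearer, session string) int {
	mux := http.NewServeMux()
	// Web route, same shape as the browser_download_url in the issue.
	mux.Handle("/Owner/Repo/releases/download/", guard(sessionAuth))
	// Option 1: token-authenticated API download route (hypothetical path).
	mux.Handle("/api/v1/repos/Owner/Repo/releases/assets/", guard(tokenAuth))
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("Authorization", "Bearer "+bearer)
	req.AddCookie(&http.Cookie{Name: "session", Value: session})
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(status("/Owner/Repo/releases/download/20.1.34.78/FileName.exe", sampleToken, ""))
}
```

With this split, a client that reads `browser_download_url` from the API and replays its token against the web route sees the 404 reported here, while the same URL succeeds in a logged-in browser.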

@lunny
Member

lunny commented Jul 3, 2023

We can implement a new API like https://docs.github.com/en/rest/releases/assets?apiVersion=2022-11-28 and change the release download url to the new URL.
The API has been implemented in https://github.com/go-gitea/gitea/blob/main/routers/api/v1/repo/release_attachment.go#L21, so we just need to return the correct asset URL from API requests.

silverwind pushed a commit that referenced this issue Jul 10, 2023
Fix #25257

---------

Co-authored-by: Giteabot <teabot@gitea.io>
GiteaBot added a commit to GiteaBot/gitea that referenced this issue Jul 10, 2023
Fix go-gitea#25257

---------

Co-authored-by: Giteabot <teabot@gitea.io>
KN4CK3R pushed a commit that referenced this issue Jul 10, 2023
Backport #25639 by @lunny

Fix #25257

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
@CMiksche

I just wanted to inform that the issue still persists with the stable version 1.20...

@lunny lunny reopened this Jul 19, 2023
@lunny
Member

lunny commented Jul 19, 2023

@wxiaoguang wxiaoguang modified the milestones: 1.20.0, 1.20.1 Jul 21, 2023
@delvh delvh removed this from the 1.20.1 milestone Jul 22, 2023
@kirbylink

I also noticed the bug in my local Gitea (version 1.20.1).
The general API call with my applications and an API token works.
Only the download still fails with 404.
Current version is fetched via the API and the browserDownloadUrl is called with the API token.
If I call up the URL in the browser with the user logged in, the download works.

@lunny
Member

lunny commented Jul 27, 2023

#25639 missed a change, and I think #26175 #26430 should fix it.

@xiaoxinpro

The issue persists in the latest 1.20.4 release

I wonder if this will be fixed

Because I am waiting for this issue to be fixed before I can upgrade to 1.20.x, otherwise I will be stuck with 1.19.3

@lunny
Member

lunny commented Sep 8, 2023

Sorry, forgot my PR #26430

lunny added a commit that referenced this issue Oct 1, 2023
…at (#26430) (#27379)

Backport #26430 by @lunny

Fix #26165
Fix #25257

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
lunny added a commit that referenced this issue Oct 1, 2023
…at (#26430) (#27378)

Backport #26430 by @lunny

Fix #26165
Fix #25257

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 16, 2023