
Download release asset using api key no longer working #26165

Closed
johanvdw opened this issue Jul 26, 2023 · 7 comments · Fixed by #26430
Comments

@johanvdw
Contributor

johanvdw commented Jul 26, 2023

Description

We are using the api to find out which releases exist for a specific repository. Until 1.19.3 we were able to download those assets as well when passing the api key in the header to the browser_download_url which is part of the listing at
https://git.fluves.net/api/swagger#/repository/repoGetReleaseByTag

This no longer works in 1.20.1 (not checked versions between 1.19.3 and 1.20.1).

The headers we pass are:

headers = {
    "Authorization": f"token {gitea_token}",
    "Content-Type": "application/json",
    "Accept": "application/json",
}

this works for the api, but no longer for the download. The URL given works if I use it from a browser where I logged in manually.

Gitea Version

1.20.1

Can you reproduce the bug on the Gitea demo site?

Yes:

Building an example at try.gitea.org

I generated a new token with read:package and read:repository rights.
c44ec64232370bc06c9f4aa8c2c67e0121ccc72b
(nothing valuable is in the repo, it is safe to share this).

e.g. if I go to:
https://try.gitea.io/api/v1/repos/johanvdw/bug26165/releases/
and then try to open
https://try.gitea.io/johanvdw/bug26165/releases/download/0.1/README.txt

curl -X 'GET' \
  'https://try.gitea.io/api/v1/repos/johanvdw/bug26165/releases/tags/0.1?token=c44ec64232370bc06c9f4aa8c2c67e0121ccc72b' \
  -H 'accept: application/json'

response:

{
  "id": 10386849,
  "tag_name": "0.1",
  "target_commitish": "main",
  "name": "test",
  "body": "test",
  "url": "https://try.gitea.io/api/v1/repos/johanvdw/bug26165/releases/10386849",
  "html_url": "https://try.gitea.io/johanvdw/bug26165/releases/tag/0.1",
  "tarball_url": "https://try.gitea.io/johanvdw/bug26165/archive/0.1.tar.gz",
  "zipball_url": "https://try.gitea.io/johanvdw/bug26165/archive/0.1.zip",
  "draft": false,
  "prerelease": false,
  "created_at": "2023-07-26T13:02:36Z",
  "published_at": "2023-07-26T13:02:36Z",
  "author": {
...
  },
  "assets": [
    {
      "id": 3458,
      "name": "README.txt",
      "size": 53,
      "download_count": 1,
      "created_at": "2023-07-26T13:03:22Z",
      "uuid": "fe39078d-5858-4afb-a71f-115a313f3cb9",
      "browser_download_url": "https://try.gitea.io/johanvdw/bug26165/releases/download/0.1/README.txt"
    }
  ]
}

will give me a browser_download_url in assets, but I'm not able to use that to download the file.

curl -X 'GET'  https://try.gitea.io/johanvdw/bug26165/releases/download/0.1/README.txt
Not found.

Similar results when specifying a token (the first variant was definitely working in 1.19).

curl -X 'GET'  https://try.gitea.io/johanvdw/bug26165/releases/download/0.1/README.txt -H 'Authorization: token c44ec64232370bc06c9f4aa8c2c67e0121ccc72b'
curl -X 'GET'  https://try.gitea.io/johanvdw/bug26165/releases/download/0.1/README.txt?token=c44ec64232370bc06c9f4aa8c2c67e0121ccc72b

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Docker.

Database

PostgreSQL

@johanvdw
Contributor Author

Even more interestingly:

curl -X 'GET' https://try.gitea.io/johanvdw/bug26165/releases/download/0.1/README.txt -u johanvdw:PASSWORD
You should be able to fetch this file using a token.

@JakobDev
Contributor

The download route was changed in #23891, but according to

gitea/routers/web/web.go

Lines 868 to 869 in 79995a8

// ***** Release Attachment Download without Signin
m.Get("/{username}/{reponame}/releases/download/{vTag}/{fileName}", ignSignIn, context.RepoAssignment, repo.MustBeNotEmpty, repo.RedirectDownload)

the new route should also be available without sign in

@johanvdw
Contributor Author

Thanks for your quick reply. Our repositories are private anyway, so we need some kind of signin to download the files.

@JakobDev
Contributor

The /attachments/<uuid> route, which was used before, is always public. This is not a problem, because you can't predict the URL. A UUID which you don't know is as safe as a password which you don't know.

Release assets are technically attachments. You can still download the asset using the /attachments/<uuid> route, if you know the UUID.

The /attachments/<uuid> and the /releases/download/ routes are handled by the web router and not the API router. Both use different authentication, so it is not possible (without a major rewrite) to allow downloads from the /releases/download/ route with an API key.

I guess the easiest solution here is to add a new attachments_download_url to the API response which gives you the /attachments/<uuid> URL, that you can use without authentication. I can take a look at this tomorrow.

@johanvdw
Contributor Author

johanvdw commented Jul 26, 2023

The uuid is given in the api response, so if I understand you correctly I should be able to get

Also note the error I get:

johan@x1:/tmp$  curl -X 'GET' https://try.gitea.io/attachments/fe39078d-5858-4afb-a71f-115a313f3cb9/ -H 'Authorization: token c44ec64232370bc06c9f4aa8c2c67e0121ccc72b'
You should be able to fetch this file using a token.
johan@x1:/tmp$  curl -X 'GET' https://try.gitea.io/attachments/fe39078d-5858-4afb-a71f-115a313f3cb9?token=c44ec64232370bc06c9f4aa8c2c67e0121ccc72b
You should be able to fetch this file using a token.

@johanvdw
Contributor Author

johanvdw commented Jul 26, 2023

Okay, now this was interesting: the attachment route does actually work with the token. The "error" I had (You should be able to fetch this file using a token) is just the content of the README.md file which I uploaded. That also explains why I could not grep that error anywhere in the code.

So: downloading using the attachment path works with token and basic auth. For the newer, nicer path, basic auth works but token does not. I think the latter is inconsistent, but in the meantime we can update our script to use the uuid method for a while.
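
The workaround the two comments above converge on (list assets through the API, then fetch each one through /attachments/<uuid> rather than /releases/download/<tag>/<name>) as an added, runnable example. This is not code from the issue author or from Gitea; the sample release JSON is a trimmed copy of the response quoted in the issue, and the size check against the API's declared asset size is an assumption about what a careful client should verify, not something Gitea requires:

```python
# Added example for this thread; not code from the issue author or from Gitea.
# Flow: take a release as returned by the API, build the /attachments/<uuid>
# URL for each asset (the route the thread found to accept the API token),
# download it with the token in the Authorization header, and verify that the
# byte count matches the size the API declared for the asset.
import json
import uuid
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: trimmed copy of the release JSON quoted in the issue.
SAMPLE_RELEASE = json.loads("""
{
  "tag_name": "0.1",
  "html_url": "https://try.gitea.io/johanvdw/bug26165/releases/tag/0.1",
  "assets": [
    {
      "id": 3458,
      "name": "README.txt",
      "size": 53,
      "uuid": "fe39078d-5858-4afb-a71f-115a313f3cb9",
      "browser_download_url": "https://try.gitea.io/johanvdw/bug26165/releases/download/0.1/README.txt"
    }
  ]
}
""")


def auth_header(token):
    """Token header in the form the issue description uses for API calls."""
    return {"Authorization": f"token {token}"}


def api_headers(token):
    """Headers for JSON API calls (the attachments route gets only the token)."""
    return {**auth_header(token), "Accept": "application/json"}


def site_root(release):
    """Derive 'https://host' from the release's html_url, so the instance
    is never hard-coded and the attachment URL stays on the same host."""
    parts = urlsplit(release["html_url"])
    return urlunsplit((parts.scheme, parts.netloc, "", "", ""))


def attachment_url(release, asset):
    """Build the /attachments/<uuid> URL for one asset.

    The uuid value comes from a JSON response, so it is parsed as a real UUID
    before it is placed in a path; a malformed value raises ValueError instead
    of producing a URL that points somewhere else on the server.
    """
    parsed = uuid.UUID(asset["uuid"])
    return f"{site_root(release)}/attachments/{parsed}"


def verify_download(asset, data):
    """Compare the bytes received with the size the API declared.

    The thread shows how easily file content and error text get confused;
    a size mismatch is a cheap signal that an error or login page, not the
    asset, was saved. Returns True on match, raises ValueError otherwise.
    """
    declared = asset["size"]
    if len(data) != declared:
        raise ValueError(
            f"{asset['name']}: received {len(data)} bytes, API declared {declared}"
        )
    return True


def download_asset(release, asset, token, timeout=30):
    """Fetch one asset through the attachments route using the API token."""
    req = urllib.request.Request(attachment_url(release, asset), headers=auth_header(token))
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        data = resp.read()
    verify_download(asset, data)
    return data


def download_release(release, token):
    """Return {asset name: bytes} for every asset of a release."""
    return {a["name"]: download_asset(release, a, token) for a in release["assets"]}


if __name__ == "__main__":
    # Offline demonstration: print the URL the script would fetch per asset.
    for a in SAMPLE_RELEASE["assets"]:
        print(a["name"], "->", attachment_url(SAMPLE_RELEASE, a))
```

To use it against a live instance, load the release JSON from /api/v1/repos/{owner}/{repo}/releases/tags/{tag} with api_headers(token), then call download_release(release, token). The UUID parsing and the size check are the two defensive touches: the first keeps a tampered or malformed API field from steering the request to another path, the second catches the case where the server answers with something other than the asset.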

@CMiksche

FYI: This bug was already discussed in #25257

lunny added a commit that referenced this issue Oct 1, 2023
…at (#26430) (#27379)

Backport #26430 by @lunny

Fix #26165
Fix #25257

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
lunny added a commit that referenced this issue Oct 1, 2023
…at (#26430) (#27378)

Backport #26430 by @lunny

Fix #26165
Fix #25257

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 16, 2023