Cannot access private repo release files through API using bearer token anymore #11025

Closed
opened 2025-11-02 09:25:27 -06:00 by GiteaMirror · 14 comments

Originally created by @enz1ey on GitHub (Jun 14, 2023).

Description

Apparently an RC release was pushed to Docker instances using the "latest" tag, so my Gitea instance is now running 1.20.0rc and I cannot downgrade. Since updating, I am no longer able to download files over HTTPS using my token. I am attempting to access the file URL and I am getting 404 errors. If I make the repository public, I am able to download the files just fine.

This bearer token works when listing releases via the API, just not downloading them. Nothing else has changed in my instance.

Gitea Version

1.20.0+rc0-48-g3afc3e4a7

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Docker

Database

MySQL

GiteaMirror added the type/bug label 2025-11-02 09:25:27 -06:00

@lunny commented on GitHub (Jun 15, 2023):

What's your download url?


@enz1ey commented on GitHub (Jun 21, 2023):

> What's your download url?

An example of a `browser_download_url` would be: https://git.my-domain.com/Owner/Repo/releases/download/20.1.34.78/FileName.exe

I am sending a GET request to this URL with a bearer token which is confirmed working elsewhere, as this is a private repository but I can still list releases and their assets.

I have also tested browsing to this exact URL inside an authenticated browser session, and I am able to download the file, so it's certainly not an issue with the URL.

@CMiksche commented on GitHub (Jun 28, 2023):

I have the same problem (with 1.20.0-rc2). I noticed it still works when a session is already open and the user authenticated....


@lunny commented on GitHub (Jun 29, 2023):

> > What's your download url?
>
> An example of a `browser_download_url` would be: https://git.my-domain.com/Owner/Repo/releases/download/20.1.34.78/FileName.exe
>
> I am sending a GET request to this URL with a bearer token which is confirmed working elsewhere, as this is a private repository but I can still list releases and their assets.
>
> I have also tested browsing to this exact URL inside an authenticated browser session, and I am able to download the file, so it's certainly not an issue with the URL.

~There is no route like `releases/download`.~

@CMiksche commented on GitHub (Jun 29, 2023):

> There is no route like `releases/download`.

There is. See https://gitea.com/gitea/act_runner/releases/download/v0.2.0/act_runner-0.2.0-darwin-amd64

@lunny commented on GitHub (Jun 29, 2023):

Yes, I found the problem. I just searched the API routes and found that the attachment download URLs in fact point to web routes, and web routes have removed support for token authentication. I think to resolve the bug, we have two options.

  1. Create a new download route in the API routes and return those URLs in the API releases list.
  2. Make the web route download support token authentication.
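The diagnosis in the comment above, modelled as an added example (not Gitea's code and not part of the original thread): a toy server with an API route group that accepts a bearer token and a web route group that accepts only a session cookie. The paths, token and cookie values are constructed, and `apiDownload` is a hypothetical route standing in for option 1.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed sample values and paths; apiDownload is a hypothetical route.
const (
	sampleToken, sampleSession = "example-token", "example-session"
	apiList                    = "/api/v1/repos/Owner/Repo/releases"
	webDownload                = "/Owner/Repo/releases/download/v1/file.bin"
	apiDownload                = "/api/v1/repos/Owner/Repo/releases/assets/1/download"
)

// routes maps each path to its group: true = API (token), false = web (session).
var routes = map[string]bool{apiList: true, webDownload: false, apiDownload: true}

// authed applies the check of the route group the request landed in.
func authed(r *http.Request, api bool) bool {
	if api {
		return r.Header.Get("Authorization") == "Bearer "+sampleToken
	}
	c, err := r.Cookie("session")
	return err == nil && c.Value == sampleSession
}

// serve answers 404 for unknown paths and for callers failing the group's check.
func serve(w http.ResponseWriter, r *http.Request) {
	api, ok := routes[r.URL.Path]
	if !ok || !authed(r, api) {
		http.NotFound(w, r)
		return
	}
	fmt.Fprint(w, "ok")
}

// status sends one GET with the given credentials and returns the status code.
func status(path, token, session string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	req.AddCookie(&http.Cookie{Name: "session", Value: session})
	rec := httptest.NewRecorder()
	serve(rec, req)
	return rec.Code
}

func main() { fmt.Println(status(apiList, sampleToken, ""), status(webDownload, sampleToken, "")) }
```

The same token that lists releases gets a 404 on the web download path, while a session cookie on that path, or the token on an API-side download path, succeeds.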

@CMiksche commented on GitHub (Jun 29, 2023):

> I think to resolve the bug, we have two options.

While 2. would probably be easier, I guess there was some good reason why token authentication was removed from the web routes. If we add token auth there again and somebody makes changes in the web routes, they probably don't think that this will affect the API routes.

So I think 1. is the better way because this is in line with the architecture of Gitea.

@lunny commented on GitHub (Jul 3, 2023):

~We can implement a new API like https://docs.github.com/en/rest/releases/assets?apiVersion=2022-11-28 and change the release download url to the new URL.~
The API has been implemented in https://github.com/go-gitea/gitea/blob/main/routers/api/v1/repo/release_attachment.go#L21, so we just need to return the correct asset URL from API requests.

@CMiksche commented on GitHub (Jul 18, 2023):

I just wanted to inform that the issue still persists with the stable version 1.20...


@lunny commented on GitHub (Jul 19, 2023):

https://gitea.com/api/v1/repos/gitea/act_runner/releases


@kirbylink commented on GitHub (Jul 25, 2023):

I also noticed the bug in my local Gitea (version 1.20.1).
The general API call with my applications and an API token works.
Only the download still fails with 404.
Current version is fetched via the API and the browserDownloadUrl is called with the API token.
If I call up the URL in the browser with the user logged in, the download works.


@lunny commented on GitHub (Jul 27, 2023):

#25639 missed a change, and I think ~#26175~ #26430 should fix it.

@xiaoxinpro commented on GitHub (Sep 8, 2023):

The issue persists in the latest 1.20.4 release

I wonder if this will be fixed

Because I am waiting for this issue to be fixed before I can upgrade to 1.20.x, otherwise I will be stuck with 1.19.3


@lunny commented on GitHub (Sep 8, 2023):

Sorry forgot my PR #26430


Reference: github-starred/gitea#11025