docker login seems to succeed with basic auth even when 2FA is enabled #11924

Closed
opened 2025-11-02 09:51:56 -06:00 by GiteaMirror · 3 comments
Owner

Originally created by @1e100 on GitHub (Oct 28, 2023).

Description

docker login seems to be succeeding with "basic" auth even though 2FA is enabled on the account. I was a bit surprised by that. Notably, this also reproduces on the Gitea demo site.

I then started looking into the documentation on how to create a PAT here: https://docs.gitea.com/development/api-usage#authentication. This does not seem to work either. The OTP-less first suggestion results in {"message":"Only signed in user is allowed to call APIs."}, the one with OTP results in [] (empty JSON list).

Finally, going into the UI as the instructions suggest is not helpful either, since it is not at all clear what permissions such a PAT would need for read-only and read-write access.

So there seem to be several issues here:

  1. docker login should not succeed if account has 2FA enabled on it
  2. Instructions for how to create a PAT should probably be updated
  3. Documentation is needed for the minimal permission set required to only pull, and to pull+push to the Docker registry.

Gitea Version

1.20.3

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Docker compose using your downloads. But this reproduces on try.gitea.io as well.

Database

None

Originally created by @1e100 on GitHub (Oct 28, 2023). ### Description `docker login` seems to be succeeding with "basic" auth even though 2FA is enabled on the account. I was a bit surprised by that. Notably, this also reproduces on the Gitea demo site. I then started looking into the documentation on how to create a PAT here: https://docs.gitea.com/development/api-usage#authentication. This does not seem to work either. The OTP-less first suggestion results in `{"message":"Only signed in user is allowed to call APIs."}`, the one with OTP results in `[]` (empty JSON list). Finally, going into the UI as the instructions suggest is not helpful either, since it is not at all clear what permissions such a PAT would need for read-only and read-write access. So there seem to be several issues here: 1. `docker login` should not succeed if account has 2FA enabled on it 2. Instructions for how to create a PAT should probably be updated 3. Documentation is needed for the minimal permission set required to only pull, and to pull+push to the Docker registry. ### Gitea Version 1.20.3 ### Can you reproduce the bug on the Gitea demo site? Yes ### Log Gist _No response_ ### Screenshots _No response_ ### Git Version _No response_ ### Operating System _No response_ ### How are you running Gitea? Docker compose using your downloads. But this reproduces on try.gitea.io as well. ### Database None
GiteaMirror added the type/bug label 2025-11-02 09:51:56 -06:00
Author
Owner

@KN4CK3R commented on GitHub (Oct 31, 2023):

How do you use docker login? With a PAT or user/password. The container code does not verify auth by itself but uses the methods all other api endpoints use.

@KN4CK3R commented on GitHub (Oct 31, 2023): How do you use `docker login`? With a PAT or user/password. The container code does not verify auth by itself but uses the methods all other api endpoints use.
Author
Owner

@1e100 commented on GitHub (Oct 31, 2023):

Then all other APIs are also similarly impacted. Enabling 2FA should mean that only PAT is available for auth. And there should be documentation on how to issue the PAT so that it's not overly broad in its permissions, at least for the common use cases such as the Docker registry pull/push.

@1e100 commented on GitHub (Oct 31, 2023): Then all other APIs are also similarly impacted. Enabling 2FA should mean that only PAT is available for auth. And there should be documentation on how to issue the PAT so that it's not overly broad in its permissions, at least for the common use cases such as the Docker registry pull/push.
Author
Owner

@1e100 commented on GitHub (Oct 31, 2023):

IOW a login/password is like a PAT that has every possible permission for that user and cannot be restricted. That is problematic IMO

@1e100 commented on GitHub (Oct 31, 2023): IOW a login/password is like a PAT that has every possible permission for that user and cannot be restricted. That is problematic IMO
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#11924