Subscription API Routes Broken #12321

Closed
opened 2025-11-02 10:05:31 -06:00 by GiteaMirror · 9 comments

Originally created by @kdumontnu on GitHub (Jan 11, 2024).

Description

We're trying to write a script to unsubscribe (unwatch) users from all repos, but running into some issues. It looks like these API routes are broken in a couple of ways.

  • First, I created a token with read + write access to all repos (non-admin user)
    [image]

Then, using that token on a repo I own:

```bash
curl -X 'GET' \
  'https://try.gitea.io/api/v1/repos/kdumontnu/template/subscription' \
  -H 'accept: application/json' \
  -H 'Authorization: ---'
```

returns a 500 error


Next, when I try "PUT" or "DELETE", I get a 401 error. "token is required". I should have access to this repo and I've provided all of the token routes.

Gitea Version

1.22-dev

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

try.gitea.io

Database

None

GiteaMirror added the type/bug label 2025-11-02 10:05:31 -06:00

@jackHay22 commented on GitHub (Jan 11, 2024):

It looks like the GET endpoint doesn't currently require a token. I don't think that explains the 500 but I'll look into it. @kdumontnu For the PUT and DELETE endpoints the issue may be the formatting of your API token. The token value must be prepended by token in the header:

```bash
curl -X 'GET' \
  'https://try.gitea.io/api/v1/repos/kdumontnu/template/subscription' \
  -H 'accept: application/json' \
  -H 'Authorization: token ---'
```

Edit: requiring a token for the GET endpoint fixes the issue (by populating ctx.Doer).


@kdumontnu commented on GitHub (Jan 11, 2024):

> It looks like the `GET` endpoint doesn't currently require a token. I don't think that explains the 500 but I'll look into it. @kdumontnu For the `PUT` and `DELETE` endpoints the issue may be the formatting of your API token. The token value must be prepended by `token` in the header:
>
> ```bash
> curl -X 'GET' \
>   'https://try.gitea.io/api/v1/repos/kdumontnu/template/subscription' \
>   -H 'accept: application/json' \
>   -H 'Authorization: token ---'
> ```
>
> Edit: requiring a token for the `GET` endpoint fixes the issue (by populating `ctx.Doer`).

I just used the swagger UI for the API. If that doesn't work then maybe there's another bug.


@jackHay22 commented on GitHub (Jan 11, 2024):

> I just used the swagger UI for the API. If that doesn't work then maybe there's another bug.

Unfortunately, it's a manual step in Swagger:

[image: Screen Shot 2024-01-11 at 2 34 40 PM]

@kdumontnu commented on GitHub (Jan 11, 2024):

> > I just used the swagger UI for the API. If that doesn't work then maybe there's another bug.
>
> Unfortunately, it's a manual step in Swagger:
>
> [image: Screen Shot 2024-01-11 at 2 34 40 PM]

Gross - good catch.


@kdumontnu commented on GitHub (Jan 11, 2024):

So, once I fix the token header (thanks!), and I try to watch/unwatch a repo that I have access to, but I don't own, I get a 404.

The problem, as I see it, is that this route is a repo route when it should be a user route.

  • For instance, can a repo owner "unwatch" people from their repos?

@jackHay22 commented on GitHub (Jan 12, 2024):

> So, once I fix the token header (thanks!), and I try to watch/unwatch a repo that **I have access to, but I don't own**, I get a 404.

@kdumontnu I haven't been able to recreate this 404 with a public or private repo; watch/unwatch works for a user other than the owner (the user that the token belongs to).

> The problem, as I see it, is that this route is a repo route when it should be a user route.

Is the idea to create a route by which a user other than ctx.Doer (the token owner) can be watched/unwatched? (i.e. the repo owner could unwatch a different user)


@kdumontnu commented on GitHub (Jan 12, 2024):

> > So, once I fix the token header (thanks!), and I try to watch/unwatch a repo that **I have access to, but I don't own**, I get a 404.
>
> @kdumontnu I haven't been able to recreate this 404 with a public or private repo; watch/unwatch works for a user other than the owner (the user that the token belongs to).
>
> > The problem, as I see it, is that this route is a repo route when it should be a user route.
>
> Is the idea to create a route by which a user _other than_ `ctx.Doer` (the token owner) can be watched/unwatched? (i.e. the repo owner could unwatch a different user)

You're able to subscribe + unsubscribe from public repos?

If I run

```bash
curl -X 'PUT' \
  'https://try.gitea.io/api/v1/repos/sdweiyu/%20test/subscription' \
  -H 'accept: application/json' \
  -H 'Authorization: token <full read/write token>'
```

I get a 404 response (this is just a random public repository I found). That implied to me that the API isn't using the right permissions.


@jackHay22 commented on GitHub (Jan 16, 2024):

@kdumontnu Perhaps the space (encoded as %20) is causing the 404. I was able to successfully watch (and unwatch) the repo:

Request:

```bash
curl -X 'PUT' \
  'https://try.gitea.io/api/v1/repos/sdweiyu/test/subscription' \
  -H 'accept: application/json' \
  -H 'Authorization: token <token>'
```

Response (200):

```json
{
  "subscribed": true,
  "ignored": false,
  "reason": null,
  "created_at": "2022-01-20T07:30:35Z",
  "url": "https://try.gitea.io/api/v1/repos/sdweiyu/test/subscription",
  "repository_url": "https://try.gitea.io/api/v1/repos/sdweiyu/test"
}
```
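A script of the kind the issue opener describes, as an added example (not code from the issue or from Gitea): it lists the repos the token owner watches, sends the `token ` prefix the thread settled on, and builds each route from the server-returned `full_name` so a stray `%20` cannot turn into a 404. The `/user/subscriptions` list endpoint, the `send` test hook and the `BASE_URL` placeholder are assumptions of this example.

```python
"""Unwatch every repository the token owner watches (Gitea API v1).

Constructed example for this thread, not code from the issue or from Gitea.
Assumes GET /user/subscriptions (repos the authenticated user watches) and
DELETE /repos/{owner}/{repo}/subscription; BASE_URL is a placeholder.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://gitea.example.invalid/api/v1"  # placeholder instance

def auth_header(token: str) -> dict:
    # Gitea expects "Authorization: token <value>"; sending the bare value is
    # what produced the 401 "token is required" in the thread.
    return {"Authorization": f"token {token}", "accept": "application/json"}

def subscription_url(base: str, owner: str, repo: str) -> str:
    # Encode each path segment on its own and strip stray whitespace: the
    # "%20test" URL in the thread named a repo that does not exist (404).
    seg = lambda s: urllib.parse.quote(s.strip(), safe="")
    return f"{base}/repos/{seg(owner)}/{seg(repo)}/subscription"

def http(method: str, url: str, headers: dict, send=None) -> tuple:
    """Send the request; `send` is an injectable transport for offline tests.
    Returns (status, body) and does not raise on 4xx/5xx."""
    req = urllib.request.Request(url, method=method, headers=headers)
    if send is not None:
        return send(req)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()

def unwatch_all(token: str, base: str = BASE_URL, send=None) -> dict:
    """DELETE the subscription of every watched repo; returns {full_name: status}."""
    hdr = auth_header(token)
    # The list endpoint is paginated (page/limit); one page is fetched here.
    status, body = http("GET", f"{base}/user/subscriptions?limit=50", hdr, send)
    if status != 200:
        raise RuntimeError(f"listing subscriptions failed: {status} {body}")
    results = {}
    for repo in json.loads(body):
        owner, name = repo["full_name"].split("/", 1)  # server-provided names
        status, _ = http("DELETE", subscription_url(base, owner, name), hdr, send)
        results[repo["full_name"]] = status
    return results
```

Loop over `page=` values until an empty list comes back if a user watches more than one page of repositories.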

@github-actions[bot] commented on GitHub (Mar 1, 2024):

Automatically locked because of our CONTRIBUTING guidelines

Reference: github-starred/gitea#12321