Getting raw files for private repos via token #6417

Closed
opened 2025-11-02 06:55:11 -06:00 by GiteaMirror · 3 comments

Originally created by @pat-s on GitHub (Dec 1, 2020).

  • Gitea version (or commit ref): 1.14.0+dev-290-gb1cf7f4df
  • Git version:
  • Operating system: -
  • Database (use `[x]`):
    • [ ] PostgreSQL
    • [ ] MySQL
    • [ ] MSSQL
    • [ ] SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • [x] Yes (provide example URL)
    • [ ] No
  • Log gist:

Description

When fetching raw files of private repos, one needs to pass some form of authentication.
Usually `?token=<token>` is appended or the token is passed via `-u <username>:<token>` in the request, e.g. in `curl <URL>`.

Works in GitHub when providing a token, returns a 404 without a token.

In Gitea however I see the following:

**Without a token**

```
curl https://try.gitea.io/pat-s/test/raw/branch/master/README.md
```

-> HTML response (expecting a 404)

**With token**

```
curl -u <username>:<token> https://try.gitea.io/pat-s/test/raw/branch/master/README.md
```

-> HTML response (expecting raw response)

**With password**

```
curl -u <username>:<password> https://try.gitea.io/pat-s/test/raw/branch/master/README.md
```

-> raw response


@meliurwen commented on GitHub (May 26, 2021):

@pat-s I've successfully used the token method you described until the beginning of April on dev branch releases.

Now at `1.15.0+dev-347-gc1a80b7d6` with a command like:

```bash
curl -u ${username}:${token} https://git.domain.tld/${username}/${repo}/raw/branch/${branch}/${file}
```

I get a `302` status (which leads to the login page) with this body:

```html
<a href="/user/login">Found</a>.
```

@zeripath commented on GitHub (May 26, 2021):

Ugh...

So it wasn't really expected that people would be using tokens with non-api or non-git routes.

That's why you're finding that there has been a change.


@meliurwen commented on GitHub (May 27, 2021):

GitHub allows to use tokens in the same way Gitea did until some commits ago; GitLab on the other hand had this functionality until a couple of years ago, but like (probably) Gitea, it [wasn't intentional and has been restricted to only API and git routes due to security concerns](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/55081#note_124015270).

I personally fail to see the security concerns the GitLab maintainers are referring to since basically the same things can be achieved on the API side... using the API generally should be the way to go, but there are some specific use cases for specific routes (like retrieving raw files via a simple shell script) where it can be less ideal.

On this use case, the Github way helps on the dev/user side to keep the same simple and intuitive (and rather platform-agnostic) retrieval flow of files for both public and private repos.

@zeripath wow! Ty for the prompt response and merge request, I didn't expect that! 😄❤️

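As an added example (not code from this issue or from the Gitea project), the following shell script shows the API-route retrieval flow the thread points to: the token goes in an `Authorization` header instead of a `?token=` query string, and a login redirect or HTML page returned in place of the file is detected and discarded rather than silently saved. It assumes `GITEA_URL` and `GITEA_TOKEN` are set and uses Gitea's `GET /api/v1/repos/{owner}/{repo}/raw/{filepath}?ref={branch}` endpoint.

```shell
#!/bin/sh
# Added example (not the Gitea project's code): fetch a raw file from a
# private repo through the API route and validate the response.
# Assumptions: GITEA_URL (e.g. https://git.example.tld) and GITEA_TOKEN are
# set in the environment. The token is sent as a header, never in the URL,
# so it does not land in proxy logs, shell history or the server access log.
set -u

# Decide what a response means from its HTTP status and Content-Type.
# Prints one of: ok, auth-failure, not-found, error. Exit status mirrors it.
# The 302 and "200 with text/html" cases are exactly the symptoms reported
# in this issue: a web login page served where file content was expected.
classify_raw_response() {
  status="$1"
  ctype="$2"
  case "$status" in
    200)
      case "$ctype" in
        text/html*) echo auth-failure; return 1 ;;
        *)          echo ok;           return 0 ;;
      esac ;;
    302|401|403) echo auth-failure; return 1 ;;
    404)         echo not-found;    return 2 ;;
    *)           echo error;        return 3 ;;
  esac
}

# fetch_raw OWNER REPO BRANCH FILEPATH OUTFILE
# Writes the file to OUTFILE only when the response is genuine raw content.
fetch_raw() {
  owner="$1"; repo="$2"; branch="$3"; path="$4"; out="$5"
  # No -L: a redirect to /user/login must surface as a 302, not be followed.
  meta=$(curl -sS -H "Authorization: token ${GITEA_TOKEN}" \
    -o "$out" -w '%{http_code} %{content_type}' \
    "${GITEA_URL}/api/v1/repos/${owner}/${repo}/raw/${path}?ref=${branch}")
  status=${meta%% *}
  ctype=${meta#* }
  if ! verdict=$(classify_raw_response "$status" "$ctype"); then
    rm -f "$out"   # never leave an HTML login page where a file was expected
    echo "fetch failed: $verdict (HTTP $status, $ctype)" >&2
    return 1
  fi
}

# Example call (hypothetical owner/repo); runs only when credentials are set.
if [ -n "${GITEA_URL:-}" ] && [ -n "${GITEA_TOKEN:-}" ]; then
  fetch_raw pat-s test master README.md ./README.md
fi
```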
Reference: github-starred/gitea#6417