Basic authentication doesn't work for archive downloads #35083
Description
Description
I have a private repository, and I need to download its archives (URLs like https://my.gitea.site/owner/repo/archive/.tar.gz) non-interactively using Basic Authentication. (Specifically, I need to download with the builtins.fetchTarball function of Nix package manager.) It doesn't work out of the box:
> > curl --dump-header - -u :REDACTED -o /dev/null https://REDACTED/REDACTED/REDACTED/archive/REDACTED.tar.gz
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0HTTP/2 303
server: nginx
date: Tue, 15 Jul 2025 15:13:01 GMT
content-type: text/html; charset=utf-8
content-length: 38
cache-control: max-age=0, private, must-revalidate, no-transform
location: /user/login
set-cookie: session=e685bd6a270841fa; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: _csrf=YObR-Ve7B-AnJXJtfpjTtk5YrUA6MTc1MjU5MjM4MTk0ODAwNDg1Ng; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=Lax
set-cookie: redirect_to=%2FREDACTED.tar.gz; Path=/; HttpOnly; Secure; SameSite=Lax
x-frame-options: SAMEORIGIN
100 38 100 38 0 0 608 0 --:--:-- --:--:-- --:--:-- 612
(The password specified in curl's -u option is an Access Token with the read:repository permission of a user that is allowed to access the repository.)
I use a patched version of Gitea to make it work.
Gitea Version
1.24.2
Can you reproduce the bug on the Gitea demo site?
No
Log Gist
2025/07/15 15:19:55 ...eb/routing/logger.go:102:func1() [I] router: completed GET /REDACTED/REDACTED/archive/REDACTED.tar.gz for 127.0.0.1:34664, 303 See Other in 0.5ms @ web/web.go:139(web.registerWebRoutes.verifyAuthWithOptions)
Screenshots
No response
Git Version
2.49.0
Operating System
NixOS
How are you running Gitea?
NixOS' gitea module with the standard Nixpkgs' gitea package, behind Nginx reverse proxy.
Database
PostgreSQL