Auth model for direct download of release assets is unclear
Summary
After creating a release, the release and links to the associated assets are available through the Releases API.
However, the linked assets are only available in an interactive browser session: attempts to download them (sources or other) from a non-public project yield a 302 to the sign_in page, even if the PRIVATE-TOKEN header is given.
API access to download released assets is useful in the context of tooling such as https://github.com/marcosnils/bin, and I was working on adding a GitLab provider to it when I discovered the issue.
Steps to reproduce
- Create a release.
- Navigate to the release and copy the link to one of the assets (sources or other).
- Try to download it using
curl --header "PRIVATE-TOKEN: ${GITLAB_TOKEN?}" "${ASSET_URL?}".
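The reproduction step above, as an added example that is not part of the issue: it issues the same curl request without following redirects and classifies the saved response headers, so that tooling notices the sign_in redirect instead of storing the HTML sign-in page under the asset's filename. The URL, token and output file are assumed to be supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the issue). Probe a release-asset URL with a
# PRIVATE-TOKEN header, redirects NOT followed, then classify the result.

# classify_headers FILE: reads a header dump written by `curl -D` and prints
#   ok | signin-redirect | redirect | unauthorized | error:<code>
classify_headers() {
    hdrs=$1
    # curl -D writes one status block per hop; the last status line wins
    code=$(grep -i '^HTTP/' "$hdrs" | tail -n 1 | awk '{print $2}')
    location=$(grep -i '^Location:' "$hdrs" | tail -n 1 | cut -d' ' -f2- | tr -d '\r')
    case "$code" in
        200) echo ok ;;
        301|302|303|307|308)
            case "$location" in
                *sign_in*) echo signin-redirect ;;  # the behaviour reported above
                *) echo redirect ;;
            esac ;;
        401|403) echo unauthorized ;;
        *) echo "error:${code:-none}" ;;
    esac
}

# probe_asset URL TOKEN OUTFILE: same request as the reproduction step, but
# without -L, so a 302 is reported rather than silently followed. Returns 0
# only when the asset itself was served.
probe_asset() {
    url=$1 token=$2 out=$3
    hdrs=$(mktemp)
    curl -sS -D "$hdrs" -o "$out" --header "PRIVATE-TOKEN: $token" "$url"
    result=$(classify_headers "$hdrs")
    rm -f "$hdrs"
    echo "$result"
    [ "$result" = ok ]
}

# Usage (hypothetical values):
#   probe_asset "$ASSET_URL" "$GITLAB_TOKEN" asset.bin || echo "asset not served"
```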
Example Project
N/A as it would require a private/internal project and giving a user-wide personal access token.
What is the current bug behavior?
Released assets cannot be downloaded through the API.
What is the expected correct behavior?
Released assets can be downloaded through the API, preferably with the same authorization as is used for the rest of the API.
Relevant logs and/or screenshots
N/A.
Output of checks
This bug happens on GitLab.com.
Results of GitLab environment info
N/A.
Results of GitLab application Check
N/A.
Possible fixes
N/A.