Deploy tokens do not allow files to be downloaded from generic packages
Summary
Deploy tokens do not allow files to be downloaded from generic packages
Steps to reproduce
- Create a deploy token with `read_package_registry` scope for a private project with a generic package
- Use the API to retrieve a file from the package using the deploy token, in either a `PRIVATE-TOKEN` header or an `Authorization` header
- The file will not be downloaded and a `403` or `401` will be returned
Example
Using an example private project with ID: `123456`.
This project contains a generic package called `example` with a version `2.0.0` and has a file in it called `package.zip`.
What is the current bug behaviour?
Using an example deploy token with the `read_package_registry` scope:

```
GET https://gitlab.com/api/v4/projects/123456/packages/generic/example/2.0.0/package.zip
PRIVATE-TOKEN: abcdefghjklmnopqrs
```

Returns `401 Unauthorized`

```
GET https://gitlab.com/api/v4/projects/123456/packages/generic/example/2.0.0/package.zip
Authorization: Bearer abcdefghjklmnopqrs
```

Returns `403 Forbidden`

However, if a Personal Access Token is used with a scope of `read_api`:

```
GET https://gitlab.com/api/v4/projects/123456/packages/generic/example/2.0.0/package.zip
Authorization: Bearer 123456789abcdedfgh
```

Returns `200 OK` and the file requested
What is the expected correct behaviour?
Whether a deploy token with a `read_package_registry` scope or a PAT with a `read_api` scope is used, the file should be returned with a response of `200 OK`.
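A small reproduction helper for the requests above, added here as an example and not code from the issue or from GitLab. It assumes `curl` is available, defaults the project, package and file to the report's example values, takes tokens from the caller, and also covers the `Deploy-Token` header that GitLab's generic package documentation lists for deploy tokens.

```shell
#!/usr/bin/env bash
# Added reproduction helper; not code from the issue or from GitLab. Assumes curl.
# Project/package/file values default to the report's example; tokens come from the caller.
set -u

GITLAB_URL="${GITLAB_URL:-https://gitlab.com}"
PROJECT_ID="${PROJECT_ID:-123456}"
PACKAGE_NAME="${PACKAGE_NAME:-example}"
PACKAGE_VERSION="${PACKAGE_VERSION:-2.0.0}"
FILE_NAME="${FILE_NAME:-package.zip}"

# Generic package file endpoint used in the report.
package_file_url() {
  printf '%s/api/v4/projects/%s/packages/generic/%s/%s/%s\n' \
    "$GITLAB_URL" "$PROJECT_ID" "$PACKAGE_NAME" "$PACKAGE_VERSION" "$FILE_NAME"
}

# Auth header for a mode: the two headers the report tried, plus the Deploy-Token
# header GitLab's generic package documentation lists for deploy tokens.
auth_header() {
  case "$1" in
    private) printf 'PRIVATE-TOKEN: %s\n' "$2" ;;
    bearer)  printf 'Authorization: Bearer %s\n' "$2" ;;
    deploy)  printf 'Deploy-Token: %s\n' "$2" ;;
    *) echo "unknown auth mode: $1" >&2; return 1 ;;
  esac
}

# Turn the HTTP status into a one-line verdict; only 200 means the file came back.
verdict() {
  case "$1" in
    200) echo "ok: 200 OK, file returned" ;;
    401) echo "fail: 401 Unauthorized, file not returned" ;;
    403) echo "fail: 403 Forbidden, file not returned" ;;
    *)   echo "unexpected: HTTP $1" ;;
  esac
}

# Attempt the download, discard the body and print only the status code.
fetch_status() {
  curl -sS -o /dev/null -w '%{http_code}' -H "$(auth_header "$1" "$2")" "$(package_file_url)"
}

# Example run (uncomment, with DEPLOY_TOKEN and PAT exported):
# for mode in private bearer deploy; do
#   echo "deploy token/$mode: $(verdict "$(fetch_status "$mode" "$DEPLOY_TOKEN")")"
# done
# echo "PAT/bearer: $(verdict "$(fetch_status bearer "$PAT")")"
```

Running it against the report's project should print `fail` for the deploy token modes the issue describes and `ok` for the PAT; a `200` for the `deploy` mode would show the header, not the scope, is what differs.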
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com