
Restrict access to composer package dist file of private projects

When a package is published on a private project through the Composer API, only the provider JSON files require authentication; the dist files (zip archives) can be downloaded without any authentication, needing only the commit hash as a query parameter.

For example, when I publish a package from a branch of a private project, I can access the published package zip file at

https://gitlab.com/api/v4/projects/$PROJECT_ID/packages/composer/archives/$GROUP_NAME/$PROJECT_NAME.zip?sha=$LAST_COMMIT_SHA

No authentication (token or user/password) is required. None of the required parameters is really sensitive: project IDs, group and project names and commit SHAs are routinely found on the public internet, for instance in debug output or in error-tracking tools.
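The following script is an added example for this report, not code from the issue or from GitLab itself. It builds the archive URL quoted above and requests it once anonymously and once with a PRIVATE-TOKEN header, so the exposure can be confirmed now and re-checked once a fix ships. The project id, group/project names, SHA and token are placeholders the operator supplies; the `fetch` parameter and the two fake responders are assumptions of this script that let the logic run offline against constructed answers.

```python
"""Probe the Composer dist-file endpoint with and without credentials.

Added example, not part of the original issue report or of GitLab's code.
It reuses only the URL shape quoted in the report; the project id,
group/project names, commit SHA and token are placeholders the operator
supplies. The `fetch` parameter is an assumption of this script: it lets
the probe run against a constructed fake responder instead of the network.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

API_BASE = "https://gitlab.com/api/v4"


def dist_url(project_id, group, project, sha):
    """Build the archive URL from the issue, percent-encoding each segment."""
    def q(s):
        return urllib.parse.quote(str(s), safe="")
    path = (f"/projects/{q(project_id)}/packages/composer/archives/"
            f"{q(group)}/{q(project)}.zip")
    return f"{API_BASE}{path}?{urllib.parse.urlencode({'sha': sha})}"


def http_fetch(url, headers):
    """Live fetcher: GET the URL and return (status, content_type).
    The body is not saved; only the response headers are inspected."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.headers.get("Content-Type", "")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", "")


def classify(status):
    """Map an HTTP status to what it means for a dist-file request.
    A private project usually answers 404 rather than 401/403 to an
    anonymous caller so that its existence is not disclosed; all three
    count as a refusal here."""
    if status == 200:
        return "served"
    if status in (401, 403, 404):
        return "denied"
    return f"other:{status}"


def probe(project_id, group, project, sha, token=None, fetch=http_fetch):
    """Request the archive anonymously and, if a token is given, with a
    PRIVATE-TOKEN header. The endpoint is exposed when the anonymous
    request is served; the authenticated request only shows what the
    answer looks like for a caller allowed to read the project's packages."""
    url = dist_url(project_id, group, project, sha)
    anon_status, anon_type = fetch(url, {})
    result = {
        "url": url,
        "anonymous": classify(anon_status),
        "anonymous_content_type": anon_type,
        "exposed": anon_status == 200,
    }
    if token:
        auth_status, _ = fetch(url, {"PRIVATE-TOKEN": token})
        result["authenticated"] = classify(auth_status)
    return result


# Constructed responders (assumptions of this example) that mimic the two
# behaviours discussed in the issue; neither talks to the network.
def fake_unrestricted(url, headers):
    """Behaviour reported: the zip is served no matter who asks."""
    return 200, "application/zip"


def fake_fixed(url, headers):
    """Behaviour proposed: only a token-bearing caller gets the archive."""
    if headers.get("PRIVATE-TOKEN"):
        return 200, "application/zip"
    return 404, "application/json"


if __name__ == "__main__":
    if len(sys.argv) == 6:
        # Live probe: <project_id> <group> <project> <sha> <token>
        print(probe(*sys.argv[1:5], token=sys.argv[5]))
    else:
        args = (1234, "acme", "lib", "deadbeef")  # constructed placeholders
        print("reported:", probe(*args, token="x", fetch=fake_unrestricted))
        print("proposed:", probe(*args, token="x", fetch=fake_fixed))
```

For a live run, the token should be a personal access token with the read_api scope belonging to a member who can read the project's packages; an `exposed: True` verdict for a private project's values reproduces the report, and after the proposed check is in place the anonymous result should flip to `denied` while the authenticated one stays `served`.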

Proposal

Add an authorization check that requires the read_api scope and permission to read the specified project's packages before serving the dist file, which contains the private package's source code.