Restrict access to composer package dist file of private projects
When publishing a package on a private project using the Composer API, only the providers JSON files require authentication, while the dist files (zip) are available for unrestricted download without authentication, only requiring the commit hash as a query parameter.
For example, when I publish a package from a branch of a private project I can access the published package zip file at
No authentication (token or user/pass) is required. All the required parameters are not really sensitive, as it is common to find them published/exposed on the public internet to help debugging and/or error-tracking tools.
Add authorization checks requiring the read-api scope and permission to read the specified project's packages before serving the dist file containing the private package source code.
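A minimal sketch of the requested check, added here as an illustration and not GitLab's own code: the `Token`, `Project` and `DistFileEndpoint` classes, the in-memory dist-file map and the `:read_api` symbol are hypothetical stand-ins for the real models and Grape endpoint.

```ruby
# Hypothetical stand-ins for the real GitLab objects (constructed for this example).
Token   = Struct.new(:user, :scopes)          # scopes: e.g. [:read_api]
Project = Struct.new(:id, :private, :members) # members: user names allowed to read packages

class DistFileEndpoint
  NOT_FOUND    = [404, 'not found'].freeze
  UNAUTHORIZED = [401, 'unauthorized'].freeze
  FORBIDDEN    = [403, 'forbidden'].freeze

  # dist_files: { [project_id, sha] => zip_bytes }, a constructed sample store.
  def initialize(dist_files)
    @dist_files = dist_files
  end

  # Behaviour described in the issue: the only input checked is the commit sha,
  # so anyone who knows (or guesses) it receives the private source archive.
  def serve_unrestricted(project, sha)
    zip = @dist_files[[project.id, sha]]
    zip ? [200, zip] : NOT_FOUND
  end

  # Proposed behaviour: authenticate, require the read_api scope, then require
  # that the caller may read this project's packages before touching the file.
  def serve_authorized(token, project, sha)
    return UNAUTHORIZED if token.nil?
    return FORBIDDEN unless token.scopes.include?(:read_api)
    # Answer exactly as for a missing file so the response does not reveal
    # whether a private project or commit exists to a non-member.
    return NOT_FOUND unless can_read_packages?(token.user, project)

    serve_unrestricted(project, sha)
  end

  private

  def can_read_packages?(user, project)
    !project.private || project.members.include?(user)
  end
end
```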