Restrict access to composer package dist file of private projects
When publishing a package to a private project through the Composer API, only the provider JSON files require authentication, while the dist files (zip archives) can be downloaded without any authentication; the only thing needed is the commit hash as a query parameter.
For example, when I publish a package from a branch of a private project I can access the published package zip file at
https://gitlab.com/api/v4/projects/$PROJECT_ID/packages/composer/archives/$GROUP_NAME/$PROJECT_NAME.zip?sha=$LAST_COMMIT_SHA
No authentication (token or username/password) is required. None of the required parameters is really sensitive: project IDs, group and project names, and commit SHAs are commonly published or exposed on the public internet, for example in debugging output and error-tracking tools.
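The following script is an added example for reproducing the check described above; it is not part of this report and not GitLab's own tooling. It builds the archive URL from the same four parameters, requests it once without credentials and once with a token, and turns the unauthenticated status code into a verdict. The assumptions are mine: the host defaults to gitlab.com, and the token is sent in the PRIVATE-TOKEN header.

```shell
#!/bin/sh
# Added example, not from the original report: probe the Composer archive endpoint
# with and without a token to see whether it enforces authentication.
# Assumptions: host defaults to gitlab.com; a personal access token (if any) is
# passed in the GITLAB_TOKEN environment variable and sent as PRIVATE-TOKEN.

composer_archive_url() {
  # $1 project id, $2 group name, $3 project name, $4 commit sha, $5 host (optional)
  host="${5:-gitlab.com}"
  printf 'https://%s/api/v4/projects/%s/packages/composer/archives/%s/%s.zip?sha=%s\n' \
    "$host" "$1" "$2" "$3" "$4"
}

# Classify the HTTP status of the unauthenticated request.
# 200 means the dist file was served to an anonymous client (the issue reported here).
# 401/403/404 means the endpoint withheld it (GitLab reports private resources as 404
# to anonymous users), so the access check is in place.
verdict_for_status() {
  case "$1" in
    200) echo "EXPOSED" ;;
    401|403|404) echo "PROTECTED" ;;
    *) echo "UNKNOWN" ;;
  esac
}

# Return only the HTTP status code for a GET of $1, optionally authenticated with token $2.
http_status() {
  if [ -n "$2" ]; then
    curl -s -o /dev/null -w '%{http_code}' -H "PRIVATE-TOKEN: $2" "$1"
  else
    curl -s -o /dev/null -w '%{http_code}' "$1"
  fi
}

# Run both probes and print the results (requires network access).
check_archive_access() {
  url=$(composer_archive_url "$1" "$2" "$3" "$4" "$5")
  anon=$(http_status "$url")
  echo "unauthenticated: HTTP $anon -> $(verdict_for_status "$anon")"
  if [ -n "$GITLAB_TOKEN" ]; then
    auth=$(http_status "$url" "$GITLAB_TOKEN")
    echo "with token:      HTTP $auth"
  fi
}

# Usage: GITLAB_TOKEN=... sh check.sh PROJECT_ID GROUP_NAME PROJECT_NAME LAST_COMMIT_SHA [HOST]
if [ "$#" -ge 4 ]; then
  check_archive_access "$@"
fi
```

Before a fix the unauthenticated probe returns HTTP 200 for a private project; after the proposed authorization check it should return 404 (or 401) while the request carrying a token with read access to the project's packages still returns 200.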
Proposal
Add authorization checks requiring the read_api scope and permission to read the specified project's packages before serving the dist file, which contains the private package's source code.