Download of gitlab.com project release image using access token blocked by 'Checking your Browser' redirect

Summary

Using curl with a personal access token to download a release from a private project on gitlab.com ends up fetching the 'Checking your Browser' HTML page, rather than the expected binary file.

Steps to reproduce

  1. create personal access token with read_api scope
  2. find URL of a release to download from private repo on gitlab.com (looks like https://gitlab.com/.../-/releases/.../downloads/...)
  3. use cURL command line to set token header and fetch file (following !120001 (merged))
curl -H 'PRIVATE-TOKEN: <read_api_personal_access_token>' -o <download.file> -L https://gitlab.com/my-group/my-project/-/releases/<release>/downloads/<file>
  1. check if file is as expected

What is the current bug behavior?

The curl request is redirected to the 'Checking your Browser' (captcha?) page which is downloaded, instead of the binary release image file expected. I don't know if this happens for everyone, but it is consistent for me.

What is the expected correct behavior?

The linked binary release image file is expected to be downloaded.

See #375489 (closed)

Relevant logs and/or screenshots

$ curl -H 'PRIVATE-TOKEN: <read_api_personal_access_token>' -o ~/download.hex -L https://gitlab.com/my-group/my-project/-/releases/<release>/downloads/<file>.hex
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   201  100   201    0     0    360      0 --:--:-- --:--:-- --:--:--   360
100    98  100    98    0     0     93      0  0:00:01  0:00:01 --:--:-- 98000
100  8636    0  8636    0     0   7891      0 --:--:--  0:00:01 --:--:--  7891
$ head ~/download.hex
<!DOCTYPE html>
<html>
<head>
  <meta content="width=device-width, initial-scale=1, maximum-scale=1" name="viewport">
  <title>Checking your Browser - GitLab</title>
  <style>bo...

If the URL is changed to a non-existing release file, the command returns a 'Not found' page, as expected.

The Personal Access Token appears to be correct as its last used timestamp on the relevant preference page is updated after using this command.

Output of checks

This bug happens on GitLab.com

Possible fixes

It appears that an extra layer of security (captcha?) on the main gitlab.com site is intercepting the valid request.

cc @vshushlin