Release API Download asking for user sign-in even when supplied with a valid token


Summary

Not sure if this is just on a self-hosted GitLab instance, or the same can happen on a private/internal repository hosted in gitlab.com. But if you create a release and upload some files and attach them to a release, you'll not be able to download those files without the user authenticating with the browser/i.e. cookies.

When reading the Release API there is a section about downloading a release asset, but this shows an HTML page requesting the user to log in.

Steps to reproduce

  1. Upload a file with the Projects > Upload a file API
  2. Keep a reference to the following properties we get in return: alt, link, and full_path.
  3. Create a new release with the Releases API > Create a release.
  4. Add an entry at the assets.links section and append with the following structure:
{
  "name": "<Step 2: alt>",
  "url": "<BASE_URL><Step 2: full_path>",
  "direct_asset_path": "<Step 2: url>",
  "link_type": "other"
}
  5. This call should've been successful and show up when using the API Release API > List Releases
  6. On the first release entry of this list, there is an assets.links attribute that will contain the asset uploaded with step 3 and 4. This attribute is in the following format:
[
{
  "id": 1,
  "name": "<Step 2: alt>",
  "url": "URL to the asset (this is not an API url)",
  "direct_asset_url": "URL to the asset (this is not an API url)",
  "link_type": "other"
}
...
]
  7. Transform one of the URLs to be in the Download a release asset API e.g. https://gitlab.example.com/api/v4/projects/24/releases/v0.1/downloads/uploads/8b684daf5dd85545caaa9171de433acc/test_file.
  8. When using the curl specified in that API, it will result in an HTML page that asks you to sign in, instead of the actual uploaded file. Note, this is with a PRIVATE-TOKEN: <TOKEN> header specified, because the project is not accessible by the public.

Example Project

I've not created an example project, because this is on a self-hosted one. But there are multiple reports asking for this functionality and it not actually working:

#410460 (comment 1390140319)

#375489 (comment 1382515152)

#232704 (closed)

What is the current bug behavior?

When following the steps, an HTML page will be shown asking you to sign in.

What is the expected correct behavior?

When following the steps, I should be able to download the asset link.

Relevant logs and/or screenshots

The HTML you receive once using this API:

<!DOCTYPE html>
<html class="html-devise-layout ui-light-gray" lang="en">
...
<div class="gl-alert-content" role="alert">
<div class="gl-alert-body">
You need to sign in or sign up before continuing.
</div>
</div>
...
</html>

Output of checks

This bug happens on GitLab.com

Possible fixes

Allow the authentication of PRIVATE-TOKEN or JOB-TOKEN on this endpoint.

Edited Sep 27, 2025 by 🤖 GitLab Bot 🤖
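
An added example, not part of the report and not GitLab's own code: a client-side check for automation that downloads release assets, so that the sign-in page described above is never stored as if it were the file. The function names are hypothetical, the sign-in markers are the ones in the HTML quoted in the report, and refusing redirects (so the PRIVATE-TOKEN header is not replayed to another URL) is a choice made for this example.

```python
import urllib.error
import urllib.request
from urllib.parse import quote

# Markers copied from the sign-in HTML quoted in the report.
SIGN_IN_MARKERS = (b"html-devise-layout",
                   b"You need to sign in or sign up before continuing.")

def download_api_url(base_url, project_id, tag, asset_path):
    """Build the download URL in the shape shown in step 7 of the report."""
    return "{}/api/v4/projects/{}/releases/{}/downloads/{}".format(
        base_url.rstrip("/"), project_id,
        quote(tag, safe=""), quote(asset_path.lstrip("/"), safe="/"))

def classify(status, body):
    """Label a download response so a login page is never stored as the asset."""
    if 300 <= status < 400:
        return "redirect"
    if status >= 400:
        return "error"
    if any(marker in body[:65536] for marker in SIGN_IN_MARKERS):
        return "sign_in_page"
    return "asset"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Refuse redirects so the PRIVATE-TOKEN header is not replayed elsewhere.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch_asset(url, token, timeout=30):
    """Fetch with PRIVATE-TOKEN; return (label, body). Needs network access."""
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read()
    return classify(status, body), body

# Constructed sample: the sign-in HTML from the report, as a byte string.
SAMPLE_SIGN_IN = (b'<!DOCTYPE html>\n<html class="html-devise-layout ui-light-gray" lang="en">\n'
                  b'<div class="gl-alert-body">\nYou need to sign in or sign up before continuing.\n'
                  b'</div>\n</html>')

if __name__ == "__main__":
    print(download_api_url("https://gitlab.example.com", 24, "v0.1",
                           "/uploads/8b684daf5dd85545caaa9171de433acc/test_file"))
    print(classify(200, SAMPLE_SIGN_IN))
```

A caller should write the body to disk only when the label is "asset" and fail the job otherwise.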