Skip to content

Go-get: returns 401 error for unauthenticated requests to private projects

Problem

Reported by @MagnusLindvall in !161162 (comment 2121346675)

Affects a self-managed instance after update to 17.4.0-ee, not reproducible on GitLab.com.

Possible root cause - Return a go-get document when the request is un... (!161162 - merged).

Details

URL points to a private project

curl -I "https://gitlab.company.net/shared/go-util?go-get=1" HTTP/2 401 # without auth - WRONG

curl -I "https://gitlab.company.net/shared/go-util?go-get=1" HTTP/2 200 # with auth

curl -I "https://gitlab.company.net/shared/go-util?go-get=1" HTTP/2 401 # with invalid auth - WRONG

URL points to a non-existant project

curl -I "https://gitlab.company.net/doesnotexist/anything?go-get=1" HTTP/2 200 # without auth

curl -I "https://gitlab.company.net/doesnotexist/anything?go-get=1" HTTP/2 200 # with auth

curl -I "https://gitlab.company.net/doesnotexist/anything?go-get=1" HTTP/2 200 # with invalid auth

Expected behavior

  • curl -I "https://gitlab.company.net/shared/go-util?go-get=1" HTTP/2 **200** # without auth

  • curl -I "https://gitlab.company.net/shared/go-util?go-get=1" HTTP/2 **404** # with invalid auth