Unauthorised response to anonymous requests in maven registry group API

What does this MR do and why?

This MR fixes inconsistent behaviour in the Maven Repository when downloading a package from a group-level endpoint with Basic HTTP Authentication.

Problem: When a group contains projects with mixed package registry visibility (some public, some private), anonymous requests to the Maven group API were incorrectly returning 404 Not Found instead of 401 Unauthorized when a package doesn't exist in public registries. This breaks Maven's Basic HTTP Authentication flow, which relies on receiving a 401 response with WWW-Authenticate header to trigger credential-based retry requests.

Solution: The MR ensures that anonymous requests to the group-level package download endpoint return 401 Unauthorized instead of 404 Not Found when:

  • No package is found in public registries
  • The request is anonymous (no current user)
  • The feature flag maven_packages_unauthorized_with_public_registries is enabled

References

Screenshots or screen recordings

N/A

How to set up and validate locally

  1. Enable the feature flag:

    Feature.enable(:maven_packages_unauthorized_with_public_registries)
  2. Set up test groups and projects:

    # Create a private group with two private projects
    group = FactoryBot.create(:group, :private)
    project1 = FactoryBot.create(:project, :private, group:)
    project2 = FactoryBot.create(:project, :private, group:)

    # Enable the public package registry on project2 only (mixed visibility)
    project2.project_feature.update!(package_registry_access_level: ProjectFeature::PUBLIC)

    # Stub the Rails test helper that the maven_package factory uses for its file fixture
    def fixture_file_upload(*args, **kwargs)
      Rack::Test::UploadedFile.new(*args, **kwargs)
    end

    # Create a package in project1 (private registry), so it is not visible in any public registry
    package = FactoryBot.create(:maven_package, project: project1)
  3. Test anonymous requests return 401 (not 404):

    # This should return 401 Unauthorized (not 404) with WWW-Authenticate: Basic realm="GitLab Packages Registry"
    curl -I "http://gdk.test:3000/api/v4/groups/<group.id>/-/packages/maven/<package.maven_metadatum.path>/maven-metadata.xml"
  4. Test with feature flag disabled:

    Feature.disable(:maven_packages_unauthorized_with_public_registries)

    The same request should return 404 Not Found (old behavior).

  5. Verify authenticated requests still work:

    # Should return 200 for existing packages
    curl --header "Private-Token: <personal_access_token>" "http://gdk.test:3000/api/v4/groups/<group.id>/-/packages/maven/<package.maven_metadatum.path>/maven-metadata.xml"
    
    # 404 for non-existent ones
    curl --header "Private-Token: <personal_access_token>" "http://gdk.test:3000/api/v4/groups/<group.id>/-/packages/maven/<package.maven_metadatum.path>/maven-metadata1.xml"
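The decision rule from the Solution section and the expected results of the validation steps above, modelled as an added example (not GitLab's own code): the `Project`/`Response` structs, `readable_projects` and the `flag_enabled` argument are constructed stand-ins for the real models, the permission check and `Feature.enabled?`.

```ruby
# Added example, not GitLab code: models the group-level Maven download
# response so the 401-vs-404 rule can be exercised in isolation.
Project  = Struct.new(:id, :public_registry, :packages, keyword_init: true)
Response = Struct.new(:status, :headers, keyword_init: true)

# Header Maven needs in order to retry with Basic credentials
WWW_AUTH = { 'WWW-Authenticate' => 'Basic realm="GitLab Packages Registry"' }.freeze

# Projects whose package registry the requester may read.
# Constructed simplification: any authenticated user is treated as a
# group member; anonymous users only see public registries.
def readable_projects(group, current_user)
  return group if current_user
  group.select(&:public_registry)
end

def group_maven_download(group, path, current_user:, flag_enabled:)
  visible = readable_projects(group, current_user)
  found = visible.any? { |project| project.packages.include?(path) }
  return Response.new(status: 200, headers: {}) if found

  # MR behaviour: nothing found in public registries + anonymous request
  # + feature flag on => 401 with WWW-Authenticate; otherwise the old 404
  if current_user.nil? && flag_enabled
    Response.new(status: 401, headers: WWW_AUTH)
  else
    Response.new(status: 404, headers: {})
  end
end

# Constructed data mirroring the setup steps: project1 private, project2 public
PRIVATE_PROJECT = Project.new(id: 1, public_registry: false, packages: ['com/example/app'])
PUBLIC_PROJECT  = Project.new(id: 2, public_registry: true,  packages: ['com/example/lib'])
GROUP = [PRIVATE_PROJECT, PUBLIC_PROJECT].freeze

if __FILE__ == $PROGRAM_NAME
  r = group_maven_download(GROUP, 'com/example/app', current_user: nil, flag_enabled: true)
  puts "anonymous, flag on:  #{r.status} #{r.headers}"
  r = group_maven_download(GROUP, 'com/example/app', current_user: nil, flag_enabled: false)
  puts "anonymous, flag off: #{r.status}"
end
```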

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #544802 (closed)

Edited by Moaz Khalifa
