Allow job token basic auth for generic package upload

What does this MR do and why?

Allows uploading a generic package with a CI job token passed via Basic auth (gitlab-ci-token:$CI_JOB_TOKEN), which previously returned 401 Unauthorized.

The download endpoint has accepted a job token over Basic auth since !138770 (merged), but the upload and Workhorse authorize endpoints still only accepted the job token through the JOB-TOKEN header. This made the documented .netrc/Basic-auth upload flow fail, and contradicted the generic packages documentation.

This MR mirrors the download endpoint by setting job_token_allowed: %i[request basic_auth] on both the authorize preflight and the upload route. Both are required because Workhorse forwards the client's credentials to the authorize preflight.

  • Prior art: !138770 (merged) (added Basic-auth job-token support to the download endpoint)

How to set up and validate locally

In a CI job:

test:
  script:
    - echo foo > bar
    - |
      curl --silent --location \
        --user "gitlab-ci-token:$CI_JOB_TOKEN" \
        --upload-file bar \
        "$CI_API_V4_URL/projects/$CI_PROJECT_ID/packages/generic/my_package/1.0.0/file.txt"

This now returns 201 Created instead of 401 Unauthorized.
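
Why the setting has to be on both routes, as an added example (a simplified model written for this page, not GitLab's code): the authorize preflight sees the same client credentials as the upload route, so a Basic-auth job token is rejected there first unless that route also allows `basic_auth`. Every method name and the sample token are assumptions; only the `request`/`basic_auth` source symbols and the `gitlab-ci-token` username come from the description above.

```ruby
# Simplified model, not GitLab's implementation. Method names are hypothetical.
CI_USERNAME = "gitlab-ci-token"

# Return [source, token] for a job token carried in the headers, or nil.
def find_job_token(headers)
  tok = headers["JOB-TOKEN"].to_s
  return [:request, tok] unless tok.empty?

  auth = headers["Authorization"].to_s
  return nil unless auth.start_with?("Basic ")

  # unpack1("m") is a lenient Base64 decode; garbage input yields no user.
  user, pass = auth.delete_prefix("Basic ").unpack1("m").split(":", 2)
  return nil unless user == CI_USERNAME && pass && !pass.empty?

  [:basic_auth, pass]
end

# One route's check: the token must arrive via an allowed source AND be valid.
def route_status(headers, allowed_sources, valid_tokens, ok_status)
  source, token = find_job_token(headers)
  return 401 unless source && allowed_sources.include?(source)

  valid_tokens.include?(token) ? ok_status : 401
end

# The upload as the client sees it: the preflight receives the forwarded
# client credentials and must pass before the upload route is reached.
def upload_status(headers, authorize_allowed:, upload_allowed:, valid_tokens:)
  pre = route_status(headers, authorize_allowed, valid_tokens, 200)
  return pre unless pre == 200

  route_status(headers, upload_allowed, valid_tokens, 201)
end

def basic_header(user, pass)
  { "Authorization" => "Basic " + ["#{user}:#{pass}"].pack("m0") }
end

if __FILE__ == $PROGRAM_NAME
  valid = ["constructed-job-token"] # constructed sample value
  basic = basic_header(CI_USERNAME, "constructed-job-token")
  both  = %i[request basic_auth]
  # Only the upload route allows basic_auth: rejected at the preflight.
  p upload_status(basic, authorize_allowed: %i[request], upload_allowed: both, valid_tokens: valid)
  # Both routes allow it: upload succeeds.
  p upload_status(basic, authorize_allowed: both, upload_allowed: both, valid_tokens: valid)
end
```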
