job api: download job artifact only serves login page
### Summary

job api: download job artifact only serves login page

### Steps to reproduce

I have a gitlab job set up to run every day on gitlab.com (it has been running without changes for months now). This job downloads the artifact of the previous job using the gitlab api:

`https://gitlab.com/<namespace>/<project>/-/jobs/artifacts/<ref>/raw/<path_to_file>?job=<job_name>`

Tonight this job started to fail. After investigating, it turns out that gitlab does not serve the artifact via the api, but the plain html login page. We do submit an access token without expiry.

### What is the current *bug* behavior?

After investigating, it turns out that gitlab does not serve the artifact via the api, but the plain html login page.

### What is the expected *correct* behavior?

gitlab api should serve artifact of previous jobs

### Relevant logs and/or screenshots

### Output of checks

This bug happens on GitLab.com.

There does not seem to be any mention of breaking changes to the api in the docs.

Tried to issue a new access token with full access; however, when submitting that with the request, the login page is still returned.

### Solution

The official blog post explaining the change: https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/

> **Improper Enforcement of Token Scope**
>
> The GitLab web interface was vulnerable to an authorization issue that allowed access to the web-UI as a user using their Personal Access Token (PAT) of any scope. The issue is now mitigated in the latest release and is assigned CVE-2018-19569.
>
> With this fix, the use of PATs is limited to the API, the RSS feed, and the registry, which could break any existing automation scripts that don't use the API. The impact is expected to be limited.
>
> Thanks to Jan Alsenz of Oneconsult AG for responsibly reporting this vulnerability to us.
>
> Updated 2018-11-28: We have received reports that this change has impacted how repo files and job artifacts are downloaded for some users. For instructions on how to do so through the API, please see our support issue. Thank you to the users participating in this issue. Your feedback is important to us.
The personal access token has been scoped down to API, RSS and registry usage only. The alternatives are as follows:

- [Downloading repository files](https://docs.gitlab.com/ee/api/repository_files.html)
- [Get job artifacts](https://docs.gitlab.com/ee/api/jobs.html#get-job-artifacts)
- [Download the artifacts archive](https://docs.gitlab.com/ee/api/jobs.html#download-the-artifacts-archive)
- [Download a single artifact file](https://docs.gitlab.com/ee/api/jobs.html#download-a-single-artifact-file)
- https://gitlab.com/gitlab-org/gitlab-ce/issues/54572#note_120859334
- https://gitlab.com/gitlab-org/gitlab-ce/issues/54572#note_120860243
- https://gitlab.com/gitlab-org/gitlab-ce/issues/54572#note_120999839
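The "download a single artifact file" API route from the list above, as an added example that is not part of the issue or of GitLab's own tooling: it builds the `/api/v4/projects/:id/jobs/artifacts/:ref/raw/...` URL the PAT is still allowed to use, sends the token in the `PRIVATE-TOKEN` header, and rejects a response that is an HTML page rather than the artifact. It assumes `GITLAB_TOKEN` holds a PAT with the `api` scope and that `curl` is installed; all project, ref, path and job names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the issue or from GitLab): fetch a job artifact through
# the Jobs API route that still accepts a PAT, and refuse to accept an HTML login
# page in place of the file. Assumes GITLAB_TOKEN holds a PAT with the "api" scope
# and that curl is installed; every value below is a constructed placeholder.
set -eu

# GitLab project paths only contain [A-Za-z0-9_.-] and "/", so percent-encoding
# "/" is enough to turn "namespace/project" into a valid :id for the API.
encode_project_path() {
  printf '%s\n' "$1" | sed 's|/|%2F|g'
}

# Build the API URL for a single artifact file:
#   GET /projects/:id/jobs/artifacts/:ref_name/raw/*artifact_path?job=name
# Arguments: base_url namespace/project ref artifact_path job_name
artifact_api_url() {
  printf '%s/api/v4/projects/%s/jobs/artifacts/%s/raw/%s?job=%s\n' \
    "$1" "$(encode_project_path "$2")" "$3" "$4" "$5"
}

# Succeed (exit 0) when the file starts like an HTML document, which is what the
# reporter received instead of the artifact.
looks_like_html() {
  head -c 512 "$1" | grep -qiE '<!doctype html|<html'
}

# Download with the PAT in the PRIVATE-TOKEN header; fail on non-200 or HTML body,
# so a silently saved login page never gets treated as a valid artifact.
download_artifact() {
  url="$1"; out="$2"
  status=$(curl -sS -L -o "$out" -w '%{http_code}' \
    -H "PRIVATE-TOKEN: ${GITLAB_TOKEN}" "$url")
  if [ "$status" != "200" ]; then
    echo "download failed: HTTP $status" >&2
    return 1
  fi
  if looks_like_html "$out"; then
    echo "server returned an HTML page, not the artifact (check token scope/route)" >&2
    return 1
  fi
}

# Example invocation (constructed values), to run manually:
#   download_artifact "$(artifact_api_url https://gitlab.com my-group/my-project \
#     master build/output.tar.gz build-job)" output.tar.gz
```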