Release API Download asking for user sign-in even when supplied with a valid token
### Summary

Not sure if this is just on a self-hosted GitLab instance, or the same can happen on a private/internal repository hosted on gitlab.com. But if you create a release and upload some files and attach them to a release, you'll not be able to download those files without the user authenticating with the browser, i.e. cookies.

When reading the Release API there is a section about downloading a [release asset](https://docs.gitlab.com/ee/api/releases/#download-a-release-asset), but this shows an HTML page requesting the user to log in.

### Steps to reproduce

1. Upload a file with the [Projects > Upload a file API](https://docs.gitlab.com/ee/api/projects.html#upload-a-file).
2. Keep a reference to the following properties we get in return: `alt`, `link`, and `full_path`.
3. Create a new release with the [Releases API > Create a release](https://docs.gitlab.com/ee/api/releases/#create-a-release).
4. Add an entry in the `assets.links` section with the following structure:

   ```json
   {
     "name": "<Step 2: alt>",
     "url": "<BASE_URL><Step 2: full_path>",
     "direct_asset_path": "<Step 2: url>",
     "link_type": "other"
   }
   ```

5. This call should've been successful and show up when using the API [Release API > List Releases](https://docs.gitlab.com/ee/api/releases/#list-releases).
6. On the first release entry of this list, there is an `assets.links` attribute that will contain the asset uploaded with step 3 and 4. This attribute is in the following format:

   ```json
   [
     {
       "id": 1,
       "name": "<Step 2: alt>",
       "url": "URL to the asset (this is not an API url)",
       "direct_asset_url": "URL to the asset (this is not an API url)",
       "link_type": "other"
     }
     ...
   ]
   ```

7. Transform one of the URLs to be in the [Download a release asset API](https://docs.gitlab.com/ee/api/releases/#download-a-release-asset) format, e.g. `https://gitlab.example.com/api/v4/projects/24/releases/v0.1/downloads/uploads/8b684daf5dd85545caaa9171de433acc/test_file`.
8. When using the curl specified in that API, it will result in an HTML page that asks you to sign in, instead of the actual uploaded file.

   Note, this is with a `PRIVATE-TOKEN: <TOKEN>` header specified, because the project is not accessible by the public.

### Example Project

I've not created an example project, because this is on a self-hosted one. But there are multiple reports asking for this functionality and it not actually working:

- https://gitlab.com/gitlab-org/gitlab/-/issues/410460#note_1390140319
- https://gitlab.com/gitlab-org/gitlab/-/issues/375489#note_1382515152
- https://gitlab.com/gitlab-org/gitlab/-/issues/232704

### What is the current *bug* behavior?

When following the steps, an HTML page will be shown asking you to sign in.

### What is the expected *correct* behavior?

When following the steps, I should be able to download the asset link.

### Relevant logs and/or screenshots

The HTML you receive once using this API:

```html
<!DOCTYPE html>
<html class="html-devise-layout ui-light-gray" lang="en">
...
<div class="gl-alert-content" role="alert">
  <div class="gl-alert-body">
    You need to sign in or sign up before continuing.
  </div>
</div>
...
</html>
```

### Output of checks

<!-- If you are reporting a bug on GitLab.com, uncomment below -->
This bug happens on GitLab.com

### Possible fixes

Allow the authentication of PRIVATE-TOKEN or JOB-TOKEN on this endpoint.
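The following is an added example, not part of the original report and not GitLab's code. It carries out the URL transformation from step 7 and shows a check that automation can run on a response so that the sign-in HTML is never stored as if it were the asset. The function names, the `group/project` sample URL and the 32-hex-character hash pattern are assumptions made for illustration.

```python
import re
from urllib.parse import quote, unquote, urlsplit

# Both markers come from the HTML shown in the report.
SIGN_IN_MARKERS = (b"html-devise-layout",
                   b"You need to sign in or sign up before continuing.")
# Assumption: the upload hash is 32 hex characters, as in the report's example URL.
UPLOAD_RE = re.compile(r"/(uploads/[0-9a-f]{32}/.+)$")


def upload_path_from_url(asset_url):
    """Extract 'uploads/<hash>/<file>' from an assets.links URL (steps 6 and 7)."""
    match = UPLOAD_RE.search(unquote(urlsplit(asset_url).path))
    if match is None:
        raise ValueError("no uploads/<hash>/<file> segment in " + asset_url)
    return match.group(1)


def release_download_url(base_url, project_id, tag_name, asset_path):
    """Build the 'Download a release asset' API URL from step 7."""
    return "{}/api/v4/projects/{}/releases/{}/downloads/{}".format(
        base_url.rstrip("/"),
        quote(str(project_id), safe=""),  # 'group/project' -> 'group%2Fproject'
        quote(tag_name, safe=""),
        quote(asset_path.lstrip("/"), safe="/"))


def is_sign_in_page(content_type, body):
    """True when a response is the sign-in HTML rather than the asset bytes."""
    if "text/html" not in (content_type or "").lower():
        return False
    return any(marker in body for marker in SIGN_IN_MARKERS)


# Constructed sample response, shaped like the HTML quoted in the report.
SAMPLE_SIGN_IN = (b'<!DOCTYPE html><html class="html-devise-layout ui-light-gray" '
                  b'lang="en"><div class="gl-alert-body">You need to sign in or '
                  b'sign up before continuing.</div></html>')

if __name__ == "__main__":
    # Constructed asset URL; only the hash and file name match the report's example.
    path = upload_path_from_url("https://gitlab.example.com/group/project/uploads/"
                                "8b684daf5dd85545caaa9171de433acc/test_file")
    print(release_download_url("https://gitlab.example.com", 24, "v0.1", path))
    print(is_sign_in_page("text/html; charset=utf-8", SAMPLE_SIGN_IN))
```

Run `is_sign_in_page` on the `Content-Type` header and body returned by whatever HTTP client performs the download, and fail the job when it returns `True` instead of writing the body to disk.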