Description
I am running a private Gitea instance and attempting to use it as an RPM registry, but after adding a Gitea user registry to zypper, it complains of it not being valid. Upon further inspection, it appears to be a bug in the Gitea auth flow for private RPM registries.
Repro steps:
When refreshing repos, zypper first does a HEAD request equivalent to the following curl, which responds with a 401 as expected:
mynode:~ # curl -I https://{user}@{mygitea}.com/api/packages/{user}/rpm/repodata/repomd.xml
HTTP/2 401
content-type: text/plain; charset=utf-8
x-content-type-options: nosniff
content-length: 17
date: Thu, 01 Feb 2024 00:35:16 GMT
Corresponding server logs:
2024/01/31 17:55:18 .../api/packages/api.go:88:func1() [E] Failed to verify user: user does not exist [uid: 0, name: {user}, keyid: 0]
2024/01/31 17:55:18 ...eb/routing/logger.go:102:func1() [I] router: completed HEAD /api/packages/{user}/rpm/repodata/repomd.xml for {ip}:53626, 401 Unauthorized in 408.0ms @ packages/api.go:84(packages.verifyAuth)
Then it does the same request, but authenticated, which returns a 405 instead of working <-- this is the broken bit:
mynode:~ # curl --head https://{user}:{token}@{mygitea}.com/api/packages/{user}/rpm/repodata/repomd.xml
HTTP/2 405
allow: GET
date: Thu, 01 Feb 2024 00:40:52 GMT
Corresponding server logs:
2024/01/31 17:55:21 ...eb/routing/logger.go:102:func1() [I] router: completed HEAD /api/packages/{user}/rpm/repodata/repomd.xml for {ip}:53628, 405 Method Not Allowed in 32.5ms @ packages/api.go:84(packages.verifyAuth)
I know the user/token is not the issue, as the following request works:
mynode :~ # curl https://{user}:{token}@{mygitea}.com/api/packages/{user}/rpm.repo
[gitea-{user}]
name={user} - {my gitea name}
baseurl=https://{mygitea}.com/api/packages/{user}/rpm
enabled=1
gpgcheck=1
gpgkey=https://{mygitea}.com/api/packages/{user}/rpm/repository.key
Corresponding server logs:
2024/01/31 17:57:38 ...eb/routing/logger.go:102:func1() [I] router: completed GET /api/packages/{user}/rpm.repo for {ip}:53672, 200 OK in 37.5ms @ rpm/rpm.go:35(rpm.GetRepositoryConfig)
In case it is useful, the above curl without the token:
mynode :~ # curl https://{user}@{mygitea}.com/api/packages/{user}/rpm.repo
authGroup.Verify
Corresponding server logs:
2024/01/31 17:58:46 .../api/packages/api.go:88:func1() [E] Failed to verify user: user does not exist [uid: 0, name: {user}, keyid: 0]
2024/01/31 17:58:46 ...eb/routing/logger.go:102:func1() [I] router: completed GET /api/packages/{user}/rpm.repo for {ip}:53694, 401 Unauthorized in 351.0ms @ packages/api.go:84(packages.verifyAuth)
Gitea Version
v1.21.1
Can you reproduce the bug on the Gitea demo site?
No
Log Gist
Provided in description
Screenshots
No response
Git Version
No response
Operating System
No response
How are you running Gitea?
Gitea Docker container, with a few trivial tweaks.
Database
SQLite
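A minimal model of the status sequence in the report, added here as an example and not taken from Gitea's code: an auth check wrapped around a handler that accepts only GET answers 401 to an unauthenticated HEAD and 405 with `Allow: GET` to an authenticated one, and accepting HEAD as well returns 200. The user `alice`, the token and the names `requireAuth`, `repomd` and `probe` are constructed for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// requireAuth rejects requests lacking the constructed credentials before the method is examined.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, token, ok := r.BasicAuth()
		if !ok || user != "alice" || token != "constructed-token" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// repomd answers 200 for the listed methods and 405 plus an Allow header for any other.
func repomd(methods ...string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for _, m := range methods {
			if r.Method == m {
				return // implicit 200 OK, body omitted in this model
			}
		}
		w.Header().Set("Allow", strings.Join(methods, ", "))
		w.WriteHeader(http.StatusMethodNotAllowed)
	})
}

// probe sends one in-memory request to h and returns the response status code.
func probe(h http.Handler, method string, withToken bool) int {
	req := httptest.NewRequest(method, "/api/packages/alice/rpm/repodata/repomd.xml", nil)
	if withToken {
		req.SetBasicAuth("alice", "constructed-token")
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	getOnly, withHead := requireAuth(repomd("GET")), requireAuth(repomd("GET", "HEAD"))
	fmt.Println(probe(getOnly, "HEAD", false), probe(getOnly, "HEAD", true), probe(withHead, "HEAD", true)) // 401 405 200
}
```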