From 87e12133f0303c3657dd7b7bd9e663f8ac65fd79 Mon Sep 17 00:00:00 2001
From: Lunny Xiao
Date: Thu, 27 Apr 2023 20:53:08 +0800
Subject: [PATCH 1/4] Fix auth check bug
---
 services/lfs/server.go | 10 ----------
 1 file changed, 10 deletions(-)
diff --git a/services/lfs/server.go b/services/lfs/server.go
index 4c69e47512b6c..64e1203394547 100644
--- a/services/lfs/server.go
+++ b/services/lfs/server.go
@@ -86,11 +86,6 @@ func DownloadHandler(ctx *context.Context) {
 return
 }
- repository := getAuthenticatedRepository(ctx, rc, true)
- if repository == nil {
- return
- }
-
 // Support resume download using Range header
 var fromByte, toByte int64
 toByte = meta.Size - 1
@@ -365,11 +360,6 @@ func VerifyHandler(ctx *context.Context) {
 return
 }
- repository := getAuthenticatedRepository(ctx, rc, true)
- if repository == nil {
- return
- }
-
 contentStore := lfs_module.NewContentStore()
 ok, err := contentStore.Verify(meta.Pointer)
From 94387b969c8a7c1b2152791b5d6ba10edd8ac88a Mon Sep 17 00:00:00 2001
From: Lunny Xiao
Date: Thu, 27 Apr 2023 21:18:56 +0800
Subject: [PATCH 2/4] Add test for download lfs with token
---
 tests/integration/lfs_getobject_test.go | 33 +++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
diff --git a/tests/integration/lfs_getobject_test.go b/tests/integration/lfs_getobject_test.go
index 7b1b3e109c5f7..7fa5ccc936dc6 100644
--- a/tests/integration/lfs_getobject_test.go
+++ b/tests/integration/lfs_getobject_test.go
@@ -11,6 +11,7 @@ import (
 "net/http/httptest"
 "testing"
+ "code.gitea.io/gitea/models/auth"
 "code.gitea.io/gitea/models/db"
 git_model "code.gitea.io/gitea/models/git"
 repo_model "code.gitea.io/gitea/models/repo"
@@ -40,6 +41,30 @@ func storeObjectInRepo(t *testing.T, repositoryID int64, content *[]byte) string
 return pointer.Oid
 }
+func storeAndGetLfsToken(t *testing.T, content *[]byte, extraHeader *http.Header, expectedStatus int) *httptest.ResponseRecorder {
+ repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, "user2", "repo1")
+ assert.NoError(t, err)
+ oid := storeObjectInRepo(t, repo.ID, content)
+ defer git_model.RemoveLFSMetaObjectByOid(db.DefaultContext, repo.ID, oid)
+
+ token := getUserToken(t, "user2", auth.AccessTokenScope(auth.AccessTokenScopePublicRepo))
+
+ // Request OID
+ req := NewRequest(t, "GET", "/user2/repo1.git/info/lfs/objects/"+oid+"/test?token="+token)
+ req.Header.Set("Accept-Encoding", "gzip")
+ if extraHeader != nil {
+ for key, values := range *extraHeader {
+ for _, value := range values {
+ req.Header.Add(key, value)
+ }
+ }
+ }
+
+ resp := MakeRequest(t, req, expectedStatus)
+
+ return resp
+}
+
 func storeAndGetLfs(t *testing.T, content *[]byte, extraHeader *http.Header, expectedStatus int) *httptest.ResponseRecorder {
 repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, "user2", "repo1")
 assert.NoError(t, err)
@@ -89,6 +114,14 @@ func TestGetLFSSmall(t *testing.T) {
 checkResponseTestContentEncoding(t, &content, resp, false)
 }
+func TestGetLFSSmallToken(t *testing.T) {
+ defer tests.PrepareTestEnv(t)()
+ content := []byte("A very small file\n")
+
+ resp := storeAndGetLfsToken(t, &content, nil, http.StatusOK)
+ checkResponseTestContentEncoding(t, &content, resp, false)
+}
+
 func TestGetLFSLarge(t *testing.T) {
 defer tests.PrepareTestEnv(t)()
 content := make([]byte, web.GzipMinSize*10)
From 7ea0bfd098ae3cba2ee5fd101504b6de2b5f67cc Mon Sep 17 00:00:00 2001
From: Lunny Xiao
Date: Thu, 27 Apr 2023 22:27:06 +0800
Subject: [PATCH 3/4] Fix test
---
 tests/integration/lfs_getobject_test.go | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
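Review bot: In the new `storeAndGetLfsToken`, `assert.NoError(t, err)` records a failure but lets the test continue, so if the repository lookup fails and returns a nil repository, the next line's `repo.ID` turns the failure into a nil-pointer panic instead of a readable assertion message. Stopping at the failed lookup avoids that, for example `if !assert.NoError(t, err) { return nil }`, or testify's `require.NoError(t, err)` if that package is imported here (the import block is only partly visible). The helper's opening lines also repeat those of `storeAndGetLfs` shown as context right below it, so a shared body taking an optional credential would keep the two from drifting apart.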
diff --git a/tests/integration/lfs_getobject_test.go b/tests/integration/lfs_getobject_test.go
index 7fa5ccc936dc6..eb2ee7786a061 100644
--- a/tests/integration/lfs_getobject_test.go
+++ b/tests/integration/lfs_getobject_test.go
@@ -41,17 +41,18 @@ func storeObjectInRepo(t *testing.T, repositoryID int64, content *[]byte) string
 return pointer.Oid
 }
-func storeAndGetLfsToken(t *testing.T, content *[]byte, extraHeader *http.Header, expectedStatus int) *httptest.ResponseRecorder {
+func storeAndGetLfsToken(t *testing.T, ts auth.AccessTokenScope, content *[]byte, extraHeader *http.Header, expectedStatus int) *httptest.ResponseRecorder {
 repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, "user2", "repo1")
 assert.NoError(t, err)
 oid := storeObjectInRepo(t, repo.ID, content)
 defer git_model.RemoveLFSMetaObjectByOid(db.DefaultContext, repo.ID, oid)
- token := getUserToken(t, "user2", auth.AccessTokenScope(auth.AccessTokenScopePublicRepo))
+ token := getUserToken(t, "user2", ts)
 // Request OID
- req := NewRequest(t, "GET", "/user2/repo1.git/info/lfs/objects/"+oid+"/test?token="+token)
+ req := NewRequest(t, "GET", "/user2/repo1.git/info/lfs/objects/"+oid+"/test")
 req.Header.Set("Accept-Encoding", "gzip")
+ req.SetBasicAuth("user2", token)
 if extraHeader != nil {
 for key, values := range *extraHeader {
 for _, value := range values {
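Review bot: `storeAndGetLfsToken` now takes five positional parameters and still has no doc comment, even though the new `ts` argument is the only input that separates the passing case from the 403 case in the tests that call it. A comment above the signature would make the contract explicit: `// storeAndGetLfsToken stores content as an LFS object in user2/repo1, then downloads it over HTTP basic auth using a user2 access token requested with scope ts.` The function body continues past the end of this hunk.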
@@ -118,10 +119,17 @@ func TestGetLFSSmallToken(t *testing.T) {
 defer tests.PrepareTestEnv(t)()
 content := []byte("A very small file\n")
- resp := storeAndGetLfsToken(t, &content, nil, http.StatusOK)
+ resp := storeAndGetLfsToken(t, auth.AccessTokenScope(auth.AccessTokenScopePublicRepo), &content, nil, http.StatusOK)
 checkResponseTestContentEncoding(t, &content, resp, false)
 }
+func TestGetLFSSmallTokenFail(t *testing.T) {
+ defer tests.PrepareTestEnv(t)()
+ content := []byte("A very small file\n")
+
+ storeAndGetLfsToken(t, auth.AccessTokenScope(auth.AccessTokenScopeNotification), &content, nil, http.StatusForbidden)
+}
+
 func TestGetLFSLarge(t *testing.T) {
 defer tests.PrepareTestEnv(t)()
 content := make([]byte, web.GzipMinSize*10)
From d4981fc920076103e562f95a283b5ab4a58593ba Mon Sep 17 00:00:00 2001
From: Lunny Xiao
Date: Thu, 27 Apr 2023 22:53:04 +0800
Subject: [PATCH 4/4] Fix lint
---
 tests/integration/lfs_getobject_test.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/integration/lfs_getobject_test.go b/tests/integration/lfs_getobject_test.go
index eb2ee7786a061..ba236d355f12d 100644
--- a/tests/integration/lfs_getobject_test.go
+++ b/tests/integration/lfs_getobject_test.go
@@ -119,7 +119,7 @@ func TestGetLFSSmallToken(t *testing.T) {
 defer tests.PrepareTestEnv(t)()
 content := []byte("A very small file\n")
- resp := storeAndGetLfsToken(t, auth.AccessTokenScope(auth.AccessTokenScopePublicRepo), &content, nil, http.StatusOK)
+ resp := storeAndGetLfsToken(t, auth.AccessTokenScopePublicRepo, &content, nil, http.StatusOK)
 checkResponseTestContentEncoding(t, &content, resp, false)
 }
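Review bot: `TestGetLFSSmallTokenFail` pins the denied case only for the download route, while patch 1/4 removed the same `getAuthenticatedRepository(ctx, rc, true)` call from `VerifyHandler` too, and no test in this series sends a request to that handler. A matching pair of verify requests, one with a scope expected to succeed and one expected to return `http.StatusForbidden`, would show that whatever check remains above the removed lines (not visible in that hunk) still rejects an under-scoped token. The new test also discards the recorder returned by `storeAndGetLfsToken`; asserting that the 403 response body does not contain `content` would confirm that the denied path returns no object data.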
@@ -127,7 +127,7 @@ func TestGetLFSSmallTokenFail(t *testing.T) {
 defer tests.PrepareTestEnv(t)()
 content := []byte("A very small file\n")
- storeAndGetLfsToken(t, auth.AccessTokenScope(auth.AccessTokenScopeNotification), &content, nil, http.StatusForbidden)
+ storeAndGetLfsToken(t, auth.AccessTokenScopeNotification, &content, nil, http.StatusForbidden)
 }
 func TestGetLFSLarge(t *testing.T) {