Allow get release download files and lfs files with oauth2 token format (#26430) (#27378)

Backport #26430 by @lunny Fix #26165 Fix #25257 Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2025-08-09 11:08:19 +00:00 · 2023-10-01 19:54:15 +08:00
parent b6b71c78c4
commit 23139aa27b
8 changed files with 66 additions and 6 deletions
--- a/services/auth/oauth2.go
+++ b/services/auth/oauth2.go
@@ -126,7 +126,9 @@ func (o *OAuth2) userIDFromToken(tokenSHA string, store DataStore) int64 {
 // If verification is successful returns an existing user object.
 // Returns nil if verification fails.
 func (o *OAuth2) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {
-	if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isAuthenticatedTokenRequest(req) {
+	// These paths are not API paths, but we still want to check for tokens because they maybe in the API returned URLs
+	if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isAuthenticatedTokenRequest(req) &&
+		!gitRawReleasePathRe.MatchString(req.URL.Path) {
 		return nil, nil
 	}