Require repo scope for PATs for private repos and basic authentication (#24362)

> The scoped token PR just checked all API routes but in fact, some web routes like `LFS`, git `HTTP`, container, and attachments supports basic auth. This PR added scoped token check for them. --------- Signed-off-by: jolheiser <john.olheiser@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2025-07-22 18:28:37 +00:00 · 2023-04-26 19:24:03 -05:00
parent 8f57aa014b
commit 5e36024105
11 changed files with 117 additions and 7 deletions
--- a/services/lfs/server.go
+++ b/services/lfs/server.go
@@ -86,6 +86,11 @@ func DownloadHandler(ctx *context.Context) {
 		return
 	}

+	repository := getAuthenticatedRepository(ctx, rc, true)
+	if repository == nil {
+		return
+	}
+
 	// Support resume download using Range header
 	var fromByte, toByte int64
 	toByte = meta.Size - 1
@@ -360,6 +365,11 @@ func VerifyHandler(ctx *context.Context) {
 		return
 	}

+	repository := getAuthenticatedRepository(ctx, rc, true)
+	if repository == nil {
+		return
+	}
+
 	contentStore := lfs_module.NewContentStore()
 	ok, err := contentStore.Verify(meta.Pointer)

@@ -423,6 +433,11 @@ func getAuthenticatedRepository(ctx *context.Context, rc *requestContext, requir
 		return nil
 	}

+	context.CheckRepoScopedToken(ctx, repository)
+	if ctx.Written() {
+		return nil
+	}
+
 	return repository
 }