authorGiteabot <teabot@gitea.io>2023-10-01 19:54:11 +0800
committerGitHub <noreply@github.com>2023-10-01 19:54:11 +0800
commit4e824a735ea9290f75f57d1211d1b7e8c4e9dda2 (patch)
tree43c48780d872984ab4771f5f78bb38b4554ce240 /services
parenteea79ce586d5cc941f43bd2bcde1e41013e563b8 (diff)
downloadgitea-4e824a735ea9290f75f57d1211d1b7e8c4e9dda2.tar.gz
gitea-4e824a735ea9290f75f57d1211d1b7e8c4e9dda2.zip
Allow get release download files and lfs files with oauth2 token format (#26430) (#27379)
Backport #26430 by @lunny Fix #26165 Fix #25257 Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Diffstat (limited to 'services')
-rw-r--r--services/auth/oauth2.go4
1 files changed, 3 insertions, 1 deletions
diff --git a/services/auth/oauth2.go b/services/auth/oauth2.go
index 6572d661e8..38b705cc5b 100644
--- a/services/auth/oauth2.go
+++ b/services/auth/oauth2.go
@@ -125,7 +125,9 @@ func (o *OAuth2) userIDFromToken(ctx context.Context, tokenSHA string, store Dat
// If verification is successful returns an existing user object.
// Returns nil if verification fails.
func (o *OAuth2) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {
- if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isAuthenticatedTokenRequest(req) {
+ // These paths are not API paths, but we still want to check for tokens because they maybe in the API returned URLs
+ if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isAuthenticatedTokenRequest(req) &&
+ !gitRawReleasePathRe.MatchString(req.URL.Path) {
return nil, nil
}
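Review bot: The added `!gitRawReleasePathRe.MatchString(req.URL.Path)` clause in Verify lets token authentication run on web (non-API) routes, and nothing visible in this hunk shows that the token's scope is checked on those routes. If scope enforcement lives only in the API routing layer, which cannot be seen from here, a token issued with a narrow scope could still authenticate downloads on the matched paths; this is worth confirming and covering with a test that a token lacking repository read scope is refused there. The regexp is defined outside the hunk, so check that it is anchored and matches only the intended download routes. The new comment would read better as `// These are not API paths, but we still check for tokens because URLs returned by the API may point to them.` Verify's body continues outside the hunk.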