Private+Anonymous Read repo: /api/../archive/ fails with "The target couldn't be found." #34852

Closed
@pbsds

Description

The header of my repo displays these labels:

Image

Repo settings:

Image

Fetching an archive of a repo works:

$ curl -I https://{hostname}/{owner}/{repo}/archive/main.tar.gz
HTTP/2 200
server: nginx
date: Tue, 24 Jun 2025 23:07:11 GMT
content-type: application/octet-stream
content-length: 655169
accept-ranges: bytes
access-control-expose-headers: Content-Disposition
cache-control: max-age=0, private, must-revalidate, no-transform
content-disposition: attachment; filename="{repo}-main.tar.gz"; filename*=UTF-8''{repo}-main.tar.gz
last-modified: Mon, 23 Jun 2025 22:20:43 GMT
link: <https://{hostname}/api/v1/repos{owner}/{repo}/archive/fb7b0a7e70754cf368de7d7c469dabe71b2f1c78.tar.gz?rev=fb7b0a7e70754cf368de7d7c469dabe71b2f1c78>; rel="immutable"
no-gzip-compression: 1
set-cookie: session=fe2e418eb5a7a3fd; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: _csrf=Ylk7fhmB5R1FCoTGyC7ax5Y4ebQ6MTc1MDgwNjQzMTIzMzcwMTc4Mw; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=Lax
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN

Tools like nix flake lock will use the URL from the link header for reproducibility. It, however, does not work:

$ curl -I https://{hostname}/api/v1/repos/{owner}/{repo}/archive/fb7b0a7e70754cf368de7d7c469dabe71b2f1c78.tar.gz?rev=fb7b0a7e70754cf368de7d7c469dabe71b2f1c78
HTTP/2 405
server: nginx
date: Tue, 24 Jun 2025 23:11:22 GMT
allow: GET
cache-control: max-age=0, private, must-revalidate, no-transform
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
$ curl https://{hostname}/api/v1/repos/{owner}/{repo}/archive/fb7b0a7e70754cf368de7d7c469dabe71b2f1c78.tar.gz?rev=fb7b0a7e70754cf368de7d7c469dabe71b2f1c78
{"errors":null,"message":"The target couldn't be found.","url":"https://{hostname}/api/swagger"}

Interestingly, however, it works when I use the non-/api/v1/repos/ endpoint:

$ curl https://{hostname}/{owner}/{repo}/archive/fb7b0a7e70754cf368de7d7c469dabe71b2f1c78.tar.gz?rev=fb7b0a7e70754cf368de7d7c469dabe71b2f1c78
Warning: Binary output can mess up your terminal. Use "--output -" to tell curl to output it to your terminal anyway, or consider "--output <FILE>" to save to a file.

As such, I assume this bug is #8649 / #33127 not applying to /api/ endpoints.

Gitea Version

1.24.0

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

From the demo instance:

Image

Image

$ curl -I https://demo.gitea.com/pbsds/asd/archive/main.zip
HTTP/2 200
accept-ranges: bytes
access-control-expose-headers: Content-Disposition
alt-svc: h3=":443"; ma=2592000
cache-control: max-age=0, private, must-revalidate, no-transform
content-disposition: attachment; filename="asd-main.zip"; filename*=UTF-8''asd-main.zip
content-type: application/octet-stream
date: Tue, 24 Jun 2025 23:26:13 GMT
last-modified: Tue, 24 Jun 2025 23:26:12 GMT
link: <https://demo.gitea.com/api/v1/repos/pbsds/asd/archive/2b369676dcf0c63d043d40b454c6dac29ba5200d.tar.gz?rev=2b369676dcf0c63d043d40b454c6dac29ba5200d>; rel="immutable"
no-gzip-compression: 1
server: Caddy
set-cookie: i_like_gitea=f8abf4e28a620ef7; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: _csrf=_0iXbqCgf9umvJNC56urX0Bf7cA6MTc1MDgwNzU2ODc2NDI5MDcwMA; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=Lax
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
content-length: 286

$ curl -I http://demo.gitea.com/api/v1/repos/pbsds/asd/archive/2b369676dcf0c63d043d40b454c6dac29ba5200d.tar.gz?rev=2b369676dcf0c63d043d40b454c6dac29ba5200d
HTTP/1.1 308 Permanent Redirect
Connection: close
Location: https://demo.gitea.com/api/v1/repos/pbsds/asd/archive/2b369676dcf0c63d043d40b454c6dac29ba5200d.tar.gz?rev=2b369676dcf0c63d043d40b454c6dac29ba5200d
Server: Caddy
Date: Tue, 24 Jun 2025 23:26:23 GMT

$ curl -I https://demo.gitea.com/api/v1/repos/pbsds/asd/archive/2b369676dcf0c63d043d40b454c6dac29ba5200d.tar.gz?rev=2b369676dcf0c63d043d40b454c6dac29ba5200d
HTTP/2 405
allow: GET
alt-svc: h3=":443"; ma=2592000
cache-control: max-age=0, private, must-revalidate, no-transform
date: Tue, 24 Jun 2025 23:26:43 GMT
server: Caddy
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN

$ curl https://demo.gitea.com/api/v1/repos/pbsds/asd/archive/2b369676dcf0c63d043d40b454c6dac29ba5200d.tar.gz?rev=2b369676dcf0c63d043d40b454c6dac29ba5200d
{"errors":null,"message":"not found","url":"https://demo.gitea.com/api/swagger"}

Git Version

No response

Operating System

No response

How are you running Gitea?

We use the NixOS module, which in turn uses nginx.

Database

PostgreSQL
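
An added example, not part of the original report and not Gitea or Nix code: it parses a `Link` header the way a lock tool would to find the `rel="immutable"` target, checks that the target is pinned to a full commit hash, and rewrites the API archive path to the web route the report found reachable. The route rewrite is an assumption taken from the URLs quoted above; the function names are hypothetical.

```python
import re
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Link header value copied from the demo-instance response in the report.
SHA = "2b369676dcf0c63d043d40b454c6dac29ba5200d"
SAMPLE_LINK = (f"<https://demo.gitea.com/api/v1/repos/pbsds/asd/archive/"
               f'{SHA}.tar.gz?rev={SHA}>; rel="immutable"')

# One Link entry: <target> followed by zero or more ;name=value parameters.
_ENTRY = re.compile(r'<([^>]*)>((?:\s*;\s*[\w*-]+(?:\s*=\s*(?:"[^"]*"|[^\s;,"]+))?)*)')
_PARAM = re.compile(r';\s*([\w*-]+)(?:\s*=\s*(?:"([^"]*)"|([^\s;,"]+)))?')
# Assumed route layout, inferred from the URLs in the report.
_API_ARCHIVE = re.compile(r"^/api/v1/repos/([^/]+)/([^/]+)/archive/(.+)$")

def immutable_link(header):
    """Return the target of the first Link entry whose rel includes "immutable"."""
    for entry in _ENTRY.finditer(header):
        for param in _PARAM.finditer(entry.group(2)):
            rels = (param.group(2) or param.group(3) or "").lower().split()
            if param.group(1).lower() == "rel" and "immutable" in rels:
                return entry.group(1)
    return None

def web_archive_url(api_url):
    """Rewrite /api/v1/repos/{owner}/{repo}/archive/... to /{owner}/{repo}/archive/..."""
    parts = urlsplit(api_url)
    m = _API_ARCHIVE.match(parts.path)
    if not m:
        return None  # not an API archive URL; leave the decision to the caller
    path = "/{}/{}/archive/{}".format(*m.groups())
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, ""))

def pinned_commit(url):
    """Return the 40-hex commit only if the file name and ?rev= agree on it."""
    parts = urlsplit(url)
    ref = re.sub(r"\.(tar\.gz|zip)$", "", parts.path.rsplit("/", 1)[-1])
    rev = parse_qs(parts.query).get("rev", [None])[0]
    return ref if re.fullmatch(r"[0-9a-f]{40}", ref) and rev == ref else None

if __name__ == "__main__":
    api = immutable_link(SAMPLE_LINK)
    print("immutable:", api)
    print("web route:", web_archive_url(api))
    print("commit   :", pinned_commit(api))
```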
