From 52861bff24bbd0e9f3df84c1e781d8eb6a179844 Mon Sep 17 00:00:00 2001
From: kiwec <kiwec@kiwec.net>
Date: Tue, 10 Dec 2024 11:30:27 +0100
Subject: [PATCH] Allow anonymous Git LFS access for public repositories

---
 internal/route/lfs/route.go | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/internal/route/lfs/route.go b/internal/route/lfs/route.go
index 5ed7a6377e3..96f1b9a790f 100644
--- a/internal/route/lfs/route.go
+++ b/internal/route/lfs/route.go
@@ -48,17 +48,13 @@ func RegisterRoutes(r *macaron.Router) {
 // authenticate tries to authenticate user via HTTP Basic Auth. It first tries to authenticate
 // as plain username and password, then use username as access token if previous step failed.
 func authenticate(store Store) macaron.Handler {
-	askCredentials := func(w http.ResponseWriter) {
-		w.Header().Set("Lfs-Authenticate", `Basic realm="Git LFS"`)
-		responseJSON(w, http.StatusUnauthorized, responseError{
-			Message: "Credentials needed",
-		})
-	}
-
 	return func(c *macaron.Context) {
+		// dummy user to allow for unauthenticated read requests to public repositories
+		anonUser := database.User{ID: 0, Name: "Anonymous"}
+
 		username, password := authutil.DecodeBasic(c.Req.Header)
 		if username == "" {
-			askCredentials(c.Resp)
+			c.Map(&anonUser)
 			return
 		}
 
@@ -87,7 +83,7 @@ func authenticate(store Store) macaron.Handler {
 				user, err = context.AuthenticateByToken(store, c.Req.Context(), password)
 				if err != nil {
 					if database.IsErrAccessTokenNotExist(err) {
-						askCredentials(c.Resp)
+						c.Map(&anonUser)
 					} else {
 						c.Status(http.StatusInternalServerError)
 						log.Error("Failed to authenticate by access token via password: %v", err)
@@ -137,6 +133,14 @@ func authorize(store Store, mode database.AccessMode) macaron.Handler {
 				Private: repo.IsPrivate,
 			},
 		) {
+			if actor.ID == 0 {
+				c.Resp.Header().Set("Lfs-Authenticate", `Basic realm="Git LFS"`)
+				responseJSON(c.Resp, http.StatusUnauthorized, responseError{
+					Message: "Credentials needed",
+				})
+				return
+			}
+
 			c.Status(http.StatusNotFound)
 			return
 		}

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<title>pFad - Phonifier reborn</title>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
</head>
<body>
<h1>Pfad - The Proxy pFad of &#169; 2024 Garber Painting. All rights reserved.</h1>


<!-- Disclaimer -->
<p>Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.</p>
<br>
<p>Alternative Proxies:</p><p><a href="http://clevelandohioweatherforecast.com/php-proxy/index.php?q=https://patch-diff.githubusercontent.com/raw/gogs/gogs/pull/7858.patch" target="_blank">Alternative Proxy</a></p><p><a href="http://clevelandohioweatherforecast.com/pFad/index.php?u=https://patch-diff.githubusercontent.com/raw/gogs/gogs/pull/7858.patch" target="_blank">pFad Proxy</a></p><p><a href="http://clevelandohioweatherforecast.com/pFad/v3index.php?u=https://patch-diff.githubusercontent.com/raw/gogs/gogs/pull/7858.patch" target="_blank">pFad v3 Proxy</a></p><p><a href="http://clevelandohioweatherforecast.com/pFad/v4index.php?u=https://patch-diff.githubusercontent.com/raw/gogs/gogs/pull/7858.patch" target="_blank">pFad v4 Proxy</a></p></body>
</html>