api/v1: match auth scheme case-insensitively (octokit sends lowercase 'bearer') — fixes metadata-action 401 on private repos

1f1d9e9 · gmorell · 2026-07-02 23:22

1 files +8 -19

Files changed

modified lib/git_gud_web/controllers/api/v1/repository_controller.ex
+8 −19
@@ -49,24 +49,9 @@ defmodule GitGudWeb.Api.V1.RepositoryController do
49 49 end
50 50
51 51 defp authorized?(conn, repo) do
52 ok = repo.visibility in ["public", "internal"] or runner_token_for?(conn, repo)
53
54 unless ok do
55 require Logger
56 scheme = get_req_header(conn, "authorization") |> List.first() |> auth_scheme()
57 verify = with t when is_binary(t) <- bearer_token(conn), do: RunnerJwt.verify(t)
58
59 Logger.warning(
60 "API-AUTH deny repo=#{repo.id} vis=#{repo.visibility} scheme=#{inspect(scheme)} verify=#{inspect(verify)}"
61 )
62 end
63
64 ok
52 + repo.visibility in ["public", "internal"] or runner_token_for?(conn, repo)
65 53 end
66 54
67 defp auth_scheme(nil), do: nil
68 defp auth_scheme(hdr), do: hdr |> String.split(" ", parts: 2) |> List.first()
69
70 55 defp runner_token_for?(conn, repo) do
71 56 with tok when is_binary(tok) <- bearer_token(conn),
72 57 {:ok, %{"pid" => pid}} <- RunnerJwt.verify(tok) do
@@ -76,10 +61,14 @@ defmodule GitGudWeb.Api.V1.RepositoryController do
76 61 end
77 62 end
78 63
64 + # Match the scheme case-insensitively: octokit (docker/metadata-action)
65 + # sends a lowercase `bearer`, and git sent lowercase `basic` too.
79 66 defp bearer_token(conn) do
80 case get_req_header(conn, "authorization") do
81 ["token " <> t | _] -> t
82 ["Bearer " <> t | _] -> t
67 + with [hdr | _] <- get_req_header(conn, "authorization"),
68 + [scheme, tok] <- String.split(hdr, " ", parts: 2),
69 + true <- String.downcase(scheme) in ["bearer", "token"] do
70 + tok
71 + else
83 72 _ -> nil
84 73 end
85 74 end

Parents: cda8dd3