api/v1: log why repo read is denied (diagnose metadata-action 401)
cda8dd3 · gmorell · 2026-07-02 23:06
Files changed
modified
lib/git_gud_web/controllers/api/v1/repository_controller.ex
+16
−1
@@ -49,9 +49,24 @@ defmodule GitGudWeb.Api.V1.RepositoryController do
| 49 | 49 | end |
| 50 | 50 | |
| 51 | 51 | defp authorized?(conn, repo) do |
| 52 | − repo.visibility in ["public", "internal"] or runner_token_for?(conn, repo) | |
| 52 | + ok = repo.visibility in ["public", "internal"] or runner_token_for?(conn, repo) | |
| 53 | + | |
| 54 | + unless ok do | |
| 55 | + require Logger | |
| 56 | + scheme = get_req_header(conn, "authorization") |> List.first() |> auth_scheme() | |
| 57 | + verify = with t when is_binary(t) <- bearer_token(conn), do: RunnerJwt.verify(t) | |
| 58 | + | |
| 59 | + Logger.warning( | |
| 60 | + "API-AUTH deny repo=#{repo.id} vis=#{repo.visibility} scheme=#{inspect(scheme)} verify=#{inspect(verify)}" | |
| 61 | + ) | |
| 62 | + end | |
| 63 | + | |
| 64 | + ok | |
| 53 | 65 | end |
| 54 | 66 | |
| 67 | + defp auth_scheme(nil), do: nil | |
| 68 | + defp auth_scheme(hdr), do: hdr |> String.split(" ", parts: 2) |> List.first() | |
| 69 | + | |
| 55 | 70 | defp runner_token_for?(conn, repo) do |
| 56 | 71 | with tok when is_binary(tok) <- bearer_token(conn), |
| 57 | 72 | {:ok, %{"pid" => pid}} <- RunnerJwt.verify(tok) do |
Parents: 7136ebc