api/v1: log why repo read is denied (diagnose metadata-action 401)

cda8dd3 · gmorell · 2026-07-02 23:06

1 files +16 -1

Files changed

modified lib/git_gud_web/controllers/api/v1/repository_controller.ex
+16 −1
@@ -49,9 +49,24 @@ defmodule GitGudWeb.Api.V1.RepositoryController do
49 49 end
50 50
51 51 defp authorized?(conn, repo) do
52 repo.visibility in ["public", "internal"] or runner_token_for?(conn, repo)
52 + ok = repo.visibility in ["public", "internal"] or runner_token_for?(conn, repo)
53 +
54 + unless ok do
55 + require Logger
56 + scheme = get_req_header(conn, "authorization") |> List.first() |> auth_scheme()
57 + verify = with t when is_binary(t) <- bearer_token(conn), do: RunnerJwt.verify(t)
58 +
59 + Logger.warning(
60 + "API-AUTH deny repo=#{repo.id} vis=#{repo.visibility} scheme=#{inspect(scheme)} verify=#{inspect(verify)}"
61 + )
62 + end
63 +
64 + ok
53 65 end
54 66
67 + defp auth_scheme(nil), do: nil
68 + defp auth_scheme(hdr), do: hdr |> String.split(" ", parts: 2) |> List.first()
69 +
55 70 defp runner_token_for?(conn, repo) do
56 71 with tok when is_binary(tok) <- bearer_token(conn),
57 72 {:ok, %{"pid" => pid}} <- RunnerJwt.verify(tok) do

Parents: 7136ebc