Prevent Authorization header for presigned LFS urls (#21531) (#21569)

KN4CK3R · lunny · web-flow · commit 6b7ce726c21f · 2022-10-24T11:18:31.000+08:00
Backport of #21531 Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
diff --git a/services/lfs/server.go b/services/lfs/server.go
@@ -438,14 +438,21 @@ func buildObjectResponse(rc *requestContext, pointer lfs_module.Pointer, downloa
 		}
 
 		if download {
-			rep.Actions["download"] = &lfs_module.Link{Href: rc.DownloadLink(pointer), Header: header}
+			var link *lfs_module.Link
 			if setting.LFS.ServeDirect {
 				// If we have a signed url (S3, object storage), redirect to this directly.
 				u, err := storage.LFS.URL(pointer.RelativePath(), pointer.Oid)
 				if u != nil && err == nil {
-					rep.Actions["download"] = &lfs_module.Link{Href: u.String(), Header: header}
+					// Presigned url does not need the Authorization header
+					// https://github.com/go-gitea/gitea/issues/21525
+					delete(header, "Authorization")
+					link = &lfs_module.Link{Href: u.String(), Header: header}
 				}
 			}
+			if link == nil {
+				link = &lfs_module.Link{Href: rc.DownloadLink(pointer), Header: header}
+			}
+			rep.Actions["download"] = link
 		}
 		if upload {
 			rep.Actions["upload"] = &lfs_module.Link{Href: rc.UploadLink(pointer), Header: header}

Original file line number	Diff line number	Diff line change
`@@ -438,14 +438,21 @@ func buildObjectResponse(rc *requestContext, pointer lfs_module.Pointer, downloa`
`438`	`438`	`}`
`439`	`439`
`440`	`440`	`if download {`
`441`		`- rep.Actions["download"] = &lfs_module.Link{Href: rc.DownloadLink(pointer), Header: header}`
	`441`	`+ var link *lfs_module.Link`
`442`	`442`	`if setting.LFS.ServeDirect {`
`443`	`443`	`// If we have a signed url (S3, object storage), redirect to this directly.`
`444`	`444`	`u, err := storage.LFS.URL(pointer.RelativePath(), pointer.Oid)`
`445`	`445`	`if u != nil && err == nil {`
`446`		`- rep.Actions["download"] = &lfs_module.Link{Href: u.String(), Header: header}`
	`446`	`+ // Presigned url does not need the Authorization header`
	`447`	`+ // https://github.com/go-gitea/gitea/issues/21525`
	`448`	`+ delete(header, "Authorization")`
	`449`	`+ link = &lfs_module.Link{Href: u.String(), Header: header}`
`447`	`450`	`}`
`448`	`451`	`}`
	`452`	`+ if link == nil {`
	`453`	`+ link = &lfs_module.Link{Href: rc.DownloadLink(pointer), Header: header}`
	`454`	`+ }`
	`455`	`+ rep.Actions["download"] = link`
`449`	`456`	`}`
`450`	`457`	`if upload {`
`451`	`458`	`rep.Actions["upload"] = &lfs_module.Link{Href: rc.UploadLink(pointer), Header: header}`