go-gitea · lunny · Jan 27, 2025 · Jan 23, 2025 · Jan 24, 2025 · Jan 26, 2025
diff --git a/services/auth/auth.go b/services/auth/auth.go
@@ -32,6 +32,11 @@ func isAttachmentDownload(req *http.Request) bool {
 	return strings.HasPrefix(req.URL.Path, "/attachments/") && req.Method == "GET"
 }
 
+// isFeed checks if the request targets a rss/atom feed
+func isFeed(req *http.Request) bool {
+	return strings.HasSuffix(req.URL.Path, ".rss") || strings.HasSuffix(req.URL.Path, ".atom")
+}
+
 // isContainerPath checks if the request targets the container endpoint
 func isContainerPath(req *http.Request) bool {
 	return strings.HasPrefix(req.URL.Path, "/v2/")

diff --git a/services/auth/basic.go b/services/auth/basic.go
@@ -48,8 +48,8 @@ func (b *Basic) Name() string {
 // name/token on successful validation.
 // Returns nil if header is empty or validation fails.
 func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {
-	// Basic authentication should only fire on API, Download or on Git or LFSPaths
-	if !middleware.IsAPIPath(req) && !isContainerPath(req) && !isAttachmentDownload(req) && !isGitRawOrAttachOrLFSPath(req) {
+	// Basic authentication should only fire on API, rss/atom feeds, Download or on Git or LFSPaths
+	if !middleware.IsAPIPath(req) && !isFeed(req) && !isContainerPath(req) && !isAttachmentDownload(req) && !isGitRawOrAttachOrLFSPath(req) {
 		return nil, nil
 	}