feat: make metadata/manifest API endpoint publicly accessible without auth #676

Closed
opened 2026-06-21 14:55:17 +00:00 by jmiller · 0 comments
Owner

Summary

The /repos/{owner}/{repo}/metadata (and /manifest) GET endpoint currently requires reqRepoReader authentication. It should be accessible anonymously for public repos, similar to how badges work.

Motivation

  • CI workflows need to read platform type without a token (for platform-conditional logic in pre-release.yml)
  • Package registries need to discover version info
  • Public tooling (MCP servers, CLI) should read metadata without auth
  • Metadata doesn't contain sensitive info — just version, platform, element name, etc.

Current Behavior

```go
m.Combo("/metadata", reqRepoReader(unit.TypeCode)).
    Get(repo.GetRepoMetadata).
    Put(reqToken(), reqAdmin(), repo.UpdateRepoMetadata)
```

Anonymous GET to /api/v1/repos/{owner}/{repo}/metadata returns 403 even for public repos.

Desired Behavior

  • GET /metadata and /manifest: No auth required for public repos (anonymous access)
  • PUT /metadata and /manifest: Still requires token + admin (unchanged)

Implementation

In routers/api/v1/api.go ~line 1483, change from Combo to separate routes:

```go
m.Get("/metadata", repo.GetRepoMetadata)
m.Put("/metadata", reqToken(), reqAdmin(), repo.UpdateRepoMetadata)
m.Get("/manifest", repo.GetRepoMetadata) // backward compat
m.Put("/manifest", reqToken(), reqAdmin(), repo.UpdateRepoMetadata)
```

This removes reqRepoReader from the GET path. The repo context resolution middleware still handles private vs public repo visibility at a higher level.
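The claim worth verifying before merging is the last sentence: once `reqRepoReader` is gone from the GET route, the repo context middleware is the only layer keeping anonymous callers away from private repos. The following is an added, self-contained illustration (not the project's own code) of that split: a stand-in `repoContext` middleware, the GET/PUT routes wired as proposed, and a `status` helper that can be asserted on for public/private and anonymous/admin combinations. Repo names, the admin token and the "any Authorization header counts as a reader" rule are constructed assumptions.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// Constructed sample data (hypothetical): which repos are private, and the one admin token.
var repoPrivate = map[string]bool{"acme/public-lib": false, "acme/secret-svc": true}
const adminToken = "Bearer admin-token-example"
// repoContext stands in for the repo context resolution middleware the issue relies on. With
// reqRepoReader gone from GET it alone keeps anonymous callers off private repos, so it answers
// 404 (not 403, which would confirm existence). Here any Authorization header counts as a reader.
func repoContext(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		repo := path.Dir(strings.TrimPrefix(r.URL.Path, "/api/v1/repos/")) // "owner/repo"
		priv, known := repoPrivate[repo]
		if !known || (priv && r.Header.Get("Authorization") == "") {
			http.NotFound(w, r)
		} else {
			next.ServeHTTP(w, r)
		}
	})
}

// metadataRoutes mirrors the split routes: GET without reqRepoReader, PUT still token+admin
// (a plain header compare stands in for reqToken()+reqAdmin()).
func metadataRoutes(w http.ResponseWriter, r *http.Request) {
	switch r.Method {
	case http.MethodGet:
		w.Write([]byte(`{"platform":"example","version":"0.0.0"}`))
	case http.MethodPut:
		if r.Header.Get("Authorization") != adminToken {
			http.Error(w, "admin token required", http.StatusUnauthorized)
		} else {
			w.WriteHeader(http.StatusNoContent)
		}
	}
}

// status sends one request through the middleware and routes and returns the HTTP code.
func status(method, p, auth string) int {
	req := httptest.NewRequest(method, p, nil)
	req.Header.Set("Authorization", auth) // empty string means anonymous
	rec := httptest.NewRecorder()
	repoContext(http.HandlerFunc(metadataRoutes)).ServeHTTP(rec, req)
	return rec.Code
}
```

If the equivalent of `repoContext` were not in front of the new GET route, the private-repo case would return 200 to an anonymous caller, which is exactly the regression to test for when applying this change.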
