Allow Basic Auth for downloading Generic Packages
Release notes
Allow authentication to the Generic Packages API to download packages using Basic Authentication. This makes the feature much more useful for situations that do not allow adding headers or query strings.
Problem to solve
GitLab's new "Generic Packages" feature is very useful for storing packages for any package manager that does not yet have built-in support, but right now it can only be used with header-based or query-string-based authentication, which severely limits its usefulness for many cases.
For example, Carthage can only use Basic Auth (via .netrc
) to authenticate for downloading binary frameworks. Apple is also in the process of adding .netrc
support to SPM.
Proposal
Allow the Generic Packages API endpoint to accept credentials using Basic Auth.
This has already been done for most of the other package repositories, including:
- Composer (&3096 (closed))
- Conan (in !14864 (merged), later modified in other MRs but still supported)
- Debian (in #5835)
- Go (gitlab-foss!23497 (merged))
- Nuget (!20825 (merged) and !31035 (merged))
- PyPI (#210073 (closed) and !31035 (merged))
Intended users
User experience goal
The user should be able to download Generic Packages using tools that only support Basic Authentication.
Permissions and Security
No permission changes are required. Only users who already have permission to download packages will still be able to download them.
Documentation
The documentation for Generic Packages currently says that it can only use the regular API authentication mechanism. It will need to be changed to say that Basic Authentication can also be used.