Dependency proxy can be accessed with PATs that don't have the scopes `read_registry` and `write_registry`.
🔥 Problem
In the dependency proxy documentation, it is stated that:
> You can authenticate using: A personal access token with the scope set to `read_registry` and `write_registry`.
That is not true.
I created a PAT with the following scopes:
As you can see, neither `read_registry` nor `write_registry` is selected.
Yet, I can freely access the dependency proxy:
```
$ docker login gdk.test:8000 -u "namespace170" -p "<token>"
Login Succeeded
$ docker pull gdk.test:8000/dp_access_tokens/dependency_proxy/containers/alpine:latest
latest: Pulling from dp_access_tokens/dependency_proxy/containers/alpine
Digest: sha256:eece025e432126ce23f223450a0326fbebde39cdf496a85d8c016293fc851978
Status: Downloaded newer image for gdk.test:8000/dp_access_tokens/dependency_proxy/containers/alpine:latest
gdk.test:8000/dp_access_tokens/dependency_proxy/containers/alpine:latest
```
In other words, the PAT scopes are not enforced at all.
🚒 Solution
- Enforce the scopes during authentication. If possible, do it during the `docker login`.
- This might be a breaking change, as existing users could be using the dependency proxy without the proper scopes.
Alternative solution, but an even more breaking change: add a dependency proxy scope for GitLab tokens (#336800).
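To show what "enforce the scopes during authentication" looks like in practice, here is an added Ruby example. It is not GitLab's code: the token struct, the `ScopeError` class, the action-to-scope mapping and the `authorize_dependency_proxy!` function are all assumptions made for illustration; only the scope names `read_registry` and `write_registry` come from the documentation quoted above. The sample tokens are constructed to mirror the report: one without any registry scope, one with the documented scopes.

```ruby
# Added example, not GitLab's own code. Checks that a PAT carries the scope the
# requested dependency proxy action needs, and fails the login instead of
# silently granting access. Token shape, error class and the action-to-scope
# mapping are assumptions; the scope names come from the GitLab docs.

PersonalAccessToken = Struct.new(:name, :scopes, :expires_at, :revoked, keyword_init: true)

class ScopeError < StandardError; end

# Assumed mapping: which scope each dependency proxy operation requires.
REQUIRED_SCOPE = {
  pull: 'read_registry',
  push: 'write_registry'
}.freeze

# A token is usable only if it is neither revoked nor expired.
def token_usable?(token, now: Time.now)
  return false if token.revoked
  return false if token.expires_at && token.expires_at <= now

  true
end

# Raises ScopeError with a descriptive message when the required scope is
# missing, so the rejection reason can be logged at `docker login` time.
def authorize_dependency_proxy!(token, action, now: Time.now)
  raise ScopeError, 'token revoked or expired' unless token_usable?(token, now: now)

  needed = REQUIRED_SCOPE.fetch(action) { raise ArgumentError, "unknown action #{action}" }
  unless token.scopes.include?(needed)
    raise ScopeError, "scope #{needed} required for #{action}, token has #{token.scopes.sort.join(',')}"
  end

  true
end

# Boolean wrapper for callers that only need allow/deny.
def dependency_proxy_allowed?(token, action, now: Time.now)
  authorize_dependency_proxy!(token, action, now: now)
rescue ScopeError
  false
end

# Constructed sample tokens mirroring the report.
NO_REGISTRY_SCOPES = PersonalAccessToken.new(name: 'api-only', scopes: %w[api read_api],
                                             expires_at: nil, revoked: false)
REGISTRY_SCOPES = PersonalAccessToken.new(name: 'registry', scopes: %w[read_registry write_registry],
                                          expires_at: nil, revoked: false)

if __FILE__ == $PROGRAM_NAME
  [NO_REGISTRY_SCOPES, REGISTRY_SCOPES].each do |t|
    puts "#{t.name}: pull=#{dependency_proxy_allowed?(t, :pull)} push=#{dependency_proxy_allowed?(t, :push)}"
  end
end
```

With this check in the login path, the `api`-only token from the report would be rejected at `docker login` with a message naming the missing `read_registry` scope, while the token holding the documented scopes would still pass. Expired and revoked tokens are rejected before the scope check, since a valid scope on a dead token should never grant access.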
Edited by David Fernandez