Personal token 401 with packages

Hello,

Does anyone else struggle with the personal access tokens?

We have used these on our project for a while now, but they suddenly stopped working with the nuget package manager or even in curl they return a 401. Has anything changed in the way it should be used, or did it break during an update maybe?

here is the CURL:

curl --header “PRIVATE-TOKEN: pth9hTktju5P5vUmXGMq” “https://gitlab.com/api/v4/projects/21186824/packages/nuget/index.json

If any one has some answers for me, that would be really appreciated!

Never had any issues, unless of course the access-token was created with an expiry date and has now been deleted from the system. Could be a reason for it.

Hi iwalker,

No expiry date, I’ve even tried with new tokens but nothing seems to work anymore.

Nothing changed in the repo or the token so that leads me to think that something changed within gitlab itself.

Can you try the curl method using the -v parameter, we can get some more verbose output of what is happening.

Sure:

curl --header -v "PRIVATE-TOKEN: my-token" "https://gitlab.com/api/v4/projects/21186824/packages/nuget/index.json"
curl: (3) Port number ended with ' '
{"message":"401 Unauthorized"}

OK, just to rule out a permission issue on scopes, can you try this:

curl --header "PRIVATE-TOKEN: your-token-here" "https://gitlab.com/api/v4/projects/21186824

and see if we get some json response. Also, please edit your posts and remove the actual API token, as it’s possible to authenticate to your repo with it - at least when I used my URL to just the particular project ID without going deeper. Please replace with “my-token” or similar.

From my quick test, I believe there is a permission/scope issue with what the access-token has access to.

Thanks for the heads up about the clear token, I couldn’t edit the first post so I revoked all the tokens I had and created a new one.

Removing the

/packages/nuget/index.json

part seems to work if I do

curl --header “PRIVATE-TOKEN: my-toekn” “https://gitlab.com/api/v4/projects/21186824

Here is the response I’m getting :

{
“id”: 21186824,
“description”: “THIS IS A PLACEHOLDER PROJECT USED TO ACT AS A COMMON NUGET REPOSITORY\r\n\r\nDO NOT USE OR DELETE THE REPOSITORY”,
“name”: “nugets”,
“name_with_namespace”: “REMOVED”,
“path”: “REMOVED”,
“path_with_namespace”: “REMOVED”,
“created_at”: “2020-09-17T06:26:07.259Z”,
“default_branch”: “master”,
“tag_list”: ,
“ssh_url_to_repo”: “git@gitlab.com:REMOVED”,
“http_url_to_repo”: “REMOVED”,
“web_url”: “REMOVED”,
“readme_url”: “REMOVED”,
“avatar_url”: “REMOVED”,
“forks_count”: 0,
“star_count”: 0,
“last_activity_at”: “2020-09-18T08:41:21.898Z”,
“namespace”: {
“id”: 9033642,
“name”: “REMOVED”,
“path”: “REMOVED”,
“kind”: “group”,
“full_path”: “REMOVED”,
“parent_id”: null,
“avatar_url”: “REMOVED”,
“web_url”: “REMOVED”
},
“_links”: {
“self”: “https://gitlab.com/api/v4/projects/21186824”,
“issues”: “https://gitlab.com/api/v4/projects/21186824/issues”,
“merge_requests”: “https://gitlab.com/api/v4/projects/21186824/merge_requests”,
“repo_branches”: “https://gitlab.com/api/v4/projects/21186824/repository/branches”,
“labels”: “https://gitlab.com/api/v4/projects/21186824/labels”,
“events”: “https://gitlab.com/api/v4/projects/21186824/events”,
“members”: “https://gitlab.com/api/v4/projects/21186824/members
},
“packages_enabled”: true,
“empty_repo”: false,
“archived”: false,
“visibility”: “private”,
“resolve_outdated_diff_discussions”: false,
“container_registry_enabled”: true,
“container_expiration_policy”: {
“cadence”: “1d”,
“enabled”: true,
“keep_n”: 10,
“older_than”: “90d”,
“name_regex”: null,
“name_regex_keep”: null,
“next_run_at”: “2020-10-21T04:10:05.015Z”
},
“issues_enabled”: true,
“merge_requests_enabled”: true,
“wiki_enabled”: true,
“jobs_enabled”: true,
“snippets_enabled”: true,
“service_desk_enabled”: true,
“service_desk_address”: “REMOVED”,
“can_create_merge_request_in”: true,
“issues_access_level”: “enabled”,
“repository_access_level”: “enabled”,
“merge_requests_access_level”: “enabled”,
“forking_access_level”: “enabled”,
“wiki_access_level”: “enabled”,
“builds_access_level”: “enabled”,
“snippets_access_level”: “enabled”,
“pages_access_level”: “private”,
“operations_access_level”: “enabled”,
“analytics_access_level”: “enabled”,
“emails_disabled”: null,
“shared_runners_enabled”: true,
“lfs_enabled”: true,
“creator_id”: 6807971,
“import_status”: “none”,
“import_error”: null,
“open_issues_count”: 0,
“runners_token”: “REMOVED”,
“ci_default_git_depth”: 50,
“ci_forward_deployment_enabled”: true,
“public_jobs”: true,
“build_git_strategy”: “fetch”,
“build_timeout”: 3600,
“auto_cancel_pending_pipelines”: “enabled”,
“build_coverage_regex”: null,
“ci_config_path”: “”,
“shared_with_groups”: ,
“only_allow_merge_if_pipeline_succeeds”: false,
“allow_merge_on_skipped_pipeline”: null,
“restrict_user_defined_variables”: false,
“request_access_enabled”: true,
“only_allow_merge_if_all_discussions_are_resolved”: false,
“remove_source_branch_after_merge”: true,
“printing_merge_request_link_enabled”: true,
“merge_method”: “merge”,
“suggestion_commit_message”: null,
“auto_devops_enabled”: false,
“auto_devops_deploy_strategy”: “continuous”,
“autoclose_referenced_issues”: true,
“external_authorization_classification_label”: “”,
“requirements_enabled”: false,
“security_and_compliance_enabled”: false,
“compliance_frameworks”: ,
“permissions”: {
“project_access”: null,
“group_access”: {
“access_level”: 50,
“notification_level”: 3
}
}
}

As soon as I add the packages part I get back to the 401 this time with a different message:

*   Trying 172.65.251.78...
  • TCP_NODELAY set
  • Connected to gitlab.com (172.65.251.78) port 443 (#0)
  • schannel: SSL/TLS connection with gitlab.com port 443 (step 1/3)
  • schannel: checking server certificate revocation
  • schannel: sending initial handshake data: sending 181 bytes…
  • schannel: sent initial handshake data: sent 181 bytes
  • schannel: SSL/TLS connection with gitlab.com port 443 (step 2/3)
  • schannel: failed to receive handshake, need more data
  • schannel: SSL/TLS connection with gitlab.com port 443 (step 2/3)
  • schannel: encrypted data got 2048
  • schannel: encrypted data buffer: offset 2048 length 4096
  • schannel: encrypted data length: 1972
  • schannel: encrypted data buffer: offset 1972 length 4096
  • schannel: received incomplete message, need more data
  • schannel: SSL/TLS connection with gitlab.com port 443 (step 2/3)
  • schannel: encrypted data got 2124
  • schannel: encrypted data buffer: offset 4096 length 4096
  • schannel: received incomplete message, need more data
  • schannel: SSL/TLS connection with gitlab.com port 443 (step 2/3)
  • schannel: encrypted data got 1024
  • schannel: encrypted data buffer: offset 5120 length 5120
  • schannel: encrypted data length: 96
  • schannel: encrypted data buffer: offset 96 length 5120
  • schannel: received incomplete message, need more data
  • schannel: SSL/TLS connection with gitlab.com port 443 (step 2/3)
  • schannel: encrypted data got 218
  • schannel: encrypted data buffer: offset 314 length 5120
  • schannel: sending next handshake data: sending 93 bytes…
  • schannel: SSL/TLS connection with gitlab.com port 443 (step 2/3)
  • schannel: encrypted data got 258
  • schannel: encrypted data buffer: offset 258 length 5120
  • schannel: SSL/TLS handshake complete
  • schannel: SSL/TLS connection with gitlab.com port 443 (step 3/3)
  • schannel: stored credential handle in session cache

GET /api/v4/projects/21186824/packages/nuget/index.json HTTP/1.1
Host: gitlab.com
User-Agent: curl/7.55.1
Accept: /
PRIVATE-TOKEN: my-token

  • schannel: client wants to read 102400 bytes
  • schannel: encdata_buffer resized 103424
  • schannel: encrypted data buffer: offset 0 length 103424
  • schannel: encrypted data got 1058
  • schannel: encrypted data buffer: offset 1058 length 103424
  • schannel: decrypted data length: 1029
  • schannel: decrypted data added: 1029
  • schannel: decrypted data cached: offset 1029 length 102400
  • schannel: encrypted data buffer: offset 0 length 103424
  • schannel: decrypted data buffer: offset 1029 length 102400
  • schannel: schannel_recv cleanup
  • schannel: decrypted data returned 1029
  • schannel: decrypted data buffer: offset 0 length 102400
    < HTTP/1.1 401 Unauthorized
    < Date: Fri, 12 Feb 2021 10:37:57 GMT
    < Content-Type: application/json
    < Content-Length: 30
    < Connection: keep-alive
    < Set-Cookie: __cfduid=da61ba1bc9c9e20553d1393d52b894d351613126277; expires=Sun, 14-Mar-21 10:37:57 GMT; path=/; domain=.gitlab.com; HttpOnly; SameSite=Lax; Secure
    < Cache-Control: no-cache
    < Vary: Origin
    < Www-Authenticate: Basic realm=“GitLab Packages Registry”
    < X-Content-Type-Options: nosniff
    < X-Frame-Options: SAMEORIGIN
    < X-Gitlab-Feature-Category: package_registry
    < X-Request-Id: 01EYAX36AD92BA5SH2JCK04CYF
    < X-Runtime: 0.014962
    < RateLimit-Observed: 6
    < RateLimit-Remaining: 1994
    < RateLimit-Reset: 1613126337
    < RateLimit-ResetTime: Fri, 12 Feb 2021 10:38:57 GMT
    < RateLimit-Limit: 2000
    < GitLab-LB: fe-08-lb-gprd
    < GitLab-SV: localhost
    < CF-Cache-Status: DYNAMIC
    < cf-request-id: 08376aafb8000004820b9ba000000001
    < Expect-CT: max-age=604800, report-uri=“https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
    < Server: cloudflare
    < CF-RAY: 6205ad5f8c3f0482-CDG
    <
    {“message”:“401 Unauthorized”}* Connection #0 to host gitlab.com left intact

OK, since it worked from the link without packages/nuget/index.json that means we can say the API is working. I’m assuming when you created the access-token, the permissions you assigned were API?

I can only think that it’s either a permission issue, or the actual API command has changed in terms of what you are attempting to do, and would need to be checked/verified against the API docs. I believe once you do this, it will work perfectly again.

After digging a bit deeper I can see that adding the /packages doesn’t seem to be an issue but the remaining part of the URL triggers a new credential request even tho the token is present within the headers as you can see in the attached gif:

Looking at the documentation I’m not seeing what I might be doing wrong:

1 Like

I have the same issue.
When using the NuGet CLI it’ll ask me always for username/password even if a token is specified. That’s pretty much an issue for non-user tokens (like project tokens or CI).

1 Like

Ok, I read the API docu again and it says (at least for nuget) you have to use usernam/password combination. But for me even a deploy token (which is explicitly mentioned in the docu) does not work. :frowning:

1 Like

It’s been a year, has anyone come up with solutions to this problem. I’m encountering the same thing - getting a Basic Auth prompt resulting in 401: Unauthorized response

Yeah, I’d like to put my +1 here also. Running into the same issue, not being able to access the package repository. I tried with mutliple access tokens (personal + project) with all scopes selected, but no luck. Also when calling the project url without the packages subpath, a json with info is returned, /packages/ also still works, but adding nuget and more fails everything

+1 here also - just wasted 2d setting up CI on a .net repo, trying to get nuget working, assuming that the prb was somehow at my end - wrong username etc.

So, after a long support back and forth, I finally figured out all the pitfalls and got it working;

.\nuget source Add -Name RepoName -Source "https://git.gitlab.com/api/v4/projects/54/packages/nuget/index.json" -UserName [USERNAME FROM ACCOUNT PAGE] -Password [AUTHORIZATION TOKEN WITH API SCOPE]

So, the username, it is NOT the name of the token. it is also NOT the email you use when logging in on gitlab (if that is what you do, like I am)

This username can be found when going to your profile in gitlab and going to the Account tab.

Next potential pitfall: The token you use must have the scope api

And then finally, the project id. it is a number, it is not the name of the project.

I hope this helps others

1 Like

Were you able to figure out what was causing it? I have the same issue

The information related to the username was helpful to me.