401 reposonse has wrong HTTP headers

[hramrach]

Description

wget -SO- https://demo.gitea.com/api/v1/user
--2025-08-19 20:37:41--  https://demo.gitea.com/api/v1/user
Resolving demo.gitea.com (demo.gitea.com)... 52.40.189.212
Connecting to demo.gitea.com (demo.gitea.com)|52.40.189.212|:443... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 401 Unauthorized
  Alt-Svc: h3=":443"; ma=2592000
  Cache-Control: max-age=0, private, must-revalidate, no-transform
  Content-Length: 75
  Content-Type: application/json;charset=utf-8
  Date: Tue, 19 Aug 2025 18:37:43 GMT
  Server: Caddy
  X-Content-Type-Options: nosniff
  X-Frame-Options: SAMEORIGIN

Username/Password Authentication Failed.

From what I can see the response sent to the user is neither 75 bytes long nor JSON. That makes the sent headers inconsistent with sent data

Gitea Version

1.25.0+dev-383-g463016b317

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Database

None

[leoalho]

Hi, the "Username/Password Authentication Failed." part is an automatic response from wget to requests that are responded with an error code 401. So it is not a bug with gitea, but instead a feature of wget.
If you call the endpoint with the --debug flag (or curl the endpoint), you'll see the response body, which is a JSON object with the proper length, here is the response I am getting:

 wget --debug -SO- https://demo.gitea.com/api/v1/user
Setting --server-response (serverresponse) to 1
Setting --output-document (outputdocument) to -
DEBUG output created by Wget 1.21.4 on linux-gnu.

Reading HSTS entries from /home/leo/.wget-hsts
URI encoding = ‘UTF-8’
--2025-08-24 00:32:17--  https://demo.gitea.com/api/v1/user
Resolving demo.gitea.com (demo.gitea.com)... 52.40.189.212, 2600:1f14:b94:3b00:f434:fb42:37d1:4d43
Caching demo.gitea.com => 52.40.189.212 2600:1f14:b94:3b00:f434:fb42:37d1:4d43
Connecting to demo.gitea.com (demo.gitea.com)|52.40.189.212|:443... connected.
Created socket 3.
Releasing 0x00005cf5418a5430 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x00005cf5418fb750
certificate:
  subject: CN=demo.gitea.com
  issuer:  CN=E6,O=Let's Encrypt,C=US
X509 certificate successfully verified and matches host demo.gitea.com

---request begin---
GET /api/v1/user HTTP/1.1
Host: demo.gitea.com
User-Agent: Wget/1.21.4
Accept: */*
Accept-Encoding: identity
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 401 Unauthorized
Alt-Svc: h3=":443"; ma=2592000
Cache-Control: max-age=0, private, must-revalidate, no-transform
Content-Length: 75
Content-Type: application/json;charset=utf-8
Date: Sat, 23 Aug 2025 21:32:20 GMT
Server: Caddy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN

---response end---

  HTTP/1.1 401 Unauthorized
  Alt-Svc: h3=":443"; ma=2592000
  Cache-Control: max-age=0, private, must-revalidate, no-transform
  Content-Length: 75
  Content-Type: application/json;charset=utf-8
  Date: Sat, 23 Aug 2025 21:32:20 GMT
  Server: Caddy
  X-Content-Type-Options: nosniff
  X-Frame-Options: SAMEORIGIN
Registered socket 3 for persistent reuse.
Skipping 75 bytes of body: [{"message":"token is required","url":"https://demo.gitea.com/api/swagger"}
] done.

Username/Password Authentication Failed.

[hramrach]

Indeed, the problem is wget misrepresenting the response without the debug flag.

Thanks for looking into this