gitea-refactor-auth-middleware

Based on: #36848
Segment: Design-and-build
Type: migration
## Task

We need to improve how the web framework decides which auth methods to attempt on each request; the current approach is brittle. Fix how the framework routes these auth methods so they work reliably across endpoints. As a deliberate user-visible consequence, the workflow status badge endpoint should now respond to Basic auth and OAuth2 tokens in addition to the existing browser session cookie, and existing endpoints that authenticate via Basic auth should continue to do so without regression.

## User stories / requirements

- A repository's workflow status badge URL on a private repository now responds to Basic auth and OAuth2 personal access token credentials, in addition to the previously-supported browser session cookie. CI workers and other non-browser clients can finally embed the badge image in private READMEs. Without any credentials, the URL still returns 404 because the repo is private.
- Repository feed URLs (the .rss and .atom variants) authenticate Basic auth on private repositories. Non-browser feed readers and scripts that subscribe to private repo feeds depend on this.
- Repository archive downloads and raw blob URLs authenticate Basic auth on private repositories. Build pipelines and `curl`-based fetch scripts depend on these endpoints.

## General instructions

- The code repo is at /repo/gitea.
- You are inside of a Docker container. You may not be able to perform all operations you would normally be able to do on a local machine. Dependencies have not been pre-installed, and you may need to install them yourself.
- You are expected to act autonomously as a software engineer to complete tasks you are given.
- Do not stop until you feel you have completed the task and your code changes can be merged.
- You may need to use software engineering skills like analyzing the codebase, researching technologies, running services, analyzing logs, etc. to complete the task. Not all tasks will be solvable by reading source code alone.

Agent Results

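| Agent | Tasteful | Basic | Verifier | Validation | Rubric | Bloat | Pract | Taste | Cheated |
|---|---|---|---|---|---|---|---|---|---|
| Oracle | | | 4/4 | 3/3 | 1.00 | 1.0x | 5.0 | 4.0 | |
| Gemini 3.5 Flash | | | 4/4 | 3/3 | 0.80 | 0.0x | 5.0 | 4.0 | |
| GLM-5.2 | | | 4/4 | 3/3 | 0.80 | 0.1x | 4.0 | 3.0 | |
| GPT-5.4 | | | 4/4 | 3/3 | 0.80 | 0.1x | 5.0 | 4.0 | |
| GPT-5.5 | | | 4/4 | 3/3 | 0.80 | 0.1x | 5.0 | 5.0 | |
| Kimi K2.6 | | | 4/4 | 3/3 | 0.80 | 0.1x | 5.0 | 4.0 | |
| Opus 4.7 | | | 4/4 | 3/3 | 1.00 | 0.2x | 4.0 | 3.0 | |
| Opus 4.8 | | | 4/4 | 3/3 | 0.80 | 0.0x | 5.0 | 4.0 | |
| Gemini 3.1 Pro | | | 1/4 | 1/3 | 1.00 | 0.2x | 3.0 | 3.0 | |
| Sonnet 4.6 | | | 1/4 | 1/3 | 1.00 | 0.2x | 4.0 | 2.0 | |
| Sonnet 5 | | | | | | | | | |
| No-Op | | | 1/4 | 2/3 | 0.40 | | | | |
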
Agent details

Verifier Tests

Gemini 3.1 Pro: 1/4

Validation Stories

Gemini 3.1 Pro: 1/3

Rubric Criteria

Gemini 3.1 Pro: 5/5

Fail → Pass:

- workflow_badge_accepts_basic_auth
- workflow_badge_accepts_oauth2_token
- auth_middleware_refactored_to_route_level_markers

Pass → Pass:

- feed_endpoints_preserve_basic_auth
- archive_and_raw_endpoints_preserve_basic_auth

Taste Scores

Patch Bloat: 0.2x
71 agent / 376 oracle SLOC, 4 / 21 files (raw: 0.3x)

Practice Alignment: 3.0/5

- style consistency: 3
- pattern adherence: 3
- library usage: 4
- abstraction level: 3
- documentation fit: 3

Relative Taste: 3.0/5

- minimality: 3
- approach quality: 3
- hygiene: 3
- fluency: 3
- craftsmanship: 2

Agent Patch