`docker login` seems to succeed with basic auth even when 2FA is enabled

[1e100]

Description

docker login seems to be succeeding with "basic" auth even though 2FA is enabled on the account. I was a bit surprised by that. Notably, this also reproduces on the Gitea demo site.

I then started looking into the documentation on how to create a PAT here: https://docs.gitea.com/development/api-usage#authentication. This does not seem to work either. The OTP-less first suggestion results in {"message":"Only signed in user is allowed to call APIs."}, the one with OTP results in [] (empty JSON list).

Finally, going into the UI as the instructions suggest is not helpful either, since it is not at all clear what permissions such a PAT would need for read-only and read-write access.

So there seem to be several issues here:

1. docker login should not succeed if account has 2FA enabled on it
2. Instructions for how to create a PAT should probably be updated
3. Documentation is needed for the minimal permission set required to only pull, and to pull+push to the Docker registry.

Gitea Version

1.20.3

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Docker compose using your downloads. But this reproduces on try.gitea.io as well.

Database

None

[KN4CK3R]

How do you use docker login? With a PAT or user/password. The container code does not verify auth by itself but uses the methods all other api endpoints use.

[1e100]

Then all other APIs are also similarly impacted. Enabling 2FA should mean that only PAT is available for auth. And there should be documentation on how to issue the PAT so that it's not overly broad in its permissions, at least for the common use cases such as the Docker registry pull/push.

[1e100]

IOW a login/password is like a PAT that has every possible permission for that user and cannot be restricted. That is problematic IMO