gitea: LFS pull fails on public SSH-cloned repo

• Gitea version (or commit ref): f17524b
• Git version: 2.17.1
• Operating system: official docker image
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant
• Log gist:

The problem is that one can’t even clone a repo with LFS over SSH if the repo isn’t private. ‘GIT_TRACE=1 GIT_CURL_VERBOSE=1 git lfs pull’ fails with ‘trace git-lfs: api error: Authentication required: Authorization error: https://example.com/gitea/user/repo.git/info/lfs/objects/batch’, which is indeed ‘HTTP/1.1 401 Unauthorized’.

It is the case because this fragment

		userID, ok := claims["user"].(float64)
		if !ok {
			return nil, r, opStr, fmt.Errorf("Token user id invalid")
		}

in modules/lfs/server.go (parseToken) gives an error.

From the other side command ‘ssh – git@example.com git-lfs-authenticate user/repo.git download’ returns auth token without ‘user’ field because this condition

if requestedMode == models.AccessModeWrite || repo.IsPrivate || setting.Service.RequireSignInView

in cmd/serv.go (runServ) is false. It is even false if one has ‘REQUIRE_SIGNIN_VIEW = true’ in his config, because noone initializes setting.Service.RequireSignInView (setting.newService() doesn’t get called I guess). Changing repo type to private solves the problem, but here is the bug anyway. I also think that initalizing RequireSignInView should be performed, but this is not a proper solution to the issue, since HTTPS cloning of public repo works fine with the same settings.