Requiring Forms authentication to list/download packages

I’m trying to secure a gallery (both the user-visible website and the api) and will not be able to use windows authentication. I’d like to limit package listing and download to the accounts that people can register for on the site. I tried setting things up as forms authentication with the following configuration entry, but after filling in my account info on the /users/account/logon page and hitting submit, I get redirected back to the logon page.

<authentication mode="Forms">
  <forms loginUrl="/users/account/Logon"/>
</authentication>
<authorization>
  <deny users="?" />
</authorization>

From a quick look at the gallery code, the LogOn() method on AuthenticationController uses SignIn() as the method to take the posted information, which doesn’t seem to play nicely with Forms authentication. If I rename the SignIn() method to LogOn(), Forms authentication and requiring a logon works for the website, but api access (via the Visual Studio Extension) never prompts me to log-on, it just sits there spinning.

I haven’t tracked down exactly what’s going on with the Visual Studio Extension yet, but I wanted to check to see if there’s an easier option to turn off anonymous listing/downloading of packages that I just didn’t see documented before I dug into the issue further.