"Download tarball" gives an error ("error: authorization required to access package") when authenticated

When browsing the registry with Verdaccio’s webui and logged in with an authenticated account, the “Download tarball” link does not works and I get an HTTP 401 errror with the following message:

{
  "error": "authorization required to access package @acme/acme-foo"
}

However, the access with npm (and a logged in user) works correctly.

Here is the server log for npm install @acme/acme-corp:

  debug--- [local-storage/readTarball] read a tarball for package: acme-foo-1.2.0-RC.2019.1.3.tgz
  http <-- 200, user: client01(192.168.251.209), req: 'GET /@acme%2facme-foo/-/acme-foo-1.2.0-RC.2019.1.3.tgz', bytes: 0/48585

And here is the log when accessing the package with the webui and logged with user client01:

  info <-- 192.168.251.209 requested 'GET /@acme%2facme-foo/-/acme-foo-1.2.0-RC.2019.1.3.tgz'
  http <-- 401, user: null(192.168.251.209), req: 'GET /@acme%2facme-foo/-/acme-foo-1.2.0-RC.2019.1.3.tgz', error: authorization required to access package @acme/acme-foo

The HTTP request made by the webui seems to correctly have the Authorization: Bearer <token> header but the server log does not reports the request as being authenticated with user client01 and reports the user as null.

I’m using the htpasswd authentication plugin:

auth:
    htpasswd:
        file: data/conf/htpasswd
        max_users: -1

Here is the content of my packages: access control directive:

packages:
    '@acme/*':
        access: $authenticated
        publish: admin

If I set access: $all, then the “download tarball” link works in the webui.

I tried this on verdaccio v4.0.1 and v4.3.3, and both reports a HTTP 401 when downloading the package with the “Download tarball” link.

Does anyone else also noticed this error