diff --git a/routers/api/packages/api.go b/routers/api/packages/api.go
index b430589cd2..b22df7637e 100644
--- a/routers/api/packages/api.go
+++ b/routers/api/packages/api.go
@@ -120,6 +120,24 @@ func verifyAuth(r *web.Route, authMethods []auth.Method) {
 }
 authGroup := auth.NewGroup(authMethods...)
+ r.Use(func(ctx *context.Context) {
+ var err error
+ ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
+ if err != nil {
+ log.Info("Failed to verify user: %v", err)
+ ctx.Error(http.StatusUnauthorized, "authGroup.Verify")
+ return
+ }
+ ctx.IsSigned = ctx.Doer != nil
+ })
+}
+
+func verifyContainerAuth(r *web.Route, authMethods []auth.Method) {
+ if setting.Service.EnableReverseProxyAuth {
+ authMethods = append(authMethods, &auth.ReverseProxy{})
+ }
+ authGroup := auth.NewGroup(authMethods...)
+
 r.Use(func(ctx *context.Context) {
 var err error
 ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
@@ -781,10 +799,7 @@ func ContainerRoutes() *web.Route {
 r.Use(context.PackageContexter())
- verifyAuth(r, []auth.Method{
- &auth.Basic{},
- &container.Auth{},
- })
+ verifyContainerAuth(r, []auth.Method{&auth.Basic{}, &container.Auth{}})
 r.Get("", container.ReqContainerAccess, container.DetermineSupport)
 r.Group("/token", func() {
diff --git a/tests/integration/api_packages_container_test.go b/tests/integration/api_packages_container_test.go
index c688679a67..d6aed416aa 100644
--- a/tests/integration/api_packages_container_test.go
+++ b/tests/integration/api_packages_container_test.go
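Review bot: The new verifyAuth middleware rejects a failed Verify with `ctx.Error(http.StatusUnauthorized, "authGroup.Verify")` and no WWW-Authenticate header, so every non-container package route now returns a 401 without a challenge — RFC 7235 requires one, and the Maven test added in this same commit calls the omission wrong while asserting it. For these routes a Basic challenge is the natural fit, e.g. `ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=\"<realm the project uses elsewhere>\"")` placed before the ctx.Error call. As far as the hunk shows, verifyContainerAuth repeats verifyAuth line for line (its middleware body continues past the hunk), so the ReverseProxy append and auth.NewGroup setup would drift less in a small shared helper that both functions call. The second hunk in this file only swaps the call to verifyContainerAuth and raises nothing on its own.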
@@ -172,7 +172,7 @@ func TestPackageContainer(t *testing.T) {
 req := NewRequest(t, "GET", fmt.Sprintf("%sv2/token", setting.AppURL))
 // Setting the header explicitly instead of using AddBasicAuth to supply an invalid password.
- req.Request.Header.Set("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte("user2:very-invalid")))
+ req.SetBasicAuth("user2", "very-invalid")
 resp := MakeRequest(t, req, http.StatusUnauthorized)
 assert.Equal(t, authenticate, resp.Header().Values("WWW-Authenticate"))
diff --git a/tests/integration/api_packages_maven_test.go b/tests/integration/api_packages_maven_test.go
index 9490d52890..74e7883443 100644
--- a/tests/integration/api_packages_maven_test.go
+++ b/tests/integration/api_packages_maven_test.go
@@ -254,6 +254,20 @@ func TestPackageMaven(t *testing.T) {
 resp := MakeRequest(t, req, http.StatusOK)
 assert.NotContains(t, resp.Body.String(), "Internal server error")
 })
+
+ t.Run("Invalid credentials", func(t *testing.T) {
+ req := NewRequest(t, "HEAD", fmt.Sprintf("%s/%s/%s", root, packageVersion, filename))
+ req.SetBasicAuth(user.Name, "invalid")
+ resp := MakeRequest(t, req, http.StatusUnauthorized)
+
+ // Verify that headers from other package endpoints do not leak into the Maven registry. That Forgejo responds
+ with 401 Unauthorized without including any WWW-Authenticate header is *wrong*, though.
+ assert.Empty(t, resp.Header().Values("WWW-Authenticate"))
+
+ // Verify that the request would work with correct credentials.
+ req.AddBasicAuth(user.Name)
+ MakeRequest(t, req, http.StatusOK)
+ })
 }
 func TestPackageMavenConcurrent(t *testing.T) {
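Review bot: The comment kept above the changed line, `// Setting the header explicitly instead of using AddBasicAuth to supply an invalid password.`, no longer describes the code: the credential is now supplied through `req.SetBasicAuth("user2", "very-invalid")` rather than by setting the header by hand. Suggest `// SetBasicAuth rather than AddBasicAuth, so an invalid password can be supplied.` so the next reader is not sent looking for an explicit Header.Set. TestPackageContainer continues outside the hunk.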
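Review bot: `assert.Empty(t, resp.Header().Values("WWW-Authenticate"))` pins behaviour that the comment right above it calls wrong, so the test will fail the moment the Maven registry starts sending a proper challenge. What the subtest cares about is that the container registry's challenge (the `authenticate` value asserted in api_packages_container_test.go) does not leak onto Maven responses, which can be stated without forbidding a challenge altogether, e.g. `assert.NotContains(t, resp.Header().Values("WWW-Authenticate"), authenticate)` or a loop asserting no value starts with the container scheme. Reusing the same `req` for the second MakeRequest is also fragile: the hunk does not show whether AddBasicAuth replaces or appends to an existing Authorization header, and if it appends, the invalid credential travels with the valid one and the expected 200 depends on which value the server reads — building a fresh request with NewRequest before `req.AddBasicAuth(user.Name)` avoids the question. TestPackageMaven starts outside the hunk.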