A container registry that uses the AT Protocol for manifest storage and S3 for blob storage.


fix build pipeline. fix using wrong auth method when trying to push with app-password

+26 -16
+6 -6
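--- a/.tangled/workflows/release.yml
+++ b/.tangled/workflows/release.yml
@@ -24,21 +24,21 @@
     - name: Build and push AppView image
       command: |
         buildah bud \
-          --tag ${IMAGE_REGISTRY}/${IMAGE_USER}/atcr-appview:${TANGLED_REF_NAME} \
-          --tag ${IMAGE_REGISTRY}/${IMAGE_USER}/atcr-appview:latest \
+          --tag ${IMAGE_REGISTRY}/${IMAGE_USER}/appview:${TANGLED_REF_NAME} \
+          --tag ${IMAGE_REGISTRY}/${IMAGE_USER}/appview:latest \
           --file ./Dockerfile.appview \
           .
 
         buildah push \
-          ${IMAGE_REGISTRY}/${IMAGE_USER}/atcr-appview:latest
+          ${IMAGE_REGISTRY}/${IMAGE_USER}/appview:latest
 
     - name: Build and push Hold image
       command: |
         buildah bud \
-          --tag ${IMAGE_REGISTRY}/${IMAGE_USER}/atcr-hold:${TANGLED_REF_NAME} \
-          --tag ${IMAGE_REGISTRY}/${IMAGE_USER}/atcr-hold:latest \
+          --tag ${IMAGE_REGISTRY}/${IMAGE_USER}/hold:${TANGLED_REF_NAME} \
+          --tag ${IMAGE_REGISTRY}/${IMAGE_USER}/hold:latest \
           --file ./Dockerfile.hold \
           .
 
         buildah push \
-          ${IMAGE_REGISTRY}/${IMAGE_USER}/atcr-hold:latest
+          ${IMAGE_REGISTRY}/${IMAGE_USER}/hold:latest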
+20 -10
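--- a/pkg/appview/middleware/registry.go
+++ b/pkg/appview/middleware/registry.go
@@ -404,24 +404,34 @@
 	}
 
 	// Get access token for PDS operations
-	// Try OAuth refresher first (for users who authorized via AppView OAuth)
-	// Fall back to Basic Auth token cache (for users who used app passwords)
+	// Use auth method from JWT to determine client type:
+	// - OAuth users: use session provider (DPoP-enabled)
+	// - App-password users: use Basic Auth token cache
 	var atprotoClient *atproto.Client
 
-	if nr.refresher != nil {
-		// Use session provider for locked OAuth sessions
+	if authMethod == token.AuthMethodOAuth && nr.refresher != nil {
+		// OAuth flow: use session provider for locked OAuth sessions
 		// This prevents DPoP nonce race conditions during concurrent layer uploads
+		slog.Debug("Creating ATProto client with OAuth session provider",
+			"component", "registry/middleware",
+			"did", did,
+			"authMethod", authMethod)
 		atprotoClient = atproto.NewClientWithSessionProvider(pdsEndpoint, did, nr.refresher)
-	}
-
-	// Fall back to Basic Auth token cache if OAuth not available
-	if atprotoClient == nil {
+	} else {
+		// App-password flow (or fallback): use Basic Auth token cache
 		accessToken, ok := auth.GetGlobalTokenCache().Get(did)
 		if !ok {
-			slog.Debug("No cached access token found (neither OAuth nor Basic Auth)", "component", "registry/middleware", "did", did)
+			slog.Debug("No cached access token found for app-password auth",
+				"component", "registry/middleware",
+				"did", did,
+				"authMethod", authMethod)
 			accessToken = "" // Will fail on manifest push, but let it try
 		} else {
-			slog.Debug("Using Basic Auth access token", "component", "registry/middleware", "did", did, "token_length", len(accessToken))
+			slog.Debug("Creating ATProto client with app-password",
+				"component", "registry/middleware",
+				"did", did,
+				"authMethod", authMethod,
+				"token_length", len(accessToken))
 		}
 		atprotoClient = atproto.NewClient(pdsEndpoint, did, accessToken)
 	}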
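Review bot: The `} else {` at new line 420 also receives OAuth-authenticated requests for which `nr.refresher` is nil, so an OAuth session silently drops into the app-password token cache keyed only by `did`; when no entry exists the client is built with `accessToken = ""` and the failure surfaces later at the PDS, while the debug message at new line 424 reports app-password auth for what was an OAuth request. I would handle that combination explicitly before the branch rather than letting it fall through, e.g. `if authMethod == token.AuthMethodOAuth && nr.refresher == nil { /* reject the request, or at least slog.Warn with "refresherConfigured", false */ }`, so the OAuth branch can keep the simple `if authMethod == token.AuthMethodOAuth` condition. Where a cache entry does exist for that DID, the OAuth request would presumably be served with whatever credential was cached for it rather than the one the JWT authorised — worth confirming against how the cache is populated. The enclosing function, including where `authMethod` is derived from the JWT, starts before this hunk.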