A container registry that uses the AT Protocol for manifest storage and S3 for blob storage. atcr.io

fix build pipeline. fix using wrong auth method when trying to push with app-password

+26 -16
+6 -6
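--- a/.tangled/workflows/release.yml
+++ b/.tangled/workflows/release.yml
@@ -24,21 +24,21 @@
  - name: Build and push AppView image
  command: |
  buildah bud \
- --tag ${IMAGE_REGISTRY}/${IMAGE_USER}/atcr-appview:${TANGLED_REF_NAME} \
- --tag ${IMAGE_REGISTRY}/${IMAGE_USER}/atcr-appview:latest \
+ --tag ${IMAGE_REGISTRY}/${IMAGE_USER}/appview:${TANGLED_REF_NAME} \
+ --tag ${IMAGE_REGISTRY}/${IMAGE_USER}/appview:latest \
  --file ./Dockerfile.appview \
  .
 
  buildah push \
- ${IMAGE_REGISTRY}/${IMAGE_USER}/atcr-appview:latest
+ ${IMAGE_REGISTRY}/${IMAGE_USER}/appview:latest
 
  - name: Build and push Hold image
  command: |
  buildah bud \
- --tag ${IMAGE_REGISTRY}/${IMAGE_USER}/atcr-hold:${TANGLED_REF_NAME} \
- --tag ${IMAGE_REGISTRY}/${IMAGE_USER}/atcr-hold:latest \
+ --tag ${IMAGE_REGISTRY}/${IMAGE_USER}/hold:${TANGLED_REF_NAME} \
+ --tag ${IMAGE_REGISTRY}/${IMAGE_USER}/hold:latest \
  --file ./Dockerfile.hold \
  .
 
  buildah push \
- ${IMAGE_REGISTRY}/${IMAGE_USER}/atcr-hold:latest
+ ${IMAGE_REGISTRY}/${IMAGE_USER}/hold:latest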
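Review bot: Both build steps tag the image with `${TANGLED_REF_NAME}` but push only `:latest`, so the versioned tag never reaches the registry unless a step outside this section pushes it. Consumers are then left with only a mutable tag, which makes a release hard to pin or audit after the fact. Add a second push per image, e.g. `buildah push ${IMAGE_REGISTRY}/${IMAGE_USER}/appview:${TANGLED_REF_NAME}` (and the same for `hold`). Double-quoting the image references would also keep an empty or unusual ref name from splitting the argument.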
+20 -10
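--- a/pkg/appview/middleware/registry.go
+++ b/pkg/appview/middleware/registry.go
@@ -404,24 +404,34 @@
  }
 
  // Get access token for PDS operations
- // Try OAuth refresher first (for users who authorized via AppView OAuth)
- // Fall back to Basic Auth token cache (for users who used app passwords)
+ // Use auth method from JWT to determine client type:
+ // - OAuth users: use session provider (DPoP-enabled)
+ // - App-password users: use Basic Auth token cache
  var atprotoClient *atproto.Client
 
- if nr.refresher != nil {
- // Use session provider for locked OAuth sessions
+ if authMethod == token.AuthMethodOAuth && nr.refresher != nil {
+ // OAuth flow: use session provider for locked OAuth sessions
  // This prevents DPoP nonce race conditions during concurrent layer uploads
+ slog.Debug("Creating ATProto client with OAuth session provider",
+ "component", "registry/middleware",
+ "did", did,
+ "authMethod", authMethod)
  atprotoClient = atproto.NewClientWithSessionProvider(pdsEndpoint, did, nr.refresher)
- }
-
- // Fall back to Basic Auth token cache if OAuth not available
- if atprotoClient == nil {
+ } else {
+ // App-password flow (or fallback): use Basic Auth token cache
  accessToken, ok := auth.GetGlobalTokenCache().Get(did)
  if !ok {
- slog.Debug("No cached access token found (neither OAuth nor Basic Auth)", "component", "registry/middleware", "did", did)
+ slog.Debug("No cached access token found for app-password auth",
+ "component", "registry/middleware",
+ "did", did,
+ "authMethod", authMethod)
  accessToken = "" // Will fail on manifest push, but let it try
  } else {
- slog.Debug("Using Basic Auth access token", "component", "registry/middleware", "did", did, "token_length", len(accessToken))
+ slog.Debug("Creating ATProto client with app-password",
+ "component", "registry/middleware",
+ "did", did,
+ "authMethod", authMethod,
+ "token_length", len(accessToken))
  }
  atprotoClient = atproto.NewClient(pdsEndpoint, did, accessToken)
  }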
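Review bot: The `else` branch at new line 420 handles every request that is not OAuth-with-refresher, so a token whose `authMethod` is `token.AuthMethodOAuth` while `nr.refresher` is nil, or whose `authMethod` is empty or unrecognised, is served with whatever app-password token happens to be cached for that DID. That mixes credentials across authentication contexts and hides a misconfiguration behind the "(or fallback)" comment. Handle the OAuth-without-refresher case explicitly before the fallback, e.g. `} else if authMethod == token.AuthMethodOAuth {` followed by `slog.Warn("OAuth token but no session provider configured", "component", "registry/middleware", "did", did)` and an error return suited to the enclosing function, which starts and ends outside this section. The `accessToken = ""` path has the same shape: it builds a client with an empty credential rather than failing closed at the point where the missing token is detected.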