A container registry that uses the AT Protocol for manifest storage and S3 for blob storage.
atcr.io
docker
container
atproto
go
use transition:generic for now :(
+4
-3
+1
pkg/appview/middleware/registry.go
+1
pkg/appview/middleware/registry.go
···
178
178
// Call com.atproto.server.getServiceAuth on the user's PDS
179
179
// Request 5-minute expiry (PDS may grant less)
180
180
// exp must be absolute Unix timestamp, not relative duration
181
+
// Note: OAuth scope includes #atcr_hold fragment, but service auth aud must be bare DID
181
182
expiryTime := time.Now().Unix() + 300 // 5 minutes from now
182
183
serviceAuthURL := fmt.Sprintf("%s%s?aud=%s&lxm=%s&exp=%d",
183
184
pdsEndpoint,
+3
-3
pkg/auth/oauth/client.go
+3
-3
pkg/auth/oauth/client.go
···
133
133
// OCI artifact manifests (for cosign signatures, SBOMs, attestations)
134
134
"blob:application/vnd.cncf.oras.artifact.manifest.v1+json",
135
135
}
136
+
137
+
scopes = append(scopes, "transition:generic")
136
138
137
139
// In test mode: use transition:generic (local dev with test PDS)
138
140
// In production: use rpc scope for service auth
139
-
if testMode {
140
-
scopes = append(scopes, "transition:generic")
141
-
} else {
141
+
if !testMode {
142
142
scopes = append(scopes, fmt.Sprintf("rpc:com.atproto.repo.getRecord?aud=%s#atcr_hold", did))
143
143
}
144
144