Skip to content

Fix token overwritten by empty access_token field (fixes #801) #856

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
thesayyn merged 1 commit into from
Nov 7, 2025
Merged

Fix token overwritten by empty access_token field (fixes #801) #856

thesayyn merged 1 commit into from
Nov 7, 2025
+1 −1

Conversation

@WnP
Copy link
Contributor

@WnP WnP commented Oct 22, 2025

Fixes #801

Problem

When a registry returns both "token" and "access_token" fields in the authentication response, the current logic unconditionally overwrites the
token value with access_token, even when access_token is empty.

This causes authentication failures with registries like Harbor that return:

{"token": "eyJ...", "access_token": "", "expires_in": 1800, "issued_at": "..."}

The second if statement overwrites the valid JWT token with an empty string, leading to "could not find token" errors.

Solution

Changed the condition from:

if "access_token" in auth:
    token = auth["access_token"]

To:

if "access_token" in auth and auth["access_token"]:
    token = auth["access_token"]

This only uses access_token when it's non-empty, fixing authentication for registries that return both fields with an empty access_token.

Tested

  • ✅ Harbor registry (public repos without Docker credentials)
  • ✅ Docker Hub (existing functionality unchanged)

@WnP
fix: registry token overwritten by empty access_token
2f582f7 
Registries may return both "token" and "access_token" fields,
with access_token being empty (e.g., Harbor).
The second `if` unconditionally overwrites token with access_token,
even when access_token is empty.

Check access_token is non-empty before using it.
@aspect-workflows
Copy link

aspect-workflows bot commented Oct 22, 2025
edited
Loading

Test

⚠️ Buildkite build #161 failed.

//oci/tests:pull_ubuntu_linux_arm64_v8 failed to build

local spawn failed for RunBinary
 
Error: GET https://index.docker.io/v2/library/ubuntu/manifests/sha256:67211c14fa74f070d27cc59d69a7fa9aeff8e28ea118ef3babc295a0428a6d21: TOOMANYREQUESTS: You have reached your unauthenticated pull rate limit. https://www.docker.com/increase-rate-limit

//oci/tests:pull_fluxcd_flux_single failed to build

local spawn failed for RunBinary
 
Error: GET https://index.docker.io/v2/fluxcd/flux/manifests/1.25.4: TOOMANYREQUESTS: You have reached your unauthenticated pull rate limit. https://www.docker.com/increase-rate-limit

💡 To reproduce the build failures, run

bazel build //oci/tests:pull_ubuntu_linux_arm64_v8 //oci/tests:pull_fluxcd_flux_single

@WnP
Copy link
Contributor Author

WnP commented Oct 22, 2025

The CI failures are due to Docker Hub rate limits, not related to this fix. For example:

Error: GET https://index.docker.io/...: TOOMANYREQUESTS: You have reached your unauthenticated pull rate limit. https://www.docker.com/increase-rate-limit

@thesayyn thesayyn merged commit d34b633 into bazel-contrib:main Nov 7, 2025
11 of 12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thesayyn thesayyn thesayyn approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

docker pull can pull images from our Harbor, but oci.pull cannot. No auth is required

2 participants

@WnP @thesayyn